Using the IdentityFile directive in ssh_config when AgentForwarding is in use

7,379

You can use the public part of a key to specify which private key you want to use from the forwarded agent. This requires creating an extra file (the public part of the key) on any “intermediate” machines (machines to which you forward your local ssh-agent).

  1. Arrange for the intermediate machine to have a copy of the public part of the desired key in a convenient location (e.g. ~/.ssh/some_other_key.pub).

    From any machine that already has the public part of the key:

    scp some_other_key.pub intermediate:.ssh/
    

    or, on the intermediate machine:

    ssh-add -L | grep something_unique > ~/.ssh/some_other_key.pub
    

    You may want to edit the trailing “comment” part of the public key to better identify the key’s origin/owner/purpose (or attempt to hide the same).

  2. Use the pathname to the above public key file with -i or IdentityFile.

  3. You may also need to use IdentitiesOnly yes (in .ssh/config or -o) to keep ssh from trying to offer any additional identities from your forwarded agent.
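The three steps above, carried through as a small POSIX shell script. This is an added example, not code from the answer: it selects one public key out of an `ssh-add -L` listing by its comment (refusing ambiguous matches, since a loose `grep` pattern would otherwise silently install the wrong key), writes it as a `.pub` file on the intermediate host, and emits the `~/.ssh/config` stanza with `IdentitiesOnly yes`. The agent listing, key comments, host alias and file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): pick one public key out of an
# ssh-agent listing by its comment, install it as a .pub file, and print the
# ssh_config stanza that makes ssh offer only that forwarded key.
# Host alias, key comment and paths are assumptions for illustration.

# Constructed sample of what `ssh-add -L` prints on an intermediate host when
# two keys are forwarded (the key material is a placeholder, not a real key).
SAMPLE_AGENT_LISTING='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPERSONAL personal@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERWORK work-deploy@laptop'

# select_pubkey LISTING PATTERN: print exactly the one public-key line whose
# text matches PATTERN (a fixed string). Fails when zero or several lines
# match, because an ambiguous match would pick a key you did not intend.
select_pubkey() {
    listing="$1"
    pattern="$2"
    matches=$(printf '%s\n' "$listing" | grep -F -e "$pattern")
    count=$(printf '%s\n' "$matches" | grep -c .)
    if [ "$count" -ne 1 ]; then
        echo "select_pubkey: expected exactly one key matching '$pattern', got $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# write_pubkey LISTING PATTERN PATH: install the selected key as a .pub file.
# The public half is not secret, but ssh rejects sloppy permissions in ~/.ssh,
# so the directory and file are created owner-only.
write_pubkey() {
    key=$(select_pubkey "$1" "$2") || return 1
    dir=$(dirname "$3")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    printf '%s\n' "$key" > "$3" && chmod 600 "$3"
}

# config_stanza ALIAS HOSTNAME USER PUBKEY_PATH: the ~/.ssh/config block that
# names the forwarded key by its public half and stops ssh from also offering
# every other identity in the agent (step 3 of the answer).
config_stanza() {
    printf 'Host %s\n    Hostname %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}

# Stand-alone demo using the constructed listing in place of `ssh-add -L`.
# On a real intermediate host you would instead do: listing=$(ssh-add -L)
demo() {
    tmp=$(mktemp -d) || return 1
    write_pubkey "$SAMPLE_AGENT_LISTING" "work-deploy" "$tmp/.ssh/work_deploy.pub" || return 1
    config_stanza work.github.com github.com git "$tmp/.ssh/work_deploy.pub"
    rm -rf "$tmp"
}

demo
```

On the intermediate host, replace `SAMPLE_AGENT_LISTING` with the real `ssh-add -L` output and point `config_stanza` at the path you wrote; the `git pull` against the `work.github.com` alias then authenticates with that single forwarded key. Without `IdentitiesOnly yes` ssh still tries every agent key in order, which is exactly the failure the question describes.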


Author: skryl

Updated on September 18, 2022

Comments

  • skryl
    skryl over 1 year

    Is it possible to specify forwarded keys using the IdentityFile directive in .ssh/config?

    I ran into this quirk when trying to deploy some code via Capistrano/GIT on our production server. Both my personal and my work GIT keys are always loaded in my SSH agent and it just so happened that my personal key was added to the agent first. I use agent forwarding when deploying with Capistrano so when the host tried to authenticate the `git pull` operation it failed with the following error:

    ERROR: Permission to `some repo` denied to `your user`.

    because it attempted to authenticate using my personal git key before trying the appropriate key (which came later in the ssh agent) and assumed that I was accessing a foreign repo which I don't have permission to access. I can potentially just give my personal user access to every work repo but on my local machine I can get around this problem by defining custom domains in .ssh/config like so:

    Host personal.github.com
    Hostname github.com
    User git
    IdentityFile ~/.ssh/some_key

    Host work.github.com
    Hostname github.com
    User git
    IdentityFile ~/.ssh/some_other_key

    and this way git never gets confused. Is it possible to create .ssh/config rules for forwarded keys on my production boxes so they always know which key to use when pulling in new code? Basically I want to be able to do:

    Host work.github.com
    Hostname github.com
    User git
    IdentityFile some_forwarded_key

    Thanks!

  • Tracy Fu
    Tracy Fu over 8 years
    This is the only thing that has worked for me from 10 other solutions.
  • bschlueter
    bschlueter over 8 years
    Playing with this I realized that if you put the public key associated with the private key you wish to use in ~/.ssh/id_rsa.pub on the intermediate machine, it will be used by default, no need for any configuration in ~/.ssh/config.
  • blablabla
    blablabla over 7 years
    Thanks Chris and bschlueter! I now connect with: ssh someserver -t "ssh-add -L | grep something_unique > ~/.ssh/id_rsa.pub; cd some/other/folder; bash --login"
  • Lars Nyström
    Lars Nyström over 5 years
    When I try this with ssh -v -T ... the server accepts the public key, but then ssh says No such identity: /home/name/.ssh/id_rsa: No such file or directory and subsequently the authentication fails. I have ForwardAgent enabled in all my configs. What could be the problem?