Re: Problem with ssh identities

On 01/09/2010 08:09 PM, Bill Davidsen wrote:
> H. Willstrand wrote:
>> On Sat, Jan 9, 2010 at 2:32 AM, Bill Davidsen<davidsen@xxxxxxx>  wrote:
>>> I am using the "command=" feature heavily as part of a backup system, which
>>> allows me to run commands on a remote server without allowing general
>>> function. I give the public key for a functionality to the server, add to
>>> authorized_keys, and can closely control the users. The key is chosen by use
>>> of the "-i" option to ssh.
>>>
>>> All of this has been working nicely for several years.
>>>
>>> However, it seems that ssh offers the default key *first* to the server,
>>> rather than the one specified on the command line. That's so bizarre I spent
>>> time checking that it really happened before asking here.
>>>
>>> So the question is, how can I get ssh to offer the key I give it in the
>>> command line first? Preferably as the only key offered, actually, but
>>> definitely before the default key, which on several machines drops me into
>>> another application.
>>>
>>> Is there some clever means or option I missed?
>>>
>>
>> Have you tried the -F option instead?
>>
> No, if I saw a config option to use the key the command line provides first I
> would put it in the system config file. Is there an option I missed? Having an
> option file for each key would seem a roundabout way to do things.

There are two ways to do it.  You can create "~/.ssh/config" files for
each local user that specify keys.  Or modify /etc/ssh/ssh_config and
put in:

	Host host.domain.tld
		IdentityFile /path/to/id_dsa/file

	Host host1.domain.tld
		IdentityFile /path/to/id_dsa-or-id_rsa/file

to make it global.  The paths to the filenames can use some
special tokens ("%d", "%u", etc.) to form the path.  See the
"IdentityFile" bit of "man ssh_config".

> Or have I missed your point? The issue is that I need different keys depending
> on what I'm doing, and the man page seems to say that the -i key will be used
> instead of the default, which is just what I need.

I think the "-i" is run in the context of the user actually running the
ssh command, not the user named in the "user@host" or "-l" options in
the command.

If this is right and you run the ssh command as "fred", and do something
like:

	ssh barney@remotehost
or
	ssh -l barney remotehost

the identity file will attempt to be read as user "fred".  Since the 
files are usually set with mode 600 (rw-------) and owned by their
user ("barney" in this case), fred can't read barney's files and ssh
sends out the system-wide default.

That's just an educated guess, you understand.  I've never used
identity files from another user.  90% of what I do via ssh is
interactive.  Running the ssh command with "-vvv" and watching the
output may reveal something completely different.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-           "I understand Windows 2000 has a Y2K problem."           -
----------------------------------------------------------------------
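
The "-vvv" check suggested above can be scripted. The following is an added example, not part of the original message: it lists the keys the client offered, in order, from ssh debug output. The function names, key paths and the two sample logs are constructed for illustration, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: report which keys an ssh client offered, and in what order.
# Real use:  ssh -v -i /path/to/key user@host true 2>&1 | offered_keys

# Print one offered key path per line, in the order ssh offered them.
# Handles "Offering public key: PATH", "Offering RSA public key: PATH"
# and "Offering public key: PATH TYPE FINGERPRINT ..." debug lines.
offered_keys() {
    awk '/^debug1: Offering .*public key: / {
        sub(/^debug1: Offering .*public key: /, "")
        print $1
    }'
}

# Succeed only if the first key offered is the expected one.
# $1 = expected key path; ssh debug output on stdin.
check_first_key() {
    first_offered=$(offered_keys | head -n 1)
    [ "$first_offered" = "$1" ]
}

# Constructed sample: the default key is offered before the -i key.
SAMPLE_DEFAULT_FIRST='debug1: Next authentication method: publickey
debug1: Offering public key: /home/fred/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/fred/.ssh/backup_key
debug1: Server accepts key: pkalg ssh-rsa blen 277'

# Constructed sample: only the backup key is offered (newer log format).
SAMPLE_ONLY_BACKUP='debug1: Next authentication method: publickey
debug1: Offering public key: /home/fred/.ssh/backup_key RSA SHA256:CONSTRUCTED explicit
debug1: Server accepts key: /home/fred/.ssh/backup_key RSA SHA256:CONSTRUCTED explicit'

for sample in "$SAMPLE_DEFAULT_FIRST" "$SAMPLE_ONLY_BACKUP"; do
    if printf '%s\n' "$sample" | check_first_key /home/fred/.ssh/backup_key; then
        echo "OK: backup key offered first"
    else
        echo "WARNING: another key was offered before the backup key:"
        printf '%s\n' "$sample" | offered_keys | sed 's/^/    /'
    fi
done
```

If a default key still shows up ahead of the intended one, ssh_config(5) documents "IdentitiesOnly yes", which limits the offer to the configured identity files; that option is not mentioned in this thread.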