I’ve realized over the past few months that the ssh’s command flag "-i" (which refers to specify an identity file) doesn’t work properly when I try to authenticate to some server.
From what I understood, I could use this flag to specify an ssh key to authenticate to the server, avoiding the need to test over each key added to my agent and possibly overflow the connection attempts.
What I’m trying now is to change the user to authenticate to git (the question is not git specific), and what is happening is this:
There’s no problem at all with the keys, both have been added to the agent and they have the correct file permissions.
To circumvent this I had to remove all the keys from my agent and re-add only the user2.pem, then it authenticated to user2.
Just to reiterate, this is NOT git specific, as I had this problem with common linux servers as well, and I couldn’t find any solution besides configuring the hosts in the
~/.ssh/config file. I’m using git as example just because it is easier to test.
Am I using "ssh -i" flag in the wrong way?
From the descrition of your problem, this is related to (the absence of) this option seen in
Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the
ssh_configfiles or passed on the ssh(1) command-line, even if ssh-agent(1) or a
PKCS11Provideroffers more identities. The argument to this keyword must be
no(the default). This option is intended for situations where ssh-agent offers many different identities.
You are also probably enabling the
AddKeysToAgent option (which is handy) which will automatically keep user1 loaded in the agent after first use.
So you should run this:
ssh -T -o IdentitiesOnly=yes -i ~/.ssh/user2.pem [email protected]
This will prevent the identity for user1 to be ever considered for authentication and force the use of the identity for user2.
Alternately (but not so useful) unsetting the environment variable
SSH_AUTH_SOCK will render the ssh agent unavailable to the command. This would have a similar result, except you'd be asked each time the passphrase again instead of the agent providing the decrypted key itself in the former case once loaded.
Answered by A.B on November 26, 2021
1 Asked on November 18, 2021 by simplex123
6 Asked on November 18, 2021 by martin-klosi
1 Asked on November 18, 2021 by fahad-alduraibi
1 Asked on November 18, 2021
3 Asked on November 18, 2021
1 Asked on November 18, 2021 by bartholomew
2 Asked on November 18, 2021 by jmcph4
0 Asked on November 18, 2021 by 3therk1ll
0 Asked on November 18, 2021 by rcook
0 Asked on November 18, 2021 by currin-samand
1 Asked on November 18, 2021 by standupp
1 Asked on November 18, 2021 by sandren-troy-milante
0 Asked on November 16, 2021
2 Asked on November 16, 2021
1 Asked on November 16, 2021
3 Asked on November 16, 2021
Get help from others!