
How to ensure that OpenSSH client uses explicitly configured authentication identity

Ensure that the OpenSSH client uses only the explicitly configured authentication identity, even if the authentication agent offers more identities.

Use the IdentitiesOnly OpenSSH client parameter to control this behavior.

IdentitiesOnly
    Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1)
    command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities.  The argument to this keyword must be yes or no (the default).  This option is
    intended for situations where ssh-agent offers many different identities.
ssh_config manual page

List all identities currently represented by the agent.

$ ssh-add -l
2048 SHA256:KRx5Bc6JPu2tN8Vs3m8j3pet2l9jk2lw7nG8Ko8xWT6E /home/milosz/.ssh/milosz (RSA)
2048 SHA256:2neJy5PhdL8b02RolxSBsZsyggGwMIgZa022ZMZsay3v /home/milosz/.ssh/ansible (RSA)

By default, the OpenSSH client will try every available identity (including those offered by the agent) until one is accepted for the remote user or all identities are exhausted.

$ ssh -o IdentitiesOnly=no internal.example.org -l ansible -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
debug1: Offering public key: RSA SHA256:KRx5Bc6JPu2tN8Vs3m8j3pet2l9jk2lw7nG8Ko8xWT6E /home/milosz/.ssh/milosz
debug1: Offering public key: RSA SHA256:2neJy5PhdL8b02RolxSBsZsyggGwMIgZa022ZMZsay3v /home/milosz/.ssh/ansible
debug1: Exit status 0

With the IdentitiesOnly option enabled, the OpenSSH client will try only the explicitly provided identities, even if the authentication agent offers more. Without an explicit IdentityFile it has nothing to offer at all, and without the matching key it is denied.

$ ssh -o IdentitiesOnly=yes internal.example.org -l ansible -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
ansible@internal.example.org: Permission denied (publickey).
$ ssh -o IdentitiesOnly=yes internal.example.org -l ansible -i ~/.ssh/milosz -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
debug1: Offering public key: RSA SHA256:KRx5Bc6JPu2tN8Vs3m8j3pet2l9jk2lw7nG8Ko8xWT6E /home/milosz/.ssh/milosz
ansible@internal.example.org: Permission denied (publickey).
$ ssh -o IdentitiesOnly=yes internal.example.org -l ansible -i ~/.ssh/ansible -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
debug1: Offering public key: RSA SHA256:2neJy5PhdL8b02RolxSBsZsyggGwMIgZa022ZMZsay3v /home/milosz/.ssh/ansible
debug1: Exit status 0

Use the ~/.ssh/config OpenSSH client configuration file to take advantage of this option transparently.

# OpenSSH SSH client configuration
Host *
  IdentitiesOnly yes
Host internal.example.org
  Port 22
  HostName 192.0.2.134
  User ansible
  IdentityFile ~/.ssh/ansible
Host jenkins_master
  HostName 10.20.5.2
  Port 22
  User admin
  IdentityFile ~/.ssh/jenkins_master
Host jenkins_node_01
  HostName 10.20.5.11
  Port 22
  User node_admin
  IdentityFile ~/.ssh/jenkins_node
Host jenkins_node_02
  HostName 10.20.5.12
  Port 22
  User node_admin
  IdentityFile ~/.ssh/jenkins_node

The IdentitiesOnly option is now enforced for every host, so remember to always define IdentityFile in each Host block; a block without one will be denied even though the agent holds the right key.

$ ssh internal.example.org -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
debug1: Offering public key: RSA SHA256:2neJy5PhdL8b02RolxSBsZsyggGwMIgZa022ZMZsay3v /home/milosz/.ssh/ansible
debug1: Exit status 0
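An added check for the caveat above (not part of the original article): a POSIX shell function that scans an ssh_config-style file for Host blocks that would be rejected under IdentitiesOnly yes because they declare no IdentityFile. It assumes the "Keyword value" syntax used in the article; Match blocks and the "Keyword=value" form are not handled, and the sample configuration and the legacy.example.org host are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample client configuration in the article's layout. jenkins_node_02
# lacks an IdentityFile, and legacy.example.org (a constructed host) opts out of
# IdentitiesOnly explicitly, so only jenkins_node_02 should be reported.
SAMPLE_CONFIG=$(cat <<'EOF'
# OpenSSH SSH client configuration
Host *
  IdentitiesOnly yes
Host internal.example.org
  HostName 192.0.2.134
  User ansible
  IdentityFile ~/.ssh/ansible
Host jenkins_node_02
  HostName 10.20.5.12
  User node_admin
Host legacy.example.org
  IdentitiesOnly no
  User admin
EOF
)

# Read an ssh_config on stdin and print every Host block (other than the "*" default)
# that has IdentitiesOnly in effect but declares no IdentityFile: those hosts fail with
# "Permission denied (publickey)" because the agent's keys are ignored.
hosts_missing_identityfile() {
  awk '
    tolower($1) == "host" {
      host = $2; for (i = 3; i <= NF; i++) host = host " " $i   # keep multi-pattern Host lines whole
      if (host != "*") { n++; names[n] = host; ident[n] = 0; only[n] = "" }
      next
    }
    host == "*" && tolower($1) == "identitiesonly" { global_yes = (tolower($2) == "yes") }
    host != "*" && n > 0 && tolower($1) == "identitiesonly" { only[n] = tolower($2) }
    host != "*" && n > 0 && tolower($1) == "identityfile" { ident[n] = 1 }
    END {
      for (i = 1; i <= n; i++)
        if (!ident[i] && (only[i] == "yes" || (only[i] == "" && global_yes))) print names[i]
    }
  '
}

# Wrapper for a config file: exit 1 and list the offending hosts on stderr.
check_ssh_config() {
  missing=$(hosts_missing_identityfile < "$1")
  [ -z "$missing" ] && return 0
  printf 'Host blocks without IdentityFile while IdentitiesOnly yes applies:\n%s\n' "$missing" >&2
  return 1
}

printf '%s\n' "$SAMPLE_CONFIG" | hosts_missing_identityfile   # prints: jenkins_node_02
```

Run check_ssh_config against ~/.ssh/config before relying on a global IdentitiesOnly yes; a host listed by it is one the agent would have authenticated but the new configuration will not.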