Using the IdentityFile directive in ssh_config when AgentForwarding is in use

deploymentgitsshssh-agent

Is it possible to specify forwarded keys using the IdentityFile directive in .ssh/config?

I ran into this quirk when trying to deploy some code via Capistrano/GIT on our production server. Both my personal and my work GIT keys are always loaded in my SSH agent and it just so happened that my personal key was added to the agent first. I use agent forwarding when deploying with Capistrano so when the host tried to authenticate the `git pull` operation it failed with the following error:

ERROR: Permission to `some repo` denied to `your user`.

because it attempted to authenticate using my personal git key before trying the appropriate key (which came later in the ssh agent) and assumed that I was accessing a foreign repo which I don't have permission to access. I can potentially just give my personal user access to every work repo but on my local machine I can get around this problem by defining custom domains in .ssh/config like so:

Host personal.github.com
Hostname github.com
User git
IdentityFile ~/.ssh/some_key

Host work.github.com
Hostname github.com
User git
IdentityFile ~/.ssh/some_other_key

and this way git never gets confused. Is it possible to create .ssh/config rules for forwarded keys on my production boxes so they always know which key to use when pulling in new code? Basically I want to be able to do:

Host work.github.com
Hostname github.com
User git
IdentityFile some_forwarded_key

Thanks!

Best Answer

You can use the public part of a key to to specify which private key you want to use from the forwarded agent. This requires creating an extra file (the public part of the key) on any “intermediate” machines (machines to which you forward your local ssh-agent).

Arrange for the intermediate machine to have a copy of the public part of the desired key in a convenient location (e.g. ~/.ssh/some_other_key.pub).

From any machine that already has the public part of the key:
```
scp some_other_key.pub intermediate:.ssh/
```
or, on the intermediate machine:
```
ssh-add -L | grep something_unique > ~/.ssh/some_other_key.pub
```
You may want to edit the trailing “comment” part of the public key to better identify the key’s origin/owner/purpose (or attempt to hide the same).
Use the pathname to the above public key file with -i or IdentityFile.
You may also need to use IdentitiesOnly yes (in .ssh/config or -o) to keep ssh from trying to offer any additional identities from your forwarded agent.

Related Solutions

Using Multiple SSH Public Keys

If you have an active ssh-agent that has your id_rsa key loaded, then the problem is likely that ssh is offering that key first. Unfuddle probably accepts it for authentication (e.g. in sshd) but rejects it for authorization to access the company repositories (e.g. in whatever internal software they use for authorization, possibly something akin to Gitolite). Perhaps there is a way to add your personal key to the company account (multiple people are not sharing the same corp_rsa public and private key files, are they?).

The IdentitiesOnly .ssh/config configuration keyword can be used to limit the keys that ssh offers to the remote sshd to just those specified via IdentityFile keywords (i.e. it will refuse to use any additional keys that happen to be loaded into an active ssh-agent).

Try these .ssh/config sections:

Host {personalaccount}.unfuddle.com
     IdentityFile ~/.ssh/id_rsa
     IdentitiesOnly yes

Host {companyaccount}.unfuddle.com
     IdentityFile ~/.ssh/{companyaccount}_rsa
     IdentitiesOnly yes

Then, use Git URLs like these:

git@{personalaccount}.unfuddle.com:{personalaccount}/my-stuff.git
git@{companyaccount}.unfuddle.com:{companyaccount}/their-stuff.git

If you want to take full advantage of the .ssh/config mechanism, you can supply your own custom hostname and change the default user name:

Host uf-mine
     HostName {personalaccount}.unfuddle.com
     User git
     IdentityFile ~/.ssh/id_rsa
     IdentitiesOnly yes

Host uf-comp
     HostName {companyaccount}.unfuddle.com
     User git
     IdentityFile ~/.ssh/{companyaccount}_rsa
     IdentitiesOnly yes

Then, use Git URLs like these:

uf-mine:{personalaccount}/my-stuff.git
uf-comp:{companyaccount}/their-stuff.git

How to force SSH to ignore the IdentityFile listed in “Host *” for one specific host

A Host line can have more than one pattern. And it's not really spelled out in the documentation, but a "!" (exclamation) at the beginning of a pattern means "if a host matches this pattern, then don't apply the section". In other words, you can do this:

Host * !special1 !special2
IdentityFile etc...

And it should match any host except "special1" and "special2".

I don't think the order of the patterns is important. The hostname being checked has to match one non-exclamation pattern, and it has to not match any exclamation patterns.

Best Answer

Related Solutions

Using Multiple SSH Public Keys

How to force SSH to ignore the IdentityFile listed in “Host *” for one specific host

Related Question