How can I specify the order in which OpenSSH's SSH client (OpenSSH_7.5p1, OpenSSL 1.0.2k 26 Jan 2017; Git for Windows v2.11.1) offers the public/private key pairs to a SSH compliant daemon such as Apache Mina SSHD (Gerrit Code Review service). My intention is to try to authenticate with an Ed25519 public/private key pair before falling back to RSA.
Given the following standard Ed25519 and RSA public/private key pairs below the user's home directory:
~/.ssh/id_ed25519{,.pub}~/.ssh/id_rsa{,.pub}
and the following Host sections in the user's SSH configuration file (~/.ssh/config):
Host foobar foobar.example.com
Hostname foobar.example.com
IdentityFile ~/.ssh/id_ed25519
Host *
IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_rsa
when testing the SSH connection in debug mode:
$ ssh -Tv bob@foobar
debug1: Reading configuration data ~/.ssh/config
debug1: ~/.ssh/config line 49: Applying options for foobar
debug1: ~/.ssh/config line 63: Applying options for *
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ~/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: ~/.ssh/id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Authentication succeeded (publickey).
I can see that OpenSSH's SSH client offers the RSA public/private key pair first. But why not first Ed25519?
Best Answer
Add
IdentitiesOnlyoption. Without this option SSH tries first default ssh-keys available:id_rsa,id_dsa,id_ecdsa. To change this behaviour replace your config with this one: