Win32-OpenSSH
ssh-agent is ignored with "IdentitiesOnly yes" config file setting
"OpenSSH for Windows" version 8.1.0.0
Server OperatingSystem Linux
Client OperatingSystem Windows 10 Pro
What is failing
When using IdentitiesOnly yes in an SSH config, ssh.exe always asks for the encryption key of an encrypted authentication key, even if this key is loaded in ssh-agent and AddKeysToAgent yes is set in the same config files (even though the key is added to the agent). I do not think this is intended behavior.
This behavior has been described in https://github.com/PowerShell/Win32-OpenSSH/issues/1133#issuecomment-417090885, but that issue has been closed, probably because there were a host of tangent issues discussed.
Expected output
The key should be obtained from the ssh-agent.
Actual output
It is not.
I'm also having this issue on Windows 10.
If I leave out IdentitiesOnly I am not asked for a passphrase, if I add IdentitiesOnly yes I am prompted for the passphrase.
If I then add say 15 identities to the config file without IdentitiesOnly, I get the "Too many authentication failures" error and I can't log in at all.
Is this being worked on at all?
I have also just encountered this issue.
Any update?
Anybody home??
Hey, I have exactly the same issue. There is a high possibility that this is by design...
From man: IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. The argument to this keyword must be ''yes'' or ''no''. This option is intended for situations where ssh-agent offers many different identities. The default is ''no''.
I have found a nice post on superuser.com.
Also, the workaround would be: replace IdentitiesOnly yes with AddKeysToAgent yes and run ssh-agent -D. This will work just perfect until you add more than 4~5 keys (I guess that adding order matters) to the ssh-agent. :weary:
The mystery is: why does the config ignore IdentityFile when the IdentitiesOnly is set to no...
Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities.
To me, this does not necessarily imply that ssh could not also ask ssh-agent for those authentication identity files which are configured (unless there is a technical hurdle that I am overlooking).
This will work just perfect until you add more than 4~5 keys
Which may very easily happen due to #1487.
In Linux OpenSSH, I have 6+ keys in the ssh-agent, which usually is too many. So I use -o IdentitiesOnly=yes -i publickey.pub (prepared the config file for convenience) to nail it down to only the private key in the agent that matches the specified public key.
OpenSSH man page:
IdentityFile may be used in conjunction with IdentitiesOnly to select which identities in an agent are offered during authentication
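The approach in the comment above (IdentitiesOnly together with an IdentityFile that points at a public key whose private half stays in the agent), as an added example that is not part of the original thread or of the project's code. The function names `pin_agent_key` and `sample_agent_listing`, the key blobs, the key comments and the host name are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin a single agent-held key to one host.
# Function names, key blobs, comments and host names are constructed.

# Constructed stand-in for `ssh-add -L` output: "type base64 comment" per key.
sample_agent_listing() {
    cat <<'EOF'
ssh-ed25519 AAAACONSTRUCTEDKEY1 alice@laptop
ssh-ed25519 AAAACONSTRUCTEDKEY2 deploy@build
ssh-rsa AAAACONSTRUCTEDKEY3 backup@nas
EOF
}

# pin_agent_key <key-comment> <host> <ssh-dir>
# Reads an `ssh-add -L` listing on stdin, picks the key whose comment equals
# <key-comment>, saves its public half as <ssh-dir>/<host>.pub and appends a
# Host stanza so only that identity is offered to <host>.
pin_agent_key() {
    want=$1; host=$2; ssh_dir=$3
    pub="$ssh_dir/$host.pub"
    # Strip "type base64 " and compare the rest (the comment) exactly.
    match=$(awk -v want="$want" '
        { c = $0; sub(/^[^ ]+ +[^ ]+ +/, "", c) }
        c == want { print }')
    n=$(printf '%s\n' "$match" | awk 'NF { n++ } END { print n + 0 }')
    # Refuse to guess when the comment is missing or ambiguous in the agent.
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one agent key with comment '$want', found $n" >&2
        return 1
    fi
    (
        umask 077   # keep the new files private to the user
        mkdir -p "$ssh_dir"
        printf '%s\n' "$match" > "$pub"
        cat >> "$ssh_dir/config" <<EOF

Host $host
    IdentityFile $pub
    IdentitiesOnly yes
EOF
    )
}

# Real use: ssh-add -L | pin_agent_key 'deploy@build' build-server "$HOME/.ssh"
```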