I've tried a multitude of things to get this working but despite having the AddKeysToAgent variable set to yes in my ssh_config the keys are not getting added.
This is my ssh-config:
Host *
AddKeysToAgent yes
Host remote
HostName /*hostname for remote here*/
User dcaglar2
IdentityFile ~/.ssh/personal_laptop
IdentitiesOnly yes
Host git
HostName github.com
User git
IdentityFile ~/.ssh/git
IdentitiesOnly yes
and running
ssh-add -l
returns
The agent has no identites.
I've checked the man pages ssh, ssh_config, but wasn't able to find anything.
I know that I can add a line to my .bashrc as a substitute but I just want to know what's wrong at this point.
From the description of AddKeysToAgent in the ssh_config manual:
If this option is set to yes and a key is loaded from a file, the key and its passphrase are added to the agent with the default lifetime, as if by ssh-add(1).
If I'm not mistaken, a key will be added to the agent the first time it's used. So try connecting to a remote and then run ssh-add -l again, you should then see the corresponding key in the output.
Related
I've found that when running ssh from the command line on my system is different than running it from the ~/.ssh/config file. But I'm not sure how to fix it or if its a problem with the program itself.
I have a server (blueberry.local) and a client (xps.local). Both have a user named bob. Both can resolve each-other with the host command from either box.
The server is running sshd with the following configuration (/etc/ssh/sshd_config):
UsePAM yes
Banner none
AddressFamily any
Port 22
X11Forwarding no
PermitRootLogin no
GatewayPorts no
PasswordAuthentication no
KbdInteractiveAuthentication no
PrintMotd no
AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms sntrup761x25519-sha512#openssh.com,curve25519-sha256,curve25519-sha256#libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305#openssh.com,aes256-gcm#openssh.com,aes128-gcm#openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm#openssh.com,hmac-sha2-256-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128#openssh.com
LogLevel INFO
UseDNS no
And from my client I'm running ssh with this configuration (~/.ssh/config):
Host blueberry.stark.local
Port 22
HostName blueberry.local
IdentityFile ~/.ssh/blueberry_rsa
IdentitiesOnly yes
When running ssh from the command line like this:
ssh bob#blueberry.local -i ~/.ssh/blueberry_rsa
The command works and I can successfully connect via ssh to the server.
However, when running ssh from the command line using the client configuration like this:
ssh bob#blueberry.local
I get an authentication error:
bob#blueberry.local: Permission denied (publickey).
What's going on here? I've tried to remove configuration properties and the like but it never works.
What's even stranger is that I have another client configuration just like that that works without any issues at all...
The issue is likely caused by two factors:
Based on your example command, your Host and HostName values are mixed up:
Host <this should be what you type on the CLI>
...
HostName <The real hostname of the server>
...
This means ssh isn't actually going to use any of the configuration you provided. Making the following change should work.
Host blueberry.local
Port 22
HostName blueberry.stark.local
IdentityFile ~/.ssh/blueberry_rsa
IdentitiesOnly yes
This is most likely if the following command works with the configuration you posted:
ssh bob#blueberry.starlink.local
If you expected ssh to just try all of your private keys until it found the right one, (~/.ssh/blueberry_rsa), its likely you haven't added it to your ssh-agent (you can confirm by running ssh-add -L and check the output.
by default ssh will check these paths, then any additional keys in the agent:
~/.ssh/id_rsa
~/.ssh/id_ecdsa
~/.ssh/id_ecdsa_sk
~/.ssh/id_ed25519
~/.ssh/id_ed25519_sk
~/.ssh/id_xmss
~/.ssh/id_dsa
Its likely you only have ~/.ssh/id_rsa in your agent which is what is throwing the
When in trouble, its always helpful to run ssh -vvv <rest of your command> to see whats happening under the hood 😉.
I'm trying to auto load key to ssh-agent so that I don't need to ssh-add all the key manually one by one...
Here's my ~/.ssh/config --
Host *
UseKeychain yes
AddKeysToAgent yes
IdentityFile /home/i331281/.ssh/git_pri_key
Host jenkins
HostName jenkins1.myorg.org
UseKeychain yes
AddKeysToAgent yes
IdentityFile /home/i331281/.ssh/jenkins_pri_key
But I found after I login ssh-agent with -- "ssh-agent bash"
the key list is always empty --
> ssh-add -l
The agent has no identities.
My ssh client's version is -- OpenSSH_7.2p2, OpenSSL 1.0.2p-fips 14 Aug 2018 -- so I think it should support that "AddKeysToAgent" option.
Please kind have check if my .ssh/config is wrong? and how to fix it? Thanks
Regards
Eisen
One of my weekly scripts won't log into a LAN server now. I added another entry into ~/.ssh/config and the crontab entry isn't taking. I just tried fixing it by specifically adding that server parameters (it was represented by a wildcard entry when the crontab was working)
Load key "/Users/rich/.ssh/id_rsa": Permission denied
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
How can I fix this so the cron has access to that box? I tried copying over the key after my local change.
Here is my ~/.ssh/config file:
Host *
AddKeysToAgent yes
UseKeychain yes
Host uiop.local
HostName uiop.local
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
User rich
Host qwer.local
HostName qwer.local
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
User rich
Host github.com
HostName github.com
User Wonderful
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes
I also use rsync on a LAN box that isn't working now. With one key is present, it's assumed that key is the only one to use. But with the config file above, it still gets confused. I'm questioning if the keys are added to the agent.
Was permissions. Set to 600 on the whole .ssh directory.
I'm writing my ssh config file and want to send agents with selected keys. No keys are to leave my local machine and the sent agents may only have the necessary keys. All keys require passwords. I don't want to type password multiple times in sequence, e.g. when accessing server, but don't mind entering it again whenever I access a machine. The following shows how I want to connect to the different servers:
local [--> git (git key)]
local --> frontend (compute key)
local --> frontend (compute key) --> server (compute key)
local --> frontend (compute key) [--> git] (git key)
local --> otherserver (passwort & app)
local --> otherserver (passwort & app) [--> git] (git key)
local --> somwherelse (else key)
My local ssh config:
Host server
HostName server.compute.net
User user1
AddKeysToAgent yes
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519_compute
IdentityFile ~/.ssh/id_ed25519_git
ProxyJump frontend
Host frontend
HostName frontend.compute.net
User user1
AddKeysToAgent yes
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519_compute
IdentityFile ~/.ssh/id_ed25519_git
Host otherserver
Hostname otherserver.com
User user2
AddKeysToAgent yes
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519_git
Host somwhereelse
Hostname somewhereelse.com
User user3
AddKeysToAgent yes
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519_else
Host git
Hostname git.url.com
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519_git
But when I try git pull on frontend, I get:
git#git.url.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Locally, git access works. I made sure an agent was running before logging in to frontend. What do I do wrong?
In order for ssh on one of the remote hosts to use keys stored in the ssh-agent running on local, you must enable agent forwarding, either by using the -A option on the command line or by adding ForwardAgent yes to the configuration for the remote host.
I cannot for the life of me figure out why my SSH config is forwarding the wrong key. I have two keys, we'll call them home_rsa and work_rsa. I have done the following:
eval `ssh-agent`
ssh-add -K ~/.ssh/home_rsa
ssh-add -K ~/.ssh/work_rsa
Here is my ~/.ssh/config file:
Host home
ForwardAgent yes
HostName home.com
IdentityFile ~/.ssh/home_rsa
IdentitiesOnly yes
User home
Host work
ForwardAgent yes
HostName work.com
IdentitiesOnly yes
IdentityFile ~/.ssh/work_rsa
User work
Host bitbucket
IdentityFile ~/.ssh/home_rsa
Host bitbucket-work
IdentityFile ~/.ssh/work_rsa
Host bitbucket*
HostName bitbucket.com
User git
When I run the following…
ssh work
ssh git#bitbucket.org
…Bitbucket reports that I'm using my home user, though I'm clearly logged into my work server and should be forwarding my work key. If I add my SSH identities in the reverse order and run the same code above, Bitbucket reports I'm using my work user. Running ssh-add -l from my work server, I see that both SSH keys are being forwarded, but isn't that the job of IdentitiesOnly yes?
Really confused as to what's going on here.
Really confused as to what's going on here.
ForwardAgent option forwards the connection to your agent, with all the keys inside and does not forward your local ~/.ssh/config to remote host. What you do on the work host is controlled by your configuration on that host.
What are you trying to do with that?
You need to update your ssh keys with their equivalent bitbucket account first at their website (work user with work_rsa, user with user_rsa). Then maybe this could help.
Host bitbucket-work
HostName bitbucket.org
IdentitiesOnly yes
IdentityFile ~/.ssh/work_rsa
User work
Usage:
ssh bitbucket-work
sshbitbucket
As written in the accepted answer, selecting keys used for authentication is not related to what keys are forwarded. Separate ssh-agents are needed. Luckily that is easily configured.
From ssh-agent (1) we can learn that it takes a -a option to specify bind_address, and ssh_config (5) tells that ForwardAgent can be set to what turns out to be the same value.
Prepare your agents:
eval `ssh-agent -a ~/.ssh/home.agent`
ssh-add ~/.ssh/home_rsa
eval `ssh-agent -a ~/.ssh/work.agent`
ssh-add ~/.ssh/work_rsa
unset SSH_AUTH_SOCK SSH_AGENT_PID
Configure your ssh:
Host work
HostName work.example.com
ForwardAgent ~/.ssh/work.agent
IdentityAgent ~/.ssh/work.agent
Host home
HostName home.example.com
ForwardAgent ~/.ssh/home.agent
IdentityAgent ~/.ssh/home.agent
That should completely separate home and work keys. Setting IdentityAgent to a different value than ForwardAgent is left as an exercise for someone exposed to a threat level calling for such complexity.