ssh config - send selected keys to agent - ssh

I'm writing my ssh config file and want to send agents with selected keys. No keys are to leave my local machine, and the sent agents may only have the necessary keys. All keys require passwords. I don't want to type the password multiple times in sequence, e.g. when accessing server, but I don't mind entering it again whenever I access a machine. The following shows how I want to connect to the different servers:
local [--> git (git key)]
local --> frontend (compute key)
local --> frontend (compute key) --> server (compute key)
local --> frontend (compute key) [--> git] (git key)
local --> otherserver (password & app)
local --> otherserver (password & app) [--> git] (git key)
local --> somwhereelse (else key)
My local ssh config:
Host server
    HostName server.compute.net
    User user1
    AddKeysToAgent yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_compute
    IdentityFile ~/.ssh/id_ed25519_git
    ProxyJump frontend
Host frontend
    HostName frontend.compute.net
    User user1
    AddKeysToAgent yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_compute
    IdentityFile ~/.ssh/id_ed25519_git
Host otherserver
    Hostname otherserver.com
    User user2
    AddKeysToAgent yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_git
Host somwhereelse
    Hostname somewhereelse.com
    User user3
    AddKeysToAgent yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_else
Host git
    Hostname git.url.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_git
But when I try git pull on frontend, I get:
git@git.url.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Locally, git access works. I made sure an agent was running before logging in to frontend. What am I doing wrong?

In order for ssh on one of the remote hosts to use keys stored in the ssh-agent running on local, you must enable agent forwarding, either by using the -A option on the command line or by adding ForwardAgent yes to the configuration for the remote host.

Related

ssh_config AddKeysToAgent yes not working on Fedora

I've tried a multitude of things to get this working, but despite having the AddKeysToAgent variable set to yes in my ssh_config, the keys are not getting added.
This is my ssh-config:
Host *
    AddKeysToAgent yes
Host remote
    HostName /*hostname for remote here*/
    User dcaglar2
    IdentityFile ~/.ssh/personal_laptop
    IdentitiesOnly yes
Host git
    HostName github.com
    User git
    IdentityFile ~/.ssh/git
    IdentitiesOnly yes
and running
ssh-add -l
returns
The agent has no identities.
I've checked the man pages for ssh and ssh_config, but wasn't able to find anything.
I know that I can add a line to my .bashrc as a substitute but I just want to know what's wrong at this point.
From the description of AddKeysToAgent in the ssh_config manual:
If this option is set to yes and a key is loaded from a file, the key and its passphrase are added to the agent with the default lifetime, as if by ssh-add(1).
If I'm not mistaken, a key will be added to the agent the first time it's used. So try connecting to a remote and then run ssh-add -l again; you should then see the corresponding key in the output.

Using .ssh keys in Crontab

One of my weekly scripts won't log into a LAN server now. I added another entry into ~/.ssh/config and the crontab entry isn't taking. I just tried fixing it by specifically adding that server's parameters (it was represented by a wildcard entry when the crontab was working):
Load key "/Users/rich/.ssh/id_rsa": Permission denied
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
How can I fix this so the cron has access to that box? I tried copying over the key after my local change.
Here is my ~/.ssh/config file:
Host *
    AddKeysToAgent yes
    UseKeychain yes
Host uiop.local
    HostName uiop.local
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa
    User rich
Host qwer.local
    HostName qwer.local
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa
    User rich
Host github.com
    HostName github.com
    User Wonderful
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
I also use rsync on a LAN box that isn't working now. With one key present, it's assumed that key is the only one to use. But with the config file above, it still gets confused. I'm questioning whether the keys are added to the agent.
Was permissions. Set to 600 on the whole .ssh directory.

Multiple ssh key for the same gitlab host

I have two gitlab.com accounts, and since GitLab does not allow me to use the same ssh key for both, I have to generate two ssh keys.
I'm trying to configure ssh; here is my config:
Host company
    HostName gitlab.com
    User vunh
    IdentityFile ~/.ssh/id_rsa
Host private
    Hostname gitlab.com
    User hoangvu271297
    IdentityFile ~/.ssh/private
Both accounts are logged in to the same domain gitlab.com.
Previously, I did not configure anything because I only used id_rsa.
Until now the id_rsa still works fine, but I cannot find a way to clone the project using the private one.
I tried many configs from the Internet, but none of them work.
Is there any way to deal with this situation? I know it is configurable if there are two different hosts, such as gitlab.com and work.gitlab.com.
Many thanks.
The documentation covers this scenario.
You should set up your ssh config using a different Host configuration for each user. Say, user_1.gitlab.com and user_2.gitlab.com. You can use whatever value you want here; these are just examples.
# User1 Account Identity
Host user_1.gitlab.com
    Hostname gitlab.com
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/example_ssh_key1
# User2 Account Identity
Host user_2.gitlab.com
    Hostname gitlab.com
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/example_ssh_key2
You then use these Host keys when setting up your git repos.
For example, to clone using user_1 account:
git clone git@user_1.gitlab.com:gitlab-org/gitlab.git
Note that you should NOT provide your username as the User configuration in your SSH config. The username you use to connect to GitLab over SSH is always git. The identity file (ssh key), not ssh user, determines the GitLab user account.

GitHub multiple accounts: Can authenticate SSH with both accounts, but cannot clone repositories of one

I'm on my work computer, which is already [successfully] configured to connect to our GitHub account and authenticate our commits using SSH and GPG keys, respectively. Before I began changing things, my original ~/.ssh/config file was this:
Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa
To add my personal account, I generated a new SSH key (~/.ssh/id_rsa_personal), added the .pub part to my personal GitHub account, and modified my ~/.ssh/config file to the following:
# Default
Host *
    AddKeysToAgent yes
    UseKeychain yes
# Personal
Host github.com-PERSONAL
    HostName github.com
    User git
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_rsa_personal
# Work
Host github.com
    HostName github.com
    IdentityFile ~/.ssh/id_rsa
After this change, I am still able to interact with my work account without a problem – nothing has changed. However, when I attempt to interact with my personal account using
git clone git@github-PERSONAL:nikblanchet/myrepository.git
I am getting an error message:
Cloning into 'myrepository'...
ssh: Could not resolve hostname github-personal: nodename nor servname provided, or not known
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
To narrow down the issue, I decided to try a simple SSH authentication
ssh -T git@github.com-PERSONAL
and, surprisingly, it worked!
Hi nikblanchet! You've successfully authenticated, but GitHub does not provide shell access.
(Running ssh -T git@github.com authenticated with my work account, as expected.)
So now I'm lost. Why can ssh -T resolve the hostname while git clone cannot? What did I miss?
Your URL should be:
github.com-PERSONAL:nikblanchet/myrepository.git
You tried first
git@github-PERSONAL:nikblanchet/myrepository.git
That is why it was not able to resolve github-PERSONAL, which is not in your config file.
github.com-PERSONAL is.
Note: no need to add the git@ part: your config file does specify the User git already.

SSH IdentitiesOnly=yes forwarding all my keys

I cannot for the life of me figure out why my SSH config is forwarding the wrong key. I have two keys, we'll call them home_rsa and work_rsa. I have done the following:
eval `ssh-agent`
ssh-add -K ~/.ssh/home_rsa
ssh-add -K ~/.ssh/work_rsa
Here is my ~/.ssh/config file:
Host home
    ForwardAgent yes
    HostName home.com
    IdentityFile ~/.ssh/home_rsa
    IdentitiesOnly yes
    User home
Host work
    ForwardAgent yes
    HostName work.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/work_rsa
    User work
Host bitbucket
    IdentityFile ~/.ssh/home_rsa
Host bitbucket-work
    IdentityFile ~/.ssh/work_rsa
Host bitbucket*
    HostName bitbucket.com
    User git
When I run the following…
ssh work
ssh git@bitbucket.org
…Bitbucket reports that I'm using my home user, though I'm clearly logged into my work server and should be forwarding my work key. If I add my SSH identities in the reverse order and run the same code above, Bitbucket reports I'm using my work user. Running ssh-add -l from my work server, I see that both SSH keys are being forwarded, but isn't that the job of IdentitiesOnly yes?
Really confused as to what's going on here.
The ForwardAgent option forwards the connection to your agent, with all the keys inside, and does not forward your local ~/.ssh/config to the remote host. What you do on the work host is controlled by your configuration on that host.
What are you trying to do with that?
You need to update your ssh keys with their equivalent bitbucket account first at their website (work user with work_rsa, user with user_rsa). Then maybe this could help.
Host bitbucket-work
    HostName bitbucket.org
    IdentitiesOnly yes
    IdentityFile ~/.ssh/work_rsa
    User work
Usage:
ssh bitbucket-work
ssh bitbucket
As written in the accepted answer, selecting keys used for authentication is not related to what keys are forwarded. Separate ssh-agents are needed. Luckily that is easily configured.
From ssh-agent(1) we can learn that it takes a -a option to specify bind_address, and ssh_config(5) tells us that ForwardAgent can be set to what turns out to be the same value.
Prepare your agents:
eval `ssh-agent -a ~/.ssh/home.agent`
ssh-add ~/.ssh/home_rsa
eval `ssh-agent -a ~/.ssh/work.agent`
ssh-add ~/.ssh/work_rsa
unset SSH_AUTH_SOCK SSH_AGENT_PID
Configure your ssh:
Host work
    HostName work.example.com
    ForwardAgent ~/.ssh/work.agent
    IdentityAgent ~/.ssh/work.agent
Host home
    HostName home.example.com
    ForwardAgent ~/.ssh/home.agent
    IdentityAgent ~/.ssh/home.agent
That should completely separate home and work keys. Setting IdentityAgent to a different value than ForwardAgent is left as an exercise for someone exposed to a threat level calling for such complexity.
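An added example, not taken from the question or any of the answers, that serves both the first question (no ForwardAgent on frontend, so git on frontend has no key to use) and the last answer (a per-host agent socket): a small Python resolver that applies ssh_config's first-match rule to a constructed config and reports, per host alias, which keys are offered for login versus which agent socket the far end gets. The config text and the alias names are constructed for the demonstration; the script does not read ~/.ssh/config, and Match blocks and negated patterns are not modelled.

```python
import fnmatch

# Constructed ssh_config modelled on the posts above, not any poster's real file.
SAMPLE_CONFIG = """
Host work
    IdentitiesOnly yes
    IdentityFile ~/.ssh/work_rsa
    ForwardAgent ~/.ssh/work.agent
    IdentityAgent ~/.ssh/work.agent
Host frontend
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_compute
    IdentityFile ~/.ssh/id_ed25519_git
"""

def parse(text):
    """Split ssh_config into (host patterns, [(keyword, value), ...]) stanzas."""
    stanzas = [(["*"], [])]  # options before the first Host line apply everywhere
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # Match blocks and '!' patterns not modelled
        if parts and parts[0].lower() == "host":
            stanzas.append((parts[1:], []))
        elif parts:
            stanzas[-1][1].append((parts[0].lower(), " ".join(parts[1:])))
    return stanzas

def effective(stanzas, alias):
    """First value obtained for a keyword wins; IdentityFile accumulates instead."""
    opts = {"identityfile": []}
    for patterns, options in stanzas:
        if not any(fnmatch.fnmatchcase(alias.lower(), p.lower()) for p in patterns):
            continue
        for keyword, value in options:
            if keyword == "identityfile":
                opts["identityfile"].append(value)
            else:
                opts.setdefault(keyword, value)
    return opts

def agent_exposure(stanzas, alias):
    """Keys the far end of `ssh alias` can see: those offered for login (all that
    IdentitiesOnly restricts) and the agent socket forwarded, if any."""
    o = effective(stanzas, alias)
    offered = list(o["identityfile"])
    if o.get("identitiesonly", "no") != "yes":
        offered.append("(plus every key held by the agent)")
    fwd = o.get("forwardagent", "no")
    if fwd == "yes":  # forwards the agent ssh itself talks to
        fwd = o.get("identityagent", "$SSH_AUTH_SOCK")
    return {"offered": offered, "forwarded_agent": None if fwd == "no" else fwd}
```

For `frontend` the result has no forwarded agent, which is the first question's failure; for `work` only the dedicated socket is forwarded, so the far end never sees home_rsa.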