I cannot for the life of me figure out why my SSH config is forwarding the wrong key. I have two keys, we'll call them home_rsa and work_rsa. I have done the following:
eval `ssh-agent`
ssh-add -K ~/.ssh/home_rsa
ssh-add -K ~/.ssh/work_rsa
Here is my ~/.ssh/config file:
Host home
    ForwardAgent yes
    HostName home.com
    IdentityFile ~/.ssh/home_rsa
    IdentitiesOnly yes
    User home
Host work
    ForwardAgent yes
    HostName work.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/work_rsa
    User work
Host bitbucket
    IdentityFile ~/.ssh/home_rsa
Host bitbucket-work
    IdentityFile ~/.ssh/work_rsa
Host bitbucket*
    HostName bitbucket.com
    User git
When I run the following…
ssh work
ssh git@bitbucket.org
…Bitbucket reports that I'm using my home user, though I'm clearly logged into my work server and should be forwarding my work key. If I add my SSH identities in the reverse order and run the same code above, Bitbucket reports I'm using my work user. Running ssh-add -l from my work server, I see that both SSH keys are being forwarded, but isn't that the job of IdentitiesOnly yes?
Really confused as to what's going on here.
The ForwardAgent option forwards the connection to your agent, with all the keys inside, and does not forward your local ~/.ssh/config to the remote host. What you do on the work host is controlled by your configuration on that host.
What are you trying to do with that?
You need to register your SSH keys with their respective Bitbucket accounts first at their website (work user with work_rsa, home user with home_rsa). Then maybe this could help.
Host bitbucket-work
    HostName bitbucket.org
    IdentitiesOnly yes
    IdentityFile ~/.ssh/work_rsa
    User work
Usage:
ssh bitbucket-work
ssh bitbucket
As written in the accepted answer, selecting keys used for authentication is not related to what keys are forwarded. Separate ssh-agents are needed. Luckily that is easily configured.
From ssh-agent (1) we can learn that it takes a -a option to specify bind_address, and ssh_config (5) tells that ForwardAgent can be set to what turns out to be the same value.
Prepare your agents:
eval `ssh-agent -a ~/.ssh/home.agent`
ssh-add ~/.ssh/home_rsa
eval `ssh-agent -a ~/.ssh/work.agent`
ssh-add ~/.ssh/work_rsa
unset SSH_AUTH_SOCK SSH_AGENT_PID
Configure your ssh:
Host work
    HostName work.example.com
    ForwardAgent ~/.ssh/work.agent
    IdentityAgent ~/.ssh/work.agent
Host home
    HostName home.example.com
    ForwardAgent ~/.ssh/home.agent
    IdentityAgent ~/.ssh/home.agent
That should completely separate home and work keys. Setting IdentityAgent to a different value than ForwardAgent is left as an exercise for someone exposed to a threat level calling for such complexity.
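A runnable version of that setup, added here as an example and not taken from the answer: it starts one agent per key under a temporary directory (stand-ins for ~/.ssh/home.agent and ~/.ssh/work.agent), generates throwaway ed25519 keys in place of home_rsa and work_rsa, confirms that each agent socket exposes exactly one key, and prints the matching Host stanza. All paths, key names and the example hostnames are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): one ssh-agent per key, each bound
# to its own socket, so ForwardAgent/IdentityAgent can point at exactly one of
# them.  Everything lives under a temp dir: the keys are throwaway ed25519
# keys standing in for home_rsa and work_rsa, and the sockets stand in for
# ~/.ssh/home.agent and ~/.ssh/work.agent.
set -eu

DEMO_DIR=$(mktemp -d)

cleanup() {
    # Stop the agents we started, then remove keys and sockets.
    for pidfile in "$DEMO_DIR"/*.pid; do
        [ -f "$pidfile" ] && kill "$(cat "$pidfile")" 2>/dev/null || true
    done
    rm -rf "$DEMO_DIR"
}
trap cleanup EXIT

# start_agent NAME KEYFILE: start an agent bound to $DEMO_DIR/NAME.agent and
# load only KEYFILE into it.  -a picks the socket path; -s prints sh-style
# output from which the pid is taken for cleanup.
start_agent() {
    name=$1
    key=$2
    sock=$DEMO_DIR/$name.agent
    ssh-agent -s -a "$sock" > "$DEMO_DIR/$name.env"
    sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$DEMO_DIR/$name.env" \
        > "$DEMO_DIR/$name.pid"
    # ssh-add talks to whatever SSH_AUTH_SOCK names, so scope it to this call.
    SSH_AUTH_SOCK=$sock ssh-add "$key" >/dev/null 2>&1
}

# keys_in_agent NAME: key comments held by the agent on NAME.agent, one per
# line.  ssh-add -l prints "bits fingerprint comment (type)".
keys_in_agent() {
    SSH_AUTH_SOCK=$DEMO_DIR/$1.agent ssh-add -l | awk '{ print $3 }'
}

# host_stanza ALIAS HOSTNAME NAME: ~/.ssh/config stanza that both authenticates
# with and forwards the agent on NAME.agent (ForwardAgent accepts a socket
# path in OpenSSH 8.2 and later).
host_stanza() {
    printf 'Host %s\n    HostName %s\n    ForwardAgent %s\n    IdentityAgent %s\n' \
        "$1" "$2" "$DEMO_DIR/$3.agent" "$DEMO_DIR/$3.agent"
}

# Throwaway keys; -C sets the comment that ssh-add -l will show.
ssh-keygen -q -t ed25519 -N '' -C home_rsa -f "$DEMO_DIR/home_rsa"
ssh-keygen -q -t ed25519 -N '' -C work_rsa -f "$DEMO_DIR/work_rsa"

start_agent home "$DEMO_DIR/home_rsa"
start_agent work "$DEMO_DIR/work_rsa"

for name in home work; do
    echo "$name.agent holds: $(keys_in_agent "$name" | tr '\n' ' ')"
done
host_stanza work work.example.com work
host_stanza home home.example.com home
```

The check that matters is the `ssh-add -l` run against each socket: a remote host that receives the forwarded work.agent socket can only ever enumerate or sign with what that listing shows. Note that `ForwardAgent` with a path needs OpenSSH 8.2 or later on the client; older clients only accept yes/no and forward whatever $SSH_AUTH_SOCK points at.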
I've found that running ssh from the command line on my system behaves differently from running it through the ~/.ssh/config file. But I'm not sure how to fix it or if it's a problem with the program itself.
I have a server (blueberry.local) and a client (xps.local). Both have a user named bob. Both can resolve each other with the host command from either box.
The server is running sshd with the following configuration (/etc/ssh/sshd_config):
UsePAM yes
Banner none
AddressFamily any
Port 22
X11Forwarding no
PermitRootLogin no
GatewayPorts no
PasswordAuthentication no
KbdInteractiveAuthentication no
PrintMotd no
AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LogLevel INFO
UseDNS no
And from my client I'm running ssh with this configuration (~/.ssh/config):
Host blueberry.stark.local
    Port 22
    HostName blueberry.local
    IdentityFile ~/.ssh/blueberry_rsa
    IdentitiesOnly yes
When running ssh from the command line like this:
ssh bob@blueberry.local -i ~/.ssh/blueberry_rsa
The command works and I can successfully connect via ssh to the server.
However, when running ssh from the command line using the client configuration like this:
ssh bob@blueberry.local
I get an authentication error:
bob@blueberry.local: Permission denied (publickey).
What's going on here? I've tried to remove configuration properties and the like but it never works.
What's even stranger is that I have another client configuration just like that that works without any issues at all...
The issue is likely caused by two factors:
Based on your example command, your Host and HostName values are mixed up:
Host <this should be what you type on the CLI>
...
HostName <The real hostname of the server>
...
This means ssh isn't actually going to use any of the configuration you provided. Making the following change should work.
Host blueberry.local
    Port 22
    HostName blueberry.stark.local
    IdentityFile ~/.ssh/blueberry_rsa
    IdentitiesOnly yes
This is most likely if the following command works with the configuration you posted:
ssh bob@blueberry.stark.local
If you expected ssh to just try all of your private keys until it found the right one (~/.ssh/blueberry_rsa), it's likely you haven't added it to your ssh-agent (you can confirm by running ssh-add -L and checking the output).
By default ssh will check these paths, then any additional keys in the agent:
~/.ssh/id_rsa
~/.ssh/id_ecdsa
~/.ssh/id_ecdsa_sk
~/.ssh/id_ed25519
~/.ssh/id_ed25519_sk
~/.ssh/id_xmss
~/.ssh/id_dsa
It's likely you only have ~/.ssh/id_rsa in your agent which is what is throwing the
When in trouble, it's always helpful to run ssh -vvv <rest of your command> to see what's happening under the hood 😉.
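A check that catches both the Host/HostName mix-up above and the wildcard-alias question at the top of the page without opening a connection, added here as an example and not part of either answer: `ssh -G` (OpenSSH 6.8 and later) prints the configuration ssh would apply to a given destination, so you can see which Host stanza matched and which identity files would be offered. The three config files are constructed to mirror the ones posted (the bitbucket* aliases from the first question, and the blueberry stanza both as posted and as corrected); the hostnames and key paths are those from the posts, the key files need not exist, and nothing is contacted over the network.

```shell
#!/bin/sh
# Added example (not from the answers above): use `ssh -G` to print the
# configuration ssh would apply to a destination, without connecting, and
# check which Host stanza matched and which keys would be offered.  The
# config files are constructed copies of the ones posted on this page.
set -eu

WORK_DIR=$(mktemp -d)
trap 'rm -rf "$WORK_DIR"' EXIT

# First question: two aliases plus a wildcard stanza.  ssh keeps the first
# value it sees for each keyword, so "bitbucket-work" gets work_rsa from its
# own stanza and HostName/User from the bitbucket* stanza that also matches.
cat > "$WORK_DIR/bitbucket.config" <<'EOF'
Host bitbucket
    IdentityFile ~/.ssh/home_rsa
Host bitbucket-work
    IdentityFile ~/.ssh/work_rsa
Host bitbucket*
    HostName bitbucket.com
    User git
EOF

# Second question, as posted: Host holds the real name and HostName the alias,
# so typing "blueberry.local" matches nothing and the stanza is never used.
cat > "$WORK_DIR/swapped.config" <<'EOF'
Host blueberry.stark.local
    Port 22
    HostName blueberry.local
    IdentityFile ~/.ssh/blueberry_rsa
    IdentitiesOnly yes
EOF

# Same stanza with Host (what you type) and HostName (where ssh connects)
# the right way round.
cat > "$WORK_DIR/fixed.config" <<'EOF'
Host blueberry.local
    Port 22
    HostName blueberry.stark.local
    IdentityFile ~/.ssh/blueberry_rsa
    IdentitiesOnly yes
EOF

# resolve CONFIG DEST KEYWORD: the value(s) ssh would use for KEYWORD when run
# as `ssh -F CONFIG DEST`.  -F also stops /etc/ssh/ssh_config from being read,
# so the result depends only on CONFIG.  Keywords print in lower case; multi-
# valued ones such as identityfile come back one per line.
resolve() {
    ssh -F "$1" -G "$2" | awk -v k="$3" '$1 == k { $1 = ""; sub(/^ /, ""); print }'
}

# has_value CONFIG DEST KEYWORD NEEDLE: true if NEEDLE appears in one of the
# resolved values (substring match, so "~/.ssh/x" and an expanded path both hit).
has_value() {
    resolve "$1" "$2" "$3" | grep -qF "$4"
}

for dest in bitbucket bitbucket-work; do
    printf '%-15s -> hostname %s, user %s, identityfile %s\n' "$dest" \
        "$(resolve "$WORK_DIR/bitbucket.config" "$dest" hostname)" \
        "$(resolve "$WORK_DIR/bitbucket.config" "$dest" user)" \
        "$(resolve "$WORK_DIR/bitbucket.config" "$dest" identityfile)"
done
for cfg in swapped fixed; do
    printf '%s config: ssh bob@blueberry.local -> hostname %s, identityfile %s\n' "$cfg" \
        "$(resolve "$WORK_DIR/$cfg.config" bob@blueberry.local hostname)" \
        "$(resolve "$WORK_DIR/$cfg.config" bob@blueberry.local identityfile | tr '\n' ' ')"
done
```

With the swapped config the identityfile list for bob@blueberry.local is just the built-in defaults (~/.ssh/id_rsa and friends) and identitiesonly stays no, which is exactly the "tries every key but the right one" behaviour the answer describes; with the fixed config only ~/.ssh/blueberry_rsa is listed. `ssh -G` is the offline counterpart of the `ssh -vvv` run recommended above: use it to confirm what will be offered before a connection attempt, and `-vvv` to see what the server actually rejected.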
I've tried a multitude of things to get this working but despite having the AddKeysToAgent variable set to yes in my ssh_config the keys are not getting added.
This is my ssh-config:
Host *
    AddKeysToAgent yes
Host remote
    HostName /*hostname for remote here*/
    User dcaglar2
    IdentityFile ~/.ssh/personal_laptop
    IdentitiesOnly yes
Host git
    HostName github.com
    User git
    IdentityFile ~/.ssh/git
    IdentitiesOnly yes
and running
ssh-add -l
returns
The agent has no identities.
I've checked the man pages ssh, ssh_config, but wasn't able to find anything.
I know that I can add a line to my .bashrc as a substitute but I just want to know what's wrong at this point.
From the description of AddKeysToAgent in the ssh_config manual:
If this option is set to yes and a key is loaded from a file, the key and its passphrase are added to the agent with the default lifetime, as if by ssh-add(1).
If I'm not mistaken, a key will be added to the agent the first time it's used. So try connecting to a remote and then run ssh-add -l again, you should then see the corresponding key in the output.
I have a question regarding port forwarding in combination with ProxyJump in my SSH config:
Is it possible to make use of DynamicForward from the host used as proxy? Here's my config:
Host proxy
    HostName proxy.private.com
    User user
    IdentityFile ~/path/to/file
    DynamicForward 3000
Host target
    HostName target.somewhere.com
    User user
    IdentityFile ~/path/to/file
    ProxyJump proxy
It does not work with this config, but this would be exactly what I need.
Any tips on how to get it to work?
If there is nothing preventing you from using ProxyCommand you can most likely use this approach:
In your ~/.ssh/config file:
Host target
    HostName target.somewhere.com
    User target-user
    IdentityFile ~/path/to/target-user-file
    ProxyCommand ssh -A <proxy-user>@<proxy-host> -i <proxy-user-key> -W %h:%p
    DynamicForward 3000
You can then run this command on your local machine:
ssh target -D 3000
I was able to test this by running this command locally and retrieving the public IP of the target host:
curl -x socks5h://localhost:3000 https://ifconfig.me/
Useful links I read:
More details on these use cases can be found here
Detail on this very approach can be found on this site (sadly not in English nor over HTTPS)
You can probably define another Host on top to avoid having to mess with ssh parameters each time. This would be done by using CanonicalizeHostname, but I couldn't manage to do it. An alias might be more interesting at that point?
I'm on my work computer, which is already [successfully] configured to connect to our GitHub account and authenticate our commits using SSH and GPG keys, respectively. Before I began changing things, my original ~/.ssh/config file was this:
Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_rsa
To add my personal account, I generated a new SSH key (~/.ssh/id_rsa_personal), added the .pub part to my personal GitHub account, and modified my ~/.ssh/config file to the following:
# Default
Host *
    AddKeysToAgent yes
    UseKeychain yes
# Personal
Host github.com-PERSONAL
    HostName github.com
    User git
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_rsa_personal
# Work
Host github.com
    HostName github.com
    IdentityFile ~/.ssh/id_rsa
After this change, I am still able to interact with my work account without a problem – nothing has changed. However, when I attempt to interact with my personal account using
git clone git@github-PERSONAL:nikblanchet/myrepository.git
, I am getting an error message:
Cloning into 'myrepository'...
ssh: Could not resolve hostname github-personal: nodename nor servname provided, or not known
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
To narrow down the issue, I decided to try a simple SSH authentication
ssh -T git@github.com-PERSONAL
, and, surprisingly, it worked!
Hi nikblanchet! You've successfully authenticated, but GitHub does not provide shell access.
(Running ssh -T git@github.com authenticated with my work account, as expected.)
So now I'm lost. Why can ssh -T resolve the hostname while git clone cannot? What did I miss?
Your URL should be:
github.com-PERSONAL:nikblanchet/myrepository.git
You tried first
git@github-PERSONAL:nikblanchet/myrepository.git
That is why it was not able to resolve github-PERSONAL, which is not in your config file.
github.com-PERSONAL is.
Note: no need to add the git@ part: your config file does specify the User git already.
I have some problems with the ssh proxycommand. The authentication on the proxy works fine, but when i want to login to the remote-host it fails. The problem seems to be, that the proxy tries to login with my local rsa_key and not with the key stored on the proxy. Is there a way to fix this?
This is what I want:
Local -- local rsa --> Proxy -- proxy rsa --> host
The Config-file I use:
Host 192.168.178.32
    HostName 192.168.178.32
    User user
    Port 22
    IdentityFile ~/.ssh/id_rsa.pub
Host 192.168.178.30
    HostName 192.168.178.30
    User user
    Port 22
    IdentityFile home/user/.ssh/id_rsa.pub
    ProxyCommand ssh -W %h:%p -F ssh_config -p 22 192.168.178
The problem seems to be, that the proxy tries to login with my local rsa_key and not with the key stored on the proxy.
Yes. It does. It is by design. You don't want to copy private keys over to the proxies. Proxy command will always authenticate from your local host.
There are two ways out:
Copy the key to your local host and configure it to be used.
Don't use ProxyCommand and do the simple ssh:
ssh -t proxy ssh host
It will use the authentication from the second host.