Select ssh key from ssh-agent?


Select ssh key from ssh-agent?

Paul Suh-2
Folks,

I’m not sure this is the right place to ask, but I hope someone can point me in the right direction.

When using ssh with keys that are in files on the local host, you can specify which key is used for the connection by using the -i option and giving the path to the key file.

However, if you are loading multiple keys into ssh-agent and forwarding keys to other hosts, there doesn’t seem to be a way to select which key will be presented to the destination by the ssh client. The -i option does not find the original key file of course (since it’s on another machine) and there doesn’t seem to be an option to tell ssh-agent which key to present.

The particular case I’m working with is using git with bitbucket.org, where user accounts are identified by the key. I have two accounts that have two different keys, and when I’m logged into another server via ssh I can only access one BitBucket account since that’s the one whose keys ssh-agent presents first.

I can think of a couple of workarounds, but I also wanted to see if I’m missing something.


—Paul



Re: Select ssh key from ssh-agent?

Stuart Henderson
On 2020-05-21, Paul Suh <[hidden email]> wrote:
> However, if you are loading multiple keys into ssh-agent and forwarding keys to other hosts, there doesn’t seem to be a way to select which key will be presented to the destination by the ssh client.

See IdentitiesOnly.

> The particular case I’m working with is using git with bitbucket.org, where user accounts are identified by the key. I have two accounts that have two different keys, and when I’m logged into another server via ssh I can only access one BitBucket account since that’s the one whose keys ssh-agent presents first.

You may find it useful to set Host blocks in .ssh/config with
IdentityFile, e.g. (untested but I think it's right):

IdentitiesOnly yes

Host bitbucket-foo
  User git
  HostName bitbucket.org
  IdentityFile ~/.ssh/bb-foo.ed25519
  ControlMaster auto
  ControlPersist 30
  ControlPath /tmp/ssh.bitbucket-foo

Host bitbucket-bar
  User git
  HostName bitbucket.org
  IdentityFile ~/.ssh/bb-bar.ed25519
  ControlMaster auto
  ControlPersist 30
  ControlPath /tmp/ssh.bitbucket-bar



Re: Select ssh key from ssh-agent?

Paul Suh-2


> On May 22, 2020, at 3:35 AM, Stuart Henderson <[hidden email]> wrote:
>
> On 2020-05-21, Paul Suh <[hidden email]> wrote:
>> However, if you are loading multiple keys into ssh-agent and forwarding keys to other hosts, there doesn’t seem to be a way to select which key will be presented to the destination by the ssh client.
>
> See IdentitiesOnly.
>
>> The particular case I’m working with is using git with bitbucket.org, where user accounts are identified by the key. I have two accounts that have two different keys, and when I’m logged into another server via ssh I can only access one BitBucket account since that’s the one whose keys ssh-agent presents first.
>
> You may find it useful to set Host blocks in .ssh/config with
> IdentityFile, e.g. (untested but I think it's right):
>
> IdentitiesOnly yes
>
> Host bitbucket-foo
>  User git
>  HostName bitbucket.org
>  IdentityFile ~/.ssh/bb-foo.ed25519
>  ControlMaster auto
>  ControlPersist 30
>  ControlPath /tmp/ssh.bitbucket-foo
>
> Host bitbucket-bar
>  User git
>  HostName bitbucket.org
>  IdentityFile ~/.ssh/bb-bar.ed25519
>  ControlMaster auto
>  ControlPersist 30
>  ControlPath /tmp/ssh.bitbucket-bar

Stuart,

Thanks for your kind assistance. Do these go into the .ssh/config file on my local host (where I’m physically typing), on the server that I’m connected to, or both? I haven’t used the ControlMaster option before.


—Paul




Re: Select ssh key from ssh-agent?

Stuart Henderson
On 2020/05/22 15:09, Paul Suh wrote:

>
>
> > On May 22, 2020, at 3:35 AM, Stuart Henderson <[hidden email]> wrote:
> >
> > On 2020-05-21, Paul Suh <[hidden email]> wrote:
> >> However, if you are loading multiple keys into ssh-agent and forwarding keys to other hosts, there doesn’t seem to be a way to select which key will be presented to the destination by the ssh client.
> >
> > See IdentitiesOnly.
> >
> >> The particular case I’m working with is using git with bitbucket.org, where user accounts are identified by the key. I have two accounts that have two different keys, and when I’m logged into another server via ssh I can only access one BitBucket account since that’s the one whose keys ssh-agent presents first.
> >
> > You may find it useful to set Host blocks in .ssh/config with
> > IdentityFile, e.g. (untested but I think it's right):
> >
> > IdentitiesOnly yes
> >
> > Host bitbucket-foo
> >  User git
> >  HostName bitbucket.org
> >  IdentityFile ~/.ssh/bb-foo.ed25519
> >  ControlMaster auto
> >  ControlPersist 30
> >  ControlPath /tmp/ssh.bitbucket-foo
> >
> > Host bitbucket-bar
> >  User git
> >  HostName bitbucket.org
> >  IdentityFile ~/.ssh/bb-bar.ed25519
> >  ControlMaster auto
> >  ControlPersist 30
> >  ControlPath /tmp/ssh.bitbucket-bar
>
> Stuart,
>
> Thanks for you kind assistance. Do these go into the .ssh/config file on my local host (where I’m physically typing), on the server that I’m connected to, or both? I haven’t used the ControlMaster option before.

Ahh I just realised that you might be wanting to use agent-forwarded
keys to connect to bitbucket. What I described should work if you have
local keys on the server where you run the git commands but it's not
using them because it's using a key from the agent that you don't
want it to use - but if you're trying to use one of several agent
keys then I'm not sure if it will be possible.

ControlMaster is optional but if you're running multiple commands
against a server it will keep the session open for a configurable time,
so it will avoid some delays (but if you're doing that you will
need to make sure it uses a different ControlPath for each separate
bitbucket login).


Re: Select ssh key from ssh-agent?

David A. Pocock-2
In reply to this post by Paul Suh-2
Consider:

workstation$ eval $(ssh-agent)
workstation$ ssh-add ~/.ssh/my_primary_key
workstation$ ssh-add ~/.ssh/my_secondary_key
workstation$ ssh-add -l
        xxxx hash /home/user/.ssh/my_primary_key
        xxxx hash /home/user/.ssh/my_secondary_key

workstation$ ssh -A intermediaryhost

intermediaryhost$ ssh-add -l
        xxxx hash /home/user/.ssh/my_primary_key
        xxxx hash /home/user/.ssh/my_secondary_key

intermediaryhost$ ls ~/.ssh/
        <empty>

# So, even though these keys *are not on "intermediaryhost":
intermediaryhost$ ssh -i /home/user/.ssh/my_primary_key targethostA
intermediaryhost$ ssh -i /home/user/.ssh/my_secondary_key targethostB

If you do the above ssh's with -vv you will see like:
debug1: Will attempt key: /home/user/.ssh/my_primary_key RSA hash explicit agent
debug1: Will attempt key: /home/user/.ssh/my_secondary_key RSA hash agent
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA hash explicit

You can go one step further and configure these using Host/IdentityFile
in your ~/.ssh/config *even if the files do not exist on your
intermediary machine*.



Re: Select ssh key from ssh-agent?

Paul Suh-2
On May 22, 2020, at 10:08 PM, David A. Pocock <[hidden email]> wrote:

>
> Consider:
>
> workstation$ eval $(ssh-agent)
> workstation$ ssh-add ~/.ssh/my_primary_key
> workstation$ ssh-add ~/.ssh/my_secondary_key
> workstation$ ssh-add -l
> xxxx hash /home/user/.ssh/my_primary_key
> xxxx hash /home/user/.ssh/my_secondary_key
>
> workstation$ ssh -A intermediaryhost
>
> intermediaryhost$ ssh-add -l
> xxxx hash /home/user/.ssh/my_primary_key
> xxxx hash /home/user/.ssh/my_secondary_key
David,

It doesn’t seem to work. When I do an ssh-add -l I get file paths only for rsa keys, not ecdsa keys. I’m running OpenSSH 8.1 (OpenBSD 6.6 - yes I need to run sysupgrade), 8.1p1 (macOS 10.15.4), and 8.2p1 (Ubuntu server 20.04 LTS).

In any case I tried specifying the original key file paths to ssh on my intermediate server

> ssh -v -i /Users/myusername/.ssh/id_ecdsa [hidden email]


but got the warning:

> Warning: Identity file /Users/myusername/.ssh/id_ecdsa not accessible: No such file or directory.

According to the debug trace, the authentication then went through using a different key from my ssh-agent’s store.


—Paul




Re: Select ssh key from ssh-agent?

Paul Suh-2
In reply to this post by Stuart Henderson


> On May 22, 2020, at 11:45 AM, Stuart Henderson <[hidden email]> wrote:
>
> Ahh I just realised that you might be wanting to use agent-forwarded
> keys to connect to bitbucket. What I described should work if you have
> local keys on the server where you run the git commands but it's not
> using them because it's using a key from the agent that you don't
> want it to use - but if you're trying to use one of several agent
> keys then I'm not sure if it will be possible.

Also, I noticed something which I think is working as intended, but seems odd. When I ssh to the intermediate server, I can do an ssh-add on there to load up a key that is only on the intermediate server. That key then is held in the ssh-agent on my workstation.

After I disconnect from the intermediate server, the ssh-agent on my workstation retains the key and can use it for authentication to other hosts. I get why this happens, but it seems a little paradoxical. There also doesn’t seem to be a way to delete the key from the ssh-agent on the workstation after I disconnect (other than using ssh-add -D to blow away all of the keys.)


—Paul



Re: Select ssh key from ssh-agent?

David A. Pocock-2
In reply to this post by Paul Suh-2
I can't relate; doing this from OpenBSD 6.7 to OpenBSD 6.7, the ecdsa keys forward
through and show up via ssh-add without any issues (and allow using the
intermediary host without having the keys present, and being able to choose
keys as per the initial question).

I was also able to do this over to a MacOS system which also handled the
scenario excellently as described above and handled ECDSA just as well.


Re: Select ssh key from ssh-agent?

Markus Wernig
On 5/24/20 3:55 AM, David A. Pocock wrote:
> I can't relate; doing this from OpenBSD 6.7 to OpenBSD 6.7, the ecdsa keys forward
> through and show up via ssh-add without any issues (and allow using the
> intermediary host without having the keys present, and being able to choose
> keys as per the initial question).

If you want to use a specific agent-forwarded key on the intermediary
host, you can put the public key (sic!) in a file on the intermediary
host and use that file with the -i option or in the config file. The
private key for doing the signature during authentication is then
automatically selected from the agent.

/m
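The two halves of the answer in this thread, Stuart's per-account Host blocks with IdentitiesOnly and Markus's point that only the public key has to exist on the intermediary host, combined into one script. This is an added example, not code from anyone in the thread. It is meant to be run on the intermediary host with a forwarded agent: it picks exactly one key out of `ssh-add -L` by its comment, writes that public key to a file, and pins a Host alias to it so ssh offers that key and nothing else. The alias names, the `bb-foo`/`bb-bar` comment patterns and the key lines used for checking are constructed for illustration; `ssh-add -L`, `IdentitiesOnly` and a public-key-only `IdentityFile` are real OpenSSH behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): pin one agent-forwarded key per
# Bitbucket account on the intermediary host. Only the PUBLIC key is written
# to disk here; the signature during authentication comes from the forwarded
# agent, so the private key never leaves the workstation.

# pick_agent_pubkey PATTERN
#   Reads `ssh-add -L` output on stdin and prints the single public-key line
#   whose comment field matches PATTERN (an awk regex). Fails if zero or
#   several keys match, so an ambiguous pattern can never silently select
#   the wrong account's key.
pick_agent_pubkey() {
    awk -v pat="$1" '
        {
            # comment = everything after "<keytype> <base64>"
            comment = $0
            sub(/^[^ ]+ [^ ]+ ?/, "", comment)
            if (comment ~ pat) hits[n++] = $0
        }
        END {
            if (n != 1) {
                printf "pick_agent_pubkey: %d keys match \"%s\"\n", n, pat > "/dev/stderr"
                exit 1
            }
            print hits[0]
        }'
}

# pinned_host_block ALIAS HOSTNAME USER PUBKEY_PATH
#   Prints a ~/.ssh/config Host block. IdentitiesOnly yes stops ssh from
#   offering the other agent keys; IdentityFile naming a .pub file makes ssh
#   look up the matching private key in the agent (ssh_config(5), IdentityFile).
pinned_host_block() {
    printf 'Host %s\n  HostName %s\n  User %s\n  IdentitiesOnly yes\n  IdentityFile %s\n\n' \
        "$1" "$2" "$3" "$4"
}

# pin_account ALIAS PATTERN SSHDIR [HOSTNAME] [USER]
#   stdin: `ssh-add -L` output. Writes SSHDIR/ALIAS.pub and appends a pinned
#   Host block to SSHDIR/config. Refuses to overwrite an existing .pub so a
#   second run cannot quietly re-point an alias at a different account.
pin_account() {
    host_alias=$1 pattern=$2 sshdir=$3
    hostname=${4:-bitbucket.org}   # constructed defaults for this example
    user=${5:-git}
    pubfile="$sshdir/$host_alias.pub"
    if [ -e "$pubfile" ]; then
        echo "pin_account: $pubfile already exists, not overwriting" >&2
        return 1
    fi
    key=$(pick_agent_pubkey "$pattern") || return 1
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    printf '%s\n' "$key" > "$pubfile"
    pinned_host_block "$host_alias" "$hostname" "$user" "$pubfile" >> "$sshdir/config"
    chmod 600 "$sshdir/config"
}

# Usage on the intermediary host, once per account:
#   sh pin-key.sh bitbucket-foo 'bb-foo' "$HOME/.ssh"
#   sh pin-key.sh bitbucket-bar 'bb-bar' "$HOME/.ssh"
# then: git clone bitbucket-foo:workspace/repo.git   (path is a placeholder)
if [ $# -gt 0 ]; then
    ssh-add -L | pin_account "$@"
fi
```

Check the result with `ssh -v bitbucket-foo` on the intermediary host: the debug output should show a single "Will attempt key" line for `~/.ssh/bitbucket-foo.pub` marked `explicit agent`, and no other agent keys offered. Two caveats worth knowing. If you add Stuart's ControlMaster lines to these blocks, give each alias its own ControlPath (for example with the `%n` token, the alias as typed), not one built from `%h`, `%r` or `%C`: both aliases resolve to the same HostName, user and port, so those tokens produce the same socket and the second account would silently reuse the first account's multiplexed connection. And the same public-key file answers the later question in the thread about removing a single key: `ssh-add -d ~/.ssh/bitbucket-foo.pub` removes just that identity from the agent, without the `ssh-add -D` sledgehammer.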