Using the IdentityFile directive in ssh_config when AgentForwarding is in use
Is it possible to specify forwarded keys using the IdentityFile directive in .ssh/config?
I ran into this quirk when trying to deploy some code via Capistrano/GIT on our production server. Both my personal and my work GIT keys are always loaded in my SSH agent and it just so happened that my personal key was added to the agent first. I use agent forwarding when deploying with Capistrano so when the host tried to authenticate the `git pull` operation it failed with the following error:
ERROR: Permission to `some repo` denied to `your user`.
because it attempted to authenticate using my personal git key before trying the appropriate key (which came later in the ssh agent) and assumed that I was accessing a foreign repo which I don't have permission to access. I can potentially just give my personal user access to every work repo but on my local machine I can get around this problem by defining custom domains in .ssh/config like so:
Host personal.github.com
Hostname github.com
User git
IdentityFile ~/.ssh/some_key
Host work.github.com
Hostname github.com
User git
IdentityFile ~/.ssh/some_other_key
and this way git never gets confused. Is it possible to create .ssh/config rules for forwarded keys on my production boxes so they always know which key to use when pulling in new code? Basically I want to be able to do:
Host work.github.com
Hostname github.com
User git
IdentityFile some_forwarded_key
Thanks!
Solution 1:
You can use the public part of a key to to specify which private key you want to use from the forwarded agent. This requires creating an extra file (the public part of the key) on any “intermediate” machines (machines to which you forward your local ssh-agent).
-
Arrange for the intermediate machine to have a copy of the public part of the desired key in a convenient location (e.g.
~/.ssh/some_other_key.pub
).From any machine that already has the public part of the key:
scp some_other_key.pub intermediate:.ssh/
or, on the intermediate machine:
ssh-add -L | grep something_unique > ~/.ssh/some_other_key.pub
You may want to edit the trailing “comment” part of the public key to better identify the key’s origin/owner/purpose (or attempt to hide the same).
Use the pathname to the above public key file with
-i
orIdentityFile
.You may also need to use
IdentitiesOnly yes
(in.ssh/config
or-o
) to keep ssh from trying to offer any additional identities from your forwarded agent.