In which order does OpenSSH try private keys?
Solution 1:
I know about the -v, -vv etc. options, but I'd like to know before I try how ssh is going to behave. There must be a saner method to find out than trial and error.
Use the source, Luke!
OpenSSH is open source so instead of trial-error, you can read the code to get better understanding what is going on there. ssh.c
is a good place to start. It has a function load_public_identity_files(void)
, which takes care of this. In the first place, the keys from PKCS#11 (Smartcard, HSM) are used:
(nkeys = pkcs11_add_provider(options.pkcs11_provider, NULL,
and then the keys provided by options.identity_files
:
for (i = 0; i < options.num_identity_files; i++) {
This variable is set in readconf.c
:
if (options->num_identity_files == 0) {
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
#ifdef OPENSSL_HAS_ECC
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
#endif
add_identity_file(options, "~/",
_PATH_SSH_CLIENT_ID_ED25519, 0);
}
The real paths of the files are defined in pathnames.h
:
#define _PATH_SSH_USER_DIR ".ssh"
[...]
#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa"
#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa"
#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa"
#define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519"
To the background question:
This is exactly why the IdentitiesOnly
option exists and why you should use it in the ~/.ssh/config
if you have more than one key to manage. The ssh-agent
identities are used after the default ones.
Solution 2:
If you want to see how SSH client tries private keys for authenticating against a server, you can run it with -v option.
In my case it looks like:
debug1: Trying private key: /Users/atolkachev/.ssh/id_rsa
debug1: Trying private key: /Users/atolkachev/.ssh/id_dsa
debug1: Trying private key: /Users/atolkachev/.ssh/id_ecdsa
debug1: Trying private key: /Users/atolkachev/.ssh/id_ed25519