In which order does OpenSSH try private keys?

Solution 1:

I know about the -v, -vv etc. options, but I'd like to know before I try how ssh is going to behave. There must be a saner method to find out than trial and error.

Use the source, Luke!

OpenSSH is open source, so instead of trial and error you can read the code to get a better understanding of what is going on there. ssh.c is a good place to start. It has a function load_public_identity_files(void), which takes care of this. First, the keys from PKCS#11 (smartcard, HSM) are used:

(nkeys = pkcs11_add_provider(options.pkcs11_provider, NULL,

and then the keys provided by options.identity_files:

for (i = 0; i < options.num_identity_files; i++) {

This variable is set in readconf.c:

if (options->num_identity_files == 0) {
    add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
    add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
#ifdef OPENSSL_HAS_ECC
    add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
#endif
    add_identity_file(options, "~/",
        _PATH_SSH_CLIENT_ID_ED25519, 0);
}

The real paths of the files are defined in pathnames.h:

#define _PATH_SSH_USER_DIR  ".ssh"
[...]
#define _PATH_SSH_CLIENT_ID_DSA     _PATH_SSH_USER_DIR "/id_dsa"
#define _PATH_SSH_CLIENT_ID_ECDSA   _PATH_SSH_USER_DIR "/id_ecdsa"
#define _PATH_SSH_CLIENT_ID_RSA     _PATH_SSH_USER_DIR "/id_rsa"
#define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519"

To the background question:

This is exactly why the IdentitiesOnly option exists and why you should use it in ~/.ssh/config if you have more than one key to manage. The ssh-agent identities are used after the default ones.

Solution 2:

If you want to see how the SSH client tries private keys when authenticating against a server, you can run it with the -v option.

In my case it looks like:

debug1: Trying private key: /Users/atolkachev/.ssh/id_rsa
debug1: Trying private key: /Users/atolkachev/.ssh/id_dsa
debug1: Trying private key: /Users/atolkachev/.ssh/id_ecdsa
debug1: Trying private key: /Users/atolkachev/.ssh/id_ed25519
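The following is an added example and not code from either answer or from OpenSSH itself. It puts the two answers to work: the first function recovers the order in which the client tried identities from a saved `ssh -v` transcript (Solution 2), and the second lints an ssh_config for Host blocks that pin an IdentityFile but do not set IdentitiesOnly yes, which is the situation Solution 1 warns about. The transcript, the config, the user name alice, the host names and the fingerprints are all constructed for this example; the exact wording of the "Offering ... public key" lines is an assumption, since it differs between OpenSSH versions, so adjust the sed patterns to your client's output.

```shell
#!/bin/sh
# Added example, not from the original answers or from OpenSSH. All sample
# data is constructed; no real hosts, users or keys are involved.

# Print the identity paths in the order the client tried them, reading a saved
# `ssh -v` transcript from file $1. Older clients log
# "Trying private key: <path>", newer ones "Offering [...] public key: <path> ..."
# (assumed formats). A key seen twice (e.g. once via the agent, once from disk)
# is printed once, at the position of its first attempt.
key_order() {
    sed -n -e 's/^debug1: Trying private key: \([^ ]*\).*/\1/p' \
           -e 's/^debug1: Offering [A-Za-z0-9 ]*public key: \([^ ]*\).*/\1/p' "$1" \
    | awk '!seen[$0]++'
}

# Print the first pattern of every Host block in ssh_config $1 that sets an
# IdentityFile without also setting "IdentitiesOnly yes". In such blocks the
# agent's keys and the compiled-in defaults can still be offered ahead of, or
# instead of, the pinned key.
hosts_missing_identities_only() {
    awk '
        function flush() { if (host != "" && idfile && !only) print host }
        tolower($1) == "host" { flush(); host = $2; idfile = 0; only = 0; next }
        tolower($1) == "identityfile" { idfile = 1 }
        tolower($1) == "identitiesonly" && tolower($2) == "yes" { only = 1 }
        END { flush() }
    ' "$1"
}

# Write the constructed sample transcript and config into directory $1.
write_samples() {
    cat > "$1/ssh-v.log" <<'EOF'
debug1: Offering public key: /home/alice/.ssh/work_ed25519 ED25519 SHA256:AAAA agent
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/alice/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/alice/.ssh/id_rsa
debug1: Trying private key: /home/alice/.ssh/id_dsa
debug1: Trying private key: /home/alice/.ssh/id_ecdsa
debug1: Trying private key: /home/alice/.ssh/id_ed25519
EOF
    cat > "$1/config" <<'EOF'
Host gitlab
    HostName gitlab.example.com
    IdentityFile ~/.ssh/gitlab_ed25519
    IdentitiesOnly yes

Host bastion
    IdentityFile ~/.ssh/bastion_rsa

Host *
    AddKeysToAgent no
EOF
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "Keys tried, in order:"
    key_order "$dir/ssh-v.log"
    echo "Host blocks pinning a key without IdentitiesOnly yes:"
    hosts_missing_identities_only "$dir/config"
    rm -r "$dir"
}
main
```

For a live host, `ssh -G host` prints the configuration the client will actually use after evaluating Host and Match blocks, including every identityfile line in evaluation order, which answers the question without connecting anywhere; the transcript parser above is for after the fact, when all you have is the -v output.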