Generalize and refine SSH config proposed in README #12
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The IdentityFile value may contain parameters, like %h for the name
of the remote server. Using these parameters allows to look for keys
based on the name of the remote host, for example, connecting to
'whoami.filippo.io' will result in lookups for the following keys:
IdentityFile ~/.ssh/whoami.filippo.io.rsa
IdentityFile ~/.ssh/whoami.filippo.io.dsa
IdentityFile ~/.ssh/whoami.filippo.io.ecdsa
Fortunately, there is no need to set PubkeyAuthentication to no
in the general context of 'Host *' when using a generic configuration
for one key per server with parameters, also defined in the general
context of 'Host *'. Otherwise, usage of SSH keys would be forbidden
altogether.
I have set up an experiment with the SSH server whoami.filippo.io
to verify whether the leaking happened.
For reference, I am running the default SSH client on Ubuntu 12.04 LTS:
OpenSSH_5.9p1 Debian-5ubuntu1.7, OpenSSL 1.0.1 14 Mar 2012
Using the following configuration in ~/.ssh/config:
Host *
# Only use identity files, not any identity loaded in ssh-agent
#IdentitiesOnly yes
# Define pattern for the names of identity files by host
IdentityFile %d/.ssh/%h.rsa
IdentityFile %d/.ssh/%h.dsa
IdentityFile %d/.ssh/%h.ecdsa
with 'IdentitiesOnly yes' commented out, I ran `ssh whoami.filippo.io`
with my GitHub keys present in `id_rsa` and `id_rsa.pub`, et not present
in any other key (github.com.rsa et github.com.rsa.pub were removed).
The whosthere server successfully found my GitHub user name.
(and the result is the same with IdentitiesOnly set explicitly to no).
I then uncommented the line 'IdentitiesOnly yes' and ran the same command
`ssh whoami.filippo.io`, still with my GitHub keys only present as `id_rsa`
and `id_rsa.pub`, and the server failed to find my GitHub identity this time.
The conclusion of this experiment is that, when a key has been configured
explicitly using IdentityFile for the current host, and IdentitiesOnly is
set to yes, the default keys (id_rsa, ...) are not proposed to the server.
The option 'PubkeyAuthentication no' remains useful, however,
when IdentityFile directives are only given for a list of known servers,
and the default keys would be sent when connecting to an unknown server.
The 'IdentitiesOnly yes' directive is defined in a more general block 'Host *' above. Repeating it in a more specific block would have no effect, whether set to yes or no, cf `man ssh_config`: "For each parameter, the first obtained value will be used."
Quoting `man ssh_config`: "For each parameter, the first obtained value will be used. (...) Since the first obtained value for each parameter is used, more host-spe‐ cific declarations should be given near the beginning of the file, and general defaults at the end."
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I propose to use the host name parameter
%hto define a single, general configuration for separate keys for each host.Also, I clarified usage of
PubkeyAuthenticationandIdentitiesOnly: it is not necessary to disablePubkeyAuthenticationcompletely whenIdentitiesOnlyis set tonoand a general configuration is in place to define explicitIdentityFileoptions for any server.