Public bug reported:

(I'm using Ubuntu 10.10 amd64)

(batr...@neverwinter:~$ apt-cache policy ssh
ssh:
  Installed: 1:5.5p1-4ubuntu4
  Candidate: 1:5.5p1-4ubuntu4)

If the ~/.ssh/config file contains an IdentityFile, then ssh will ignore the one given on the command line switch (but still open and read it following strace). For example:

batr...@neverwinter:~$ cat $HOME/.ssh/config
CheckHostIP yes
Compression no
ConnectionAttempts 1
ConnectTimeout 5
HashKnownHosts yes
HostKeyAlgorithms ssh-rsa
IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
PreferredAuthentications password,keyboard-interactive,publickey

Using this command:

batr...@neverwinter:~$ ssh -i /home/batrick/.ssh/id_rsa.subversion batr...@svn.batbytes.com svnserve -t

The .ssh/id_rsa.subversion private key is unencrypted and used exclusively for secure svn access to my server (the authorized_keys on the server only allows executing svnserve). I also have another encrypted key (the usual .ssh/id_rsa) that I use to ssh into the box for general use. The above command *always* tries to use this .ssh/id_rsa private key despite my specifying the -i switch on the command line.

Here is the debug output for the above command with -v for verbose output:

batr...@neverwinter:~$ ssh -v -i /home/batrick/.ssh/id_rsa.subversion batr...@svn.batbytes.com svnserve -t
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/batrick/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to svn.batbytes.com [72.14.184.61] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: identity file /home/batrick/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'svn.batbytes.com' is known and matches the RSA host key.
debug1: Found key in /home/batrick/.ssh/known_hosts:25
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batrick/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: svnserve -t
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) )
^Cdebug1: channel 0: free: client-session, nchannels 1
debug1: Killed by signal 2.

You can see when the actual negotiation takes place it sends the public key for /home/batrick/.ssh/id_rsa instead of /home/batrick/id_rsa.subversion. I would argue this is a bug since a command line switch should always override a config file.

For completeness, I'll show that commenting out that config file line solves the problem:

batr...@neverwinter:~$ cat .ssh/config
CheckHostIP yes
Compression no
ConnectionAttempts 1
ConnectTimeout 5
HashKnownHosts yes
HostKeyAlgorithms ssh-rsa
#IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
PreferredAuthentications password,keyboard-interactive,publickey

batr...@neverwinter:~$ ssh -v -i /home/batrick/.ssh/id_rsa.subversion batr...@svn.batbytes.com svnserve -t
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/batrick/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to svn.batbytes.com [72.14.184.61] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'svn.batbytes.com' is known and matches the RSA host key.
debug1: Found key in /home/batrick/.ssh/known_hosts:25
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batrick/.ssh/id_rsa.subversion
debug1: Remote: Forced command: svnserve --tunnel --tunnel-user batrick --root /home/batrick/subversion/batrick
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: User rc file execution disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Remote: Forced command: svnserve --tunnel --tunnel-user batrick --root /home/batrick/subversion/batrick
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: User rc file execution disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: svnserve -t
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) )
^Cdebug1: channel 0: free: client-session, nchannels 1
debug1: Killed by signal 2.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
ssh does not honor -i switch with config file
https://bugs.launchpad.net/bugs/673313
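
A check for the mismatch shown in the two traces above, as an added example that is not part of the original report or of OpenSSH: it parses `ssh -v` output and compares the key the server accepted with the one passed to -i, and records whether the server announced a forced command. The function name audit_trace and the trimmed traces are constructed here from log lines in the report.

```python
import re

# Constructed samples: the authentication-relevant lines of the report's two traces.
TRACE_WITH_CONFIG = """\
debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: identity file /home/batrick/.ssh/id_rsa type 1
debug1: identity file /home/batrick/.ssh/id_rsa-cert type -1
debug1: Offering public key: /home/batrick/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Authentication succeeded (publickey).
"""
TRACE_WITHOUT_CONFIG = """\
debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: Offering public key: /home/batrick/.ssh/id_rsa.subversion
debug1: Remote: Forced command: svnserve --tunnel --tunnel-user batrick --root /home/batrick/subversion/batrick
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Authentication succeeded (publickey).
"""

IDENTITY = re.compile(r"^debug1: identity file (\S+) type (-?\d+)$")
OFFER = re.compile(r"^debug1: Offering public key: (\S+)")
FORCED = re.compile(r"^debug1: Remote: Forced command: (.+)$")

def audit_trace(trace, expected_key):
    """Summarise which identities were loaded, offered and accepted (hypothetical helper)."""
    loaded, offered, accepted, forced = [], [], None, None
    for line in trace.splitlines():
        if m := IDENTITY.match(line):
            if m.group(2) != "-1":          # type -1: no usable key at that path
                loaded.append(m.group(1))
        elif m := OFFER.match(line):
            offered.append(m.group(1))
        elif m := FORCED.match(line):
            forced = m.group(1)
        elif line.startswith("debug1: Server accepts key:") and offered:
            accepted = offered[-1]          # acceptance refers to the latest offer
    return {
        "loaded": loaded,
        "offered": offered,
        "accepted": accepted,
        "forced_command": forced,           # None means an unrestricted session
        "ok": accepted == expected_key,
    }

if __name__ == "__main__":
    want = "/home/batrick/.ssh/id_rsa.subversion"
    for name, trace in (("with IdentityFile", TRACE_WITH_CONFIG),
                        ("IdentityFile commented out", TRACE_WITHOUT_CONFIG)):
        print(name, audit_trace(trace, want))
```
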