Public bug reported:

"man ssh_config" claims that the "IdentityFile"s will be tried in sequence:

     IdentityFile
             Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read. The default is ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa. Additionally, any identities represented by the authentication agent will be used for authentication unless IdentitiesOnly is set. If no certificates have been explicitly specified by CertificateFile, ssh(1) will try to load certificate information from the filename obtained by appending -cert.pub to the path of a specified IdentityFile.

             Arguments to IdentityFile may use the tilde syntax to refer to a user's home directory or the tokens described in the TOKENS section.

             It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. Multiple IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configuration directives).

             IdentityFile may be used in conjunction with IdentitiesOnly to select which identities in an agent are offered during authentication. IdentityFile may also be used in conjunction with CertificateFile in order to provide any certificate also needed for authentication with the identity.

Yet it doesn't try them in the order specified ("id_ed25519-postfix" comes before "id_ed25519" in my "~/.ssh/config"):

    debug1: Connection established.
    debug1: identity file /home/user/.ssh/id_ed25519-postfix type 3
    debug1: identity file /home/user/.ssh/id_ed25519-postfix-cert type -1
    debug1: identity file /home/user/.ssh/id_ed25519 type 3
    debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
    ...
    debug1: Will attempt key: /home/user/.ssh/id_ed25519 ED25519 SHA256:<redacted> explicit agent
    debug1: Will attempt key: /home/user/.ssh/id_ed25519-postfix ED25519 SHA256:<redacted> explicit agent

This causes the wrong key to be used for login. This is especially problematic when using Git over SSH, which causes the server to report "repository doesn't exist", as the usernames are the same and the key dictates the account being logged in; instead of getting a "permission denied", the server gives out a more confusing message, misleading the direction the user goes to debug.

Ubuntu 22.04.1 with openssh-client 1:8.9p1-3

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1991427

Title:
  ssh doesn't offer identity files in the right order

Status in openssh package in Ubuntu:
  New
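The man page text quoted in the report already names the defence against this kind of surprise: pairing IdentityFile with IdentitiesOnly so that each host alias offers exactly one key, after which the order in which ssh or the agent tries identities cannot change which account you land in. The script below is an added example, not code from the bug report or from OpenSSH. It writes two constructed ssh_config files (the reporter's "two keys, one server" shape beside the per-alias form), and a small awk parser that lists the IdentityFile entries and the effective IdentitiesOnly value for an alias; the hostname git.example.com, the aliases, and the key paths are all made up, the parser handles only exact "Host" aliases and "Host *" (no other patterns, Match blocks or Include), and it reports what the config asks for, not the order ssh actually offers keys, which is the behaviour the report questions. The final step runs `ssh -G`, which prints the effective configuration without connecting, when an ssh binary is present.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenSSH.
# Hostnames, aliases and key paths below are constructed for illustration.
set -eu

EXAMPLE_DIR=$(mktemp -d)
EXAMPLE_CONFIG_BEFORE="$EXAMPLE_DIR/config.before"
EXAMPLE_CONFIG_AFTER="$EXAMPLE_DIR/config.after"

# BEFORE: the shape the report describes. Two keys, same server, same user;
# whichever key the server accepts first decides which account you get.
cat > "$EXAMPLE_CONFIG_BEFORE" <<'EOF'
Host git.example.com
    User git
    IdentityFile ~/.ssh/id_ed25519-postfix
    IdentityFile ~/.ssh/id_ed25519
EOF

# AFTER: one alias per account, one key per alias. IdentitiesOnly yes makes
# ssh offer only the listed IdentityFile even when the agent holds others,
# so the internal offer order no longer matters.
cat > "$EXAMPLE_CONFIG_AFTER" <<'EOF'
Host git-personal
    HostName git.example.com
    User git
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519

Host git-postfix
    HostName git.example.com
    User git
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519-postfix
EOF

# identity_files_for CONFIG ALIAS
# Prints the IdentityFile values that apply to ALIAS, in config order.
# Simplified parser (hypothetical helper): only an exact "Host ALIAS" or
# "Host *" block is matched; `ssh -G` is the authoritative view.
identity_files_for() {
    awk -v alias="$2" '
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++)
                if ($i == alias || $i == "*") active = 1
            next
        }
        active && tolower($1) == "identityfile" { print $2 }
    ' "$1"
}

# identities_only_for CONFIG ALIAS
# Prints "yes" or "no": the first IdentitiesOnly that applies wins, and
# the option defaults to "no" when it is not set anywhere.
identities_only_for() {
    awk -v alias="$2" '
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++)
                if ($i == alias || $i == "*") active = 1
            next
        }
        active && tolower($1) == "identitiesonly" && !seen {
            print tolower($2); seen = 1
        }
        END { if (!seen) print "no" }
    ' "$1"
}

# Stand-alone run: contrast the two configs.
printf 'BEFORE git.example.com (IdentitiesOnly=%s):\n' \
    "$(identities_only_for "$EXAMPLE_CONFIG_BEFORE" git.example.com)"
identity_files_for "$EXAMPLE_CONFIG_BEFORE" git.example.com | sed 's/^/    /'
for alias in git-personal git-postfix; do
    printf 'AFTER %s (IdentitiesOnly=%s):\n' "$alias" \
        "$(identities_only_for "$EXAMPLE_CONFIG_AFTER" "$alias")"
    identity_files_for "$EXAMPLE_CONFIG_AFTER" "$alias" | sed 's/^/    /'
done

# When ssh is installed, -G prints the effective config without connecting;
# the identityfile/identitiesonly lines are what ssh will actually use.
if command -v ssh >/dev/null 2>&1; then
    ssh -G -F "$EXAMPLE_CONFIG_AFTER" git-postfix | grep -i '^identit' || true
fi
```

With the per-alias form, a clone such as `git clone git-postfix:org/repo.git` can only ever present the postfix key, so a wrong-account login shows up as a key rejection rather than as the misleading "repository doesn't exist" the report describes. The BEFORE config still lists two keys for one host, which is exactly the situation in which the offer order decides the outcome.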