
How can I specify the order in which OpenSSH's SSH client (OpenSSH_7.5p1, OpenSSL 1.0.2k 26 Jan 2017; Git for Windows v2.11.1) offers the public/private key pairs to an SSH-compliant daemon such as Apache Mina SSHD (Gerrit Code Review service)? My intention is to try to authenticate with an Ed25519 public/private key pair before falling back to RSA.

Given the following standard Ed25519 and RSA public/private key pairs below the user's home directory:

  • ~/.ssh/id_ed25519{,.pub}
  • ~/.ssh/id_rsa{,.pub}

and the following Host sections in the user's SSH configuration file (~/.ssh/config):

Host foobar foobar.example.com
  Hostname foobar.example.com
  IdentityFile ~/.ssh/id_ed25519

Host *
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_rsa

when testing the SSH connection in debug mode:

$ ssh -Tv bob@foobar
debug1: Reading configuration data ~/.ssh/config
debug1: ~/.ssh/config line 49: Applying options for foobar
debug1: ~/.ssh/config line 63: Applying options for *
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ~/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: ~/.ssh/id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Authentication succeeded (publickey).

I can see that OpenSSH's SSH client offers the RSA public/private key pair first. But why not Ed25519 first?

  • Are both keys held by an SSH agent? Commented Jul 23, 2018 at 15:41
  • The reason I ask about the SSH agent is that OpenSSH offers keys from the agent first. Commented Jul 23, 2018 at 16:00
  • Yes, both keys are automatically added to an SSH agent after one was started during initialization of a Bash shell by one of its startup files. Commented Jul 23, 2018 at 18:20
  • Meanwhile I found the following exhaustive explanation: utcc.utoronto.ca/~cks/space/blog/sysadmin/SSHIdentitiesOffered Commented Jul 23, 2018 at 18:54

1 Answer


Add the IdentitiesOnly option. Without this option, SSH first tries the default SSH keys available: id_rsa, id_dsa, id_ecdsa. To change this behaviour, replace your config with this one:

Host foobar foobar.example.com
  Hostname foobar.example.com
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes

Host *
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes
  • Isn't the one IdentitiesOnly yes setting in the fallback section (Host *) enough for it to become effective in more host-specific sections? Commented Jul 23, 2018 at 18:59
  • @TimFriske You have put this option to every Host section with IdentityFile defined. Commented Jul 23, 2018 at 19:01
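As an added example (not part of the question or the answer above), the following POSIX shell script makes the two checks discussed on this page repeatable: it lints an ssh_config for Host blocks that list IdentityFile without IdentitiesOnly yes (the point raised in the comments), and it extracts the order in which an `ssh -v` run offered keys. The sample config and debug log are constructed here and mirror the ones in the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Sample config and log below
# are constructed to match the question's setup.

# Print one line per Host block that sets IdentityFile but lacks
# "IdentitiesOnly yes" (such a block may still offer agent/default keys first).
lint_identities_only() {
  awk '
    function flush() {
      if (host != "" && files > 0 && !only)
        print "missing IdentitiesOnly yes: Host " host
    }
    tolower($1) == "host" {
      flush(); host = $2
      for (i = 3; i <= NF; i++) host = host " " $i
      files = 0; only = 0; next
    }
    tolower($1) == "identityfile" { files++ }
    tolower($1) == "identitiesonly" && tolower($2) == "yes" { only = 1 }
    END { flush() }
  ' "$1"
}

# Print "<KEYTYPE> <path>" for each "Offering ... public key" line, in the
# order the client offered them to the server.
offered_key_order() {
  sed -n 's/^debug1: Offering \([A-Za-z0-9]*\) public key: \(.*\)$/\1 \2/p' "$1"
}

SAMPLE_CONFIG=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
Host foobar foobar.example.com
  Hostname foobar.example.com
  IdentityFile ~/.ssh/id_ed25519

Host *
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes
EOF
cat > "$SAMPLE_LOG" <<'EOF'
debug1: Offering RSA public key: ~/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: ~/.ssh/id_ed25519
EOF

lint_identities_only "$SAMPLE_CONFIG"
offered_key_order "$SAMPLE_LOG"
```

Run it against your real files with `lint_identities_only ~/.ssh/config` and `ssh -Tv bob@foobar 2>&1 | offered_key_order /dev/stdin`; a Host block reported by the linter is one where the key order is still decided by the agent and default identities rather than by your IdentityFile lines.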
