meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Fri Mar 12, 2010 1:36 pm Post subject: limit ssh-agent to known hosts [SOLVED]
Hi,
I'm using password-encrypted ssh keys to authenticate on a lot of servers. Depending on the group (like company A, company B, university, private, etc.) I'm using a different key with a different password. So ssh-agent is a very nice helper.
But when I now try to connect to a server which isn't configured in my .ssh/config and want to log in using a simple password, ssh-agent first tries all my rsa keys, which leads to "too many authentication errors" in the end. So I have to use "-o PreferredAuthentications=password" whenever I face such a server. Using "Host *" with this option in .ssh/config does not work since it will match really all servers and not only the unconfigured ones.
So, how can I tell ssh (or better: ssh-agent) NOT to try my keys on an unknown server, or even better to just try the default certificate ~/.ssh/id_rsa and ignore the rest (which are lying in project folders, btw.)?
Thanks,
M
Last edited by meyerm on Fri Mar 12, 2010 2:17 pm; edited 1 time in total
malern Apprentice
Joined: 19 Oct 2006 Posts: 170
Posted: Fri Mar 12, 2010 1:56 pm
Try adding "IdentitiesOnly yes" to your ssh_config file. That should force ssh to use the key from ~/.ssh/id_rsa and ignore the rest.
meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Fri Mar 12, 2010 2:17 pm
Great, thank you! Looks exactly like what I wanted.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23066
Posted: Sat Mar 13, 2010 3:28 am
If you can write expressions that match the known machines, you can write an ssh_config of the form:
Code:
Host *.university
    IdentityFile ~/.ssh/id_university
    PreferredAuthentications publickey
Host *.private
    IdentityFile ~/.ssh/id_personal
    PreferredAuthentications publickey
Host *
    PreferredAuthentications password

Since ssh works on a first-match-wins basis, it will honour the publickey request for hosts matching *.university and *.private, and fall through to the wildcard password request for other hosts. This approach depends on the known hosts having sufficient commonality that you can match them without needing exhaustive host lists. The IdentitiesOnly option looks ideal here, but I wanted to point this out in case you encounter other settings where you want one default for unknown hosts and a different default for known ones. For example, you might want to forward X11 connections any time you connect to a known host, but not when you connect to an unknown host.
meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Sat Mar 13, 2010 1:48 pm
Thank you very much for sharing your experience!

Hu wrote:
> If you can write expressions that match the known machines, you can write an ssh_config of the form...

That's exactly what I did in the beginning. Well, not exactly, I have a "Host alias" entry for all of the hosts (since I have a few different settings, beginning with User and ending with ProxyCommand for several of them) and not a wildcard for each group. But...

Hu wrote:
> Since ssh works on a first-match-wins basis,

...this didn't work for me. I have the "Host *" entry at the end of the file and now even my manually configured hosts are asked for password authentication (which will fail with most of them). Shouldn't hosts with a fitting alias match and therefore ignore the "Host *" settings?
My conclusion was that "Host *" will always be used, not on a first-match but on a rules-for-all basis. Perhaps I did something wrong? I'm on openssh 5.4_p1.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23066
Posted: Sat Mar 13, 2010 5:49 pm
meyerm wrote:
> That's exactly what I did in the beginning. Well, not exactly, I have a "Host alias" entry for all of the hosts (since I have a few different settings, beginning with User and ending with ProxyCommand for several of them) and not a wildcard for each group. But...

It is legal to have multiple Host stanzas match the same machine. You could write:
Code:
Host *.university
    User mystudentname
Host edge.university
    LocalForward 9234:127.0.0.1:9234

This would use mystudentname for all hosts at university. It would also use a port forwarding for edge.university, but not for any other system in the .university domain.

meyerm wrote:
> Hu wrote:
> > Since ssh works on a first-match-wins basis,
>
> ...this didn't work for me. I have the "Host *" entry at the end of the file and now even my manually configured hosts are asked for password authentication (which will fail with most of them). Shouldn't hosts with a fitting alias match and therefore ignore the "Host *" settings?
> My conclusion was that "Host *" will always be used, not on a first-match but on a rules-for-all basis. Perhaps I did something wrong? I'm on openssh 5.4_p1.

First match wins for each option. Since you put PreferredAuthentications password in the Host * block, every host which should not use password authentication must match a prior block which explicitly states PreferredAuthentications publickey. It is not sufficient to write:
Code:
Host known
    User myname
Host *
    PreferredAuthentications password

and expect to have Host known ignore the options in the Host * block. Instead, write it as I showed before. This is a bit more verbose, unfortunately. However, you can use the ability to specify multiple globs to minimize repeated blocks. You could write:
Code:
Host *.university *.personal *.work
    PreferredAuthentications publickey
    ForwardX11 yes
    ControlMaster auto
Host *.university
    User mystudentname
Host *.personal
    User myprivatename
    ForwardX11Trusted yes
Host *.work
    User myemployeename
Host *
    PreferredAuthentications password
    ForwardX11 no
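The three points above that decide which keys ssh offers to a host (malern's IdentitiesOnly suggestion, Hu's first-match-wins-per-option rule, and Hu's point that several Host stanzas may match one machine) can be checked with a small model of ssh_config resolution. This is an added example, not code from the thread or from OpenSSH: the configs and the agent contents are constructed, the default identity list and authentication-method order mirror OpenSSH's documented defaults, and the order in which keys are offered is a simplification of the real client.

```python
"""Model of how OpenSSH resolves ssh_config for one host (added example, not
from the thread).  Two rules drive everything discussed above:
  * each option takes its value from the FIRST matching Host stanza that sets
    it, so a trailing 'Host *' only fills in what earlier stanzas left unset;
  * IdentityFile entries accumulate across matching stanzas, and with
    IdentitiesOnly yes the agent's other keys are never offered.
Host patterns use fnmatch (a superset of OpenSSH's '*' and '?'); the
key-offering order is simplified; all configs below are constructed."""
import fnmatch
import re

MULTI_VALUED = {"identityfile", "localforward"}   # directives that accumulate
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"]
DEFAULT_METHODS = "gssapi-with-mic,hostbased,publickey,keyboard-interactive,password"

def parse(text):
    """Return [(patterns, [(key, value), ...]), ...] in file order."""
    stanzas = [(["*"], [])]          # options before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            stanzas.append((value.split(), []))
        else:
            stanzas[-1][1].append((key, value))
    return stanzas

def stanza_matches(patterns, host):
    """A matching negated pattern vetoes the stanza; else any positive match applies."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched

def resolve(text, host):
    """Effective options for host: first match wins per option, multi-valued ones accumulate."""
    opts = {}
    for patterns, options in parse(text):
        if not stanza_matches(patterns, host):
            continue
        for key, value in options:
            if key in MULTI_VALUED:
                opts.setdefault(key, []).append(value)
            elif key not in opts:            # an earlier stanza already decided this option
                opts[key] = value
    return opts

def offered_keys(opts, agent_keys):
    """Keys the client would present, given what ssh-agent holds (simplified order)."""
    methods = opts.get("preferredauthentications", DEFAULT_METHODS).split(",")
    if "publickey" not in methods:
        return []                            # publickey is never attempted at all
    files = opts.get("identityfile") or DEFAULT_IDENTITIES
    if opts.get("identitiesonly", "no").lower() == "yes":
        return list(files)                   # agent keys not named in config are skipped
    return list(agent_keys) + [f for f in files if f not in agent_keys]

# Constructed agent contents: one key per group, as in the original post.
AGENT_KEYS = ["~/.ssh/id_university", "~/.ssh/id_personal", "~/.ssh/id_work"]

# Per-group keys only: every agent key plus the defaults gets thrown at an unknown host.
NAIVE_CONFIG = """
Host *.university
    IdentityFile ~/.ssh/id_university
Host *.personal
    IdentityFile ~/.ssh/id_personal
"""

# malern's fix on its own: unknown hosts only ever see the default identity files.
IDENTITIESONLY_CONFIG = NAIVE_CONFIG + "Host *\n    IdentitiesOnly yes\n"

# Hu's layout, plus a 'Host known' alias that sets only User, to show why it
# still inherits PreferredAuthentications password from the trailing Host *.
CONFIG = """
Host *.university *.personal
    PreferredAuthentications publickey
    ForwardX11 yes
Host *.university
    User mystudentname
    IdentityFile ~/.ssh/id_university
Host edge.university
    LocalForward 9234:127.0.0.1:9234
Host *.personal
    User myprivatename
    IdentityFile ~/.ssh/id_personal
Host known
    User myname
Host *
    IdentitiesOnly yes
    PreferredAuthentications password
    ForwardX11 no
"""

if __name__ == "__main__":
    for host in ("edge.university", "lab.university", "known", "random.example.com"):
        o = resolve(CONFIG, host)
        print(f"{host:20} user={o.get('user')} auth={o.get('preferredauthentications')} "
              f"offers={offered_keys(o, AGENT_KEYS)}")
```

Run it and `known` comes out with auth=password and no keys offered, which is exactly the behaviour meyerm reported, while `edge.university` gets publickey with only the university key and the LocalForward that `lab.university` does not inherit. On a real system, `ssh -G hostname` (OpenSSH 6.8 and later) prints the resolved options in the same first-match-wins way, so it is the quickest check of stanza order. Beyond the "Too many authentication failures" error, which is the server's MaxAuthTries limit being hit, every key offered to an unknown host discloses that public key to it, so IdentitiesOnly is also a privacy measure, not just a convenience.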
meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Sun Mar 14, 2010 11:57 am
Hu wrote:
> It is legal to have multiple Host stanzas match the same machine. ... First match wins for each option.

Ah! Now everything makes sense.
Thank you very much for the very detailed and elaborate answer.