Public bug reported:
(I'm using Ubuntu 10.10 amd64)
(batr...@neverwinter:~$ apt-cache policy ssh
ssh:
Installed: 1:5.5p1-4ubuntu4
Candidate: 1:5.5p1-4ubuntu4)
If the ~/.ssh/config file contains an IdentityFile, then ssh will ignore
the one given on the command line switch (but still open and read it
following strace). For example:
batr...@neverwinter:~$ cat $HOME/.ssh/config
CheckHostIP yes
Compression no
ConnectionAttempts 1
ConnectTimeout 5
HashKnownHosts yes
HostKeyAlgorithms ssh-rsa
IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
PreferredAuthentications password,keyboard-interactive,publickey
Using this command:
batr...@neverwinter:~$ ssh -i /home/batrick/.ssh/id_rsa.subversion
batr...@svn.batbytes.com svnserve -t
The .ssh/id_rsa.subversion private key is unencrypted and used
exclusively for secure svn access to my server (the authorized_keys on
the server only allows executing svnserve). I also have another
encrypted key (the usual .ssh/id_rsa) that I use to ssh into the box for
general use. The above command *always* tries to use this .ssh/id_rsa
private key despite my specifying the -i switch on the command line.
Here is the debug output for the above command with -v for verbose
output:
batr...@neverwinter:~$ ssh -v -i /home/batrick/.ssh/id_rsa.subversion
batr...@svn.batbytes.com svnserve -t
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/batrick/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to svn.batbytes.com [72.14.184.61] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: identity file /home/batrick/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1
Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'svn.batbytes.com' is known and matches the RSA host key.
debug1: Found key in /home/batrick/.ssh/known_hosts:25
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batrick/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: svnserve -t
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops
depth log-revprops partial-replay ) ) ) ^Cdebug1: channel 0: free:
client-session, nchannels 1
debug1: Killed by signal 2.
You can see when the actual negotiation takes place it sends the public key for
/home/batrick/.ssh/id_rsa instead of /home/batrick/id_rsa.subversion. I would
argue this is a bug since a command line switch should always override a config
file.
For completeness, I'll show that commenting out that config file line
solves the problem:
batr...@neverwinter:~$ cat .ssh/config
CheckHostIP yes
Compression no
ConnectionAttempts 1
ConnectTimeout 5
HashKnownHosts yes
HostKeyAlgorithms ssh-rsa
#IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
PreferredAuthentications password,keyboard-interactive,publickey
batr...@neverwinter:~$ ssh -v -i /home/batrick/.ssh/id_rsa.subversion
batr...@svn.batbytes.com svnserve -t
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/batrick/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to svn.batbytes.com [72.14.184.61] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1
Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'svn.batbytes.com' is known and matches the RSA host key.
debug1: Found key in /home/batrick/.ssh/known_hosts:25
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batrick/.ssh/id_rsa.subversion
debug1: Remote: Forced command: svnserve --tunnel --tunnel-user batrick --root
/home/batrick/subversion/batrick
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: User rc file execution disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Remote: Forced command: svnserve --tunnel --tunnel-user batrick --root
/home/batrick/subversion/batrick
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: User rc file execution disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: svnserve -t
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops
depth log-revprops partial-replay ) ) ) ^Cdebug1: channel 0: free:
client-session, nchannels 1
debug1: Killed by signal 2.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
--
ssh does not honor -i switch with config file
https://bugs.launchpad.net/bugs/673313
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
