IdentitiesOnly + ssh-agent

I’m really hoping that someone can provide me with some enlightenment.

I have a lot of ssh keys. 6 by today’s count. On my desktop I have my ssh configured with IdentitiesOnly yes and an IdentityFile for each host. This works great.

I then forward my agent to my dev VM. I can see the keys with ssh-add -l. So far so good. If I then ssh into a host, I can see it trying every key from the agent in sequence, which is sometimes going to fail with too many keys tried. However, if I try IdentitiesOnly yes in my dev VM config, it doesn’t offer any keys, if I add IdentityFile it doesn’t work because I don’t have those key files on my VM.

So what’s the solution? What I want is to specify identities by their identifier in the agent, e.g. danni@github, however I can’t see config to do that. Anyone got a nifty solution?

Author: Danielle

Danielle is an Australian software engineer, computer scientist and feminist. She doesn't really work on GNOME any more (sadly). Opinions and writing are solely her own and so not represent her employer, the GNOME Foundation, or anyone else but herself.

8 thoughts on “IdentitiesOnly + ssh-agent”

  1. Run an agent per key, and have some script to set SSH_AUTH_SOCK on your PC? Or do you need all the keys?

  2. you will have to set `IdentityFile` for the `Host` you need. e.g.:

    Host *.gnome.org
    IdentityFile ~/.ssh/id_gnome

    (as you see, you can use wildcards.)

  3. @Tobias: the problem is those IdentityFile’s don’t exist on the VM and so it doesn’t work.

  4. @Matt: hmm, kind of gross, especially because I was hoping to continue to use GNOME’s keyring management to authorize my key access. I do need at least two of them on the VM.

  5. “I have a lot of ssh keys. 6 by today‚Äôs count.”

    Patient: “Doctor, it hurts when I do this.”

    Doctor: “well don’t do it then.”

  6. You do need to set IdentityFile, which you can use even without the file present – I use this daily as well. As long as the paths match up to the paths that you get with ssh-add -l, it should work.

  7. I’ve solved this by always using the public key in the IdentityFile directive, eg. “IdentityFile ~/.ssh/id_rsa.gitorious.pub”. In this way I can push only the public key to the VM to make IdentityFile work.

    I don’t use IdentitiesOnly since setting IdentityFile for each host has been enough for me.

Comments are closed.

Leave a Reply

Your email address will not be published. Required fields are marked *