[Bug 1991427] Re: ssh doesn't offer identity files in the right order

Launchpad Bug Tracker 1991427 at bugs.launchpad.net
Sat Dec 3 04:17:19 UTC 2022 

[Expired for openssh (Ubuntu) because there has been no activity for 60
days.]

** Changed in: openssh (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1991427

Title:
  ssh doesn't offer identity files in the right order

Status in openssh package in Ubuntu:
  Expired

Bug description:
  "man ssh_config" claims that the "IdentityFile"s will be tried in
  sequence:

  IdentityFile
          Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA au‐
          thentication identity is read.  The default is ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
          ~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa.  Additionally, any identities represented by the authentication agent will be used for
          authentication unless IdentitiesOnly is set.  If no certificates have been explicitly specified by CertificateFile, ssh(1) will
          try to load certificate information from the filename obtained by appending -cert.pub to the path of a specified IdentityFile.

          Arguments to IdentityFile may use the tilde syntax to refer to a user's home directory or the tokens described in the TOKENS sec‐
          tion.

          It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.
          Multiple IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configura‐
          tion directives).

          IdentityFile may be used in conjunction with IdentitiesOnly to select which identities in an agent are offered during authentica‐
          tion.  IdentityFile may also be used in conjunction with CertificateFile in order to provide any certificate also needed for au‐
          thentication with the identity.

  Yet it doesn't try them in the order specified ("id_ed25519-postfix"
  comes before "id_ed25519" in my "~/.ssh/config"):

  debug1: Connection established.
  debug1: identity file /home/user/.ssh/id_ed25519-postfix type 3
  debug1: identity file /home/user/.ssh/id_ed25519-postfix-cert type -1
  debug1: identity file /home/user/.ssh/id_ed25519 type 3
  debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
  debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
  ...
  debug1: Will attempt key: /home/user/.ssh/id_ed25519 ED25519 SHA256:<redacted> explicit agent
  debug1: Will attempt key: /home/user/.ssh/id_ed25519-postfix ED25519 SHA256:<redacted> explicit agent

  This causes the wrong key to be used for log in.  This is especially
  problematic when using Git over SSH, which causes the server to report
  repository doesn't exist as the username are the same and the key
  dictates the account being logged in, and instead of getting a
  permission denied the server would give out a more confusing message,
  misleading the direction the user goes to debug.

  Ubuntu 22.04.1 with openssh-client 1:8.9p1-3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1991427/+subscriptions

More information about the foundations-bugs mailing list