Is it possible to specify forwarded keys using the IdentityFile directive in .ssh/config?

I ran into this quirk when trying to deploy some code via Capistrano/GIT on our production server. Both my personal and my work GIT keys are always loaded in my SSH agent and it just so happened that my personal key was added to the agent first. I use agent forwarding when deploying with Capistrano so when the host tried to authenticate the `git pull` operation it failed with the following error:

ERROR: Permission to `some repo` denied to `your user`.

because it attempted to authenticate using my personal git key before trying the appropriate key (which came later in the ssh agent) and assumed that I was accessing a foreign repo which I don't have permission to access. I can potentially just give my personal user access to every work repo but on my local machine I can get around this problem by defining custom domains in .ssh/config like so:

Host personal.github.com
Hostname github.com
User git
IdentityFile ~/.ssh/some_key

Host work.github.com
Hostname github.com
User git
IdentityFile ~/.ssh/some_other_key

and this way git never gets confused. Is it possible to create .ssh/config rules for forwarded keys on my production boxes so they always know which key to use when pulling in new code? Basically I want to be able to do:

Host work.github.com
Hostname github.com
User git
IdentityFile some_forwarded_key

Thanks!

1 Answer

You can use the public part of a key to specify which private key you want to use from the forwarded agent. This requires creating an extra file (the public part of the key) on any “intermediate” machines (machines to which you forward your local ssh-agent).

  1. Arrange for the intermediate machine to have a copy of the public part of the desired key in a convenient location (e.g. ~/.ssh/some_other_key.pub).

    From any machine that already has the public part of the key:

    scp some_other_key.pub intermediate:.ssh/
    

    or, on the intermediate machine:

    ssh-add -L | grep something_unique > ~/.ssh/some_other_key.pub
    

    You may want to edit the trailing “comment” part of the public key to better identify the key’s origin/owner/purpose (or attempt to hide the same).

  2. Use the pathname to the above public key file with -i or IdentityFile.

  3. You may also need to use IdentitiesOnly yes (in .ssh/config or -o) to keep ssh from trying to offer any additional identities from your forwarded agent.
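
An added example (not code from the answer or the comments) that automates the three steps above on the intermediate machine: it selects exactly one key from `ssh-add -L` output by a pattern on the key's comment, refuses to proceed when the pattern matches zero or several keys, writes the .pub file with owner-only permissions, and prints the matching ssh_config stanza with IdentitiesOnly yes. The sample agent output and the function names are constructed for this example.

```shell
# Constructed sample of `ssh-add -L` output as seen on the intermediate host
# with two keys forwarded; the key material is placeholder text, not real keys.
SAMPLE_AGENT_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPERSONALKEYPLACEHOLDER me@home
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIWORKKEYPLACEHOLDER me@work-laptop deploy'

# pick_agent_pubkey PATTERN   (reads `ssh-add -L` output on stdin)
# Prints the single public-key line whose comment matches PATTERN.
# Exit 1 on no match, exit 2 on several: a pattern that is not really
# unique must not silently select the wrong identity.
pick_agent_pubkey() {
    pattern=$1
    matches=$(awk -v pat="$pattern" '
        { comment = $0; sub(/^[^ ]+ [^ ]+ ?/, "", comment)
          if (comment ~ pat) print }')
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    case $count in
        0) echo "no agent key matches '$pattern'" >&2; return 1 ;;
        1) printf '%s\n' "$matches" ;;
        *) echo "$count agent keys match '$pattern'; refine it" >&2; return 2 ;;
    esac
}

# host_stanza ALIAS HOSTNAME PUBFILE
# ssh_config stanza that offers only the key whose public half is in PUBFILE;
# IdentitiesOnly keeps ssh from also trying every other forwarded key.
host_stanza() {
    printf 'Host %s\n    Hostname %s\n    User git\n' "$1" "$2"
    printf '    IdentityFile %s\n    IdentitiesOnly yes\n' "$3"
}

# install_forwarded_key PATTERN PUBFILE   (reads `ssh-add -L` output on stdin)
# Writes the selected public key to PUBFILE with owner-only permissions.
install_forwarded_key() {
    key=$(pick_agent_pubkey "$1") || return $?
    ( umask 077; printf '%s\n' "$key" > "$2" )
}

# Typical use on the intermediate machine once the agent is forwarded in:
#   ssh-add -L | install_forwarded_key 'work-laptop' ~/.ssh/some_other_key.pub
#   host_stanza work.github.com github.com ~/.ssh/some_other_key.pub >> ~/.ssh/config
```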

  • This is the only thing that has worked for me from 10 other solutions.
    – Tracy Fu
    Commented Aug 21, 2015 at 4:38
  • Playing with this I realized that if you put the public key associated with the private key you wish to use in ~/.ssh/id_rsa.pub on the intermediate machine, it will be used by default, no need for any configuration in ~/.ssh/config.
    – Schlueter
    Commented Jan 7, 2016 at 0:34
  • Thanks Chris and bschlueter! I now connect with: ssh someserver -t "ssh-add -L | grep something_unique > ~/.ssh/id_rsa.pub; cd some/other/folder; bash --login"
    – blablabla
    Commented Aug 26, 2016 at 13:23
  • When I try this with ssh -v -T ... the server accepts the public key, but then ssh says No such identity: /home/name/.ssh/id_rsa: No such file or directory and subsequently the authentication fails. I have ForwardAgent enabled in all my configs. What could be the problem?
    Commented Aug 23, 2018 at 8:21
  • Hmm. Only copying the pubkey works for me. For my signing key I have: gpg.ssh.defaultkeycommand=ssh-add -L | grep 'signing'. Would be great if there was a similar config for git deploy-keys, but yes, this works: git config core.sshCommand "ssh -i ~/.ssh/my-repo-deploy.pub "
    – rosmcmahon
    Commented Nov 6, 2023 at 8:49