
How to use ssh -i with a key from ssh-agent rather than from a file?
Hi,

I have a VM with a git repository whose origin is on
github. I have several keys known to github, so I needed
to set git's core.sshcommand config parameter in the
repository to something like this:

ssh -i ~/.ssh/id_ed25519_github2

But it meant that I needed to copy that key to the VM.
The same key is available via my forwarded ssh-agent
connection. Is it possible to tell ssh to use that
instead of the key in a file? The documentation for the
-i option only mentions files.

cheers,
raf

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, 30 Sep 2020, raf wrote:

> Hi,
>
> I have a VM with a git repository whose origin is on
> github. I have several keys known to github, so I needed
> to set git's core.sshcommand config parameter in the
> repository to something like this:
>
> ssh -i ~/.ssh/id_ed25519_github2
>
> But it meant that I needed to copy that key to the VM.
> The same key is available via my forwarded ssh-agent
> connection. Is it possible to tell ssh to use that
> instead of the key in a file? The documentation for the
> -i option only mentions files.

ssh will read the public key (id_ed25519_github2.pub) to identify the key
before it tries to use the private key (id_ed25519_github2). If the private
key is available in the agent then it will never try to use the private key
file.

Summary: copy id_ed25519_github2.pub to your VM and the above command will
work.

-d
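Damien's answer above rests on one mechanism: ssh identifies a key by its public half, and when the agent already holds the matching private key it signs through the agent and never opens a private key file. The precondition for the recipe is therefore that the key in the local .pub file is one the forwarded agent actually offers. The following is an added example, not code from the thread or from OpenSSH: a POSIX shell check that compares the key type and base64 blob in a public key file against an `ssh-add -L` listing, ignoring the comment field (which is not part of the key's identity). The key blobs and file paths are constructed placeholders, and `agent_has_key` assumes a reachable agent via SSH_AUTH_SOCK.

```shell
#!/bin/sh
# Added example: is the key named by a public key file held by the agent?

# key_in_listing PUBKEY_FILE LISTING_FILE
#   Returns 0 if the key type and base64 blob on the first line of PUBKEY_FILE
#   appear in LISTING_FILE (the text printed by "ssh-add -L"), 1 if they do not,
#   and 2 if PUBKEY_FILE does not look like a public key line.
#   Only fields 1 and 2 are compared; the trailing comment is ignored.
key_in_listing() {
    want=$(awk 'NR == 1 && NF >= 2 { print $1, $2 }' "$1")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        NF >= 2 && ($1 " " $2) == want { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# agent_has_key PUBKEY_FILE
#   The same check against the live agent reached through SSH_AUTH_SOCK
#   (assumes ssh-add is on PATH and an agent is forwarded or running).
agent_has_key() {
    listing=$(mktemp) || return 2
    ssh-add -L > "$listing" 2>/dev/null
    key_in_listing "$1" "$listing"
    rc=$?
    rm -f "$listing"
    return $rc
}

# Constructed sample data (these are NOT real keys): a public key file, an
# agent listing that holds that key under a different comment plus an
# unrelated key, and a public key file the agent does not hold.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PUB="$SAMPLE_DIR/id_ed25519_github2.pub"
SAMPLE_LISTING="$SAMPLE_DIR/agent-listing.txt"
OTHER_PUB="$SAMPLE_DIR/id_ed25519_other.pub"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOBNOTAREALKEYXXXXXXXXXXXXXXXXX user@domain.com' > "$SAMPLE_PUB"
cat > "$SAMPLE_LISTING" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOBNOTAREALKEYXXXXXXXXXXXXXXXXX different comment on the agent side
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANOTHEREXAMPLEBLOBNOTAREALKEYYYYYYYYYYYYY work@example.com
EOF
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMISSINGEXAMPLEBLOBNOTAREALKEYZZZZZZZZZZZ user@domain.com' > "$OTHER_PUB"

# Stand-alone run against the constructed data; on a real VM you would call
# agent_has_key ~/.ssh/id_ed25519_github2.pub before relying on "ssh -i".
if key_in_listing "$SAMPLE_PUB" "$SAMPLE_LISTING"; then
    echo "sample key: held by agent"
else
    echo "sample key: NOT held by agent"
fi
```

If the check fails on the VM, the usual causes are that the agent is not forwarded into that session (SSH_AUTH_SOCK unset) or that the .pub file on the VM belongs to a different key than the one loaded into the agent; `ssh -vvv` will show which identities are offered.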
Re: How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 03:35:43PM +1000, Damien Miller <djm@mindrot.org> wrote:

> On Wed, 30 Sep 2020, raf wrote:
>
> > Hi,
> >
> > I have a VM with a git repository whose origin is on
> > github. I have several keys known to github, so I needed
> > to set git's core.sshcommand config parameter in the
> > repository to something like this:
> >
> > ssh -i ~/.ssh/id_ed25519_github2
> >
> > But it meant that I needed to copy that key to the VM.
> > The same key is available via my forwarded ssh-agent
> > connection. Is it possible to tell ssh to use that
> > instead of the key in a file? The documentation for the
> > -i option only mentions files.
>
> ssh will read the public key (id_ed25519_github2.pub) to identify the key
> before it tries to use the private key (id_ed25519_github2). If the private
> key is available in the agent then it will never try to use the private key
> file.
>
> Summary: copy id_ed25519_github2.pub to your VM and the above command will
> work.
>
> -d

Hi Damien,

Thanks. That's brilliant.
It should get a mention in the manpage.
I've attached a patch for ssh.1.

However, I've just tried it and it didn't work for me. :-(

$ git config core.sshcommand
ssh -i ~/.ssh/id_ed25519_github2

$ ls -l ~/.ssh/id*
-rw-r--r-- 1 raf raf 110 Dec 19 2019 /home/raf/.ssh/id_ed25519_github2.pub

$ cat ~/.ssh/id_ed25519_github2.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK user@domain.com

$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK user@domain.com
[...]

$ git pull
Warning: Identity file /home/raf/.ssh/id_ed25519_aps_github not accessible: No such file or directory.
ERROR: Repository not found.
[...]

$ ssh -V
OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019

Perhaps this version of ssh is too old for this to work?

Regards,
Robert
Re: How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 1:40 PM raf <ssh@raf.org> wrote:

> On Wed, Sep 30, 2020 at 03:35:43PM +1000, Damien Miller <djm@mindrot.org>
> wrote:
>
> > On Wed, 30 Sep 2020, raf wrote:
> >
> > > Hi,
> > >
> > > I have a VM with a git repository whose origin is on
> > > github. I have several keys known to github, so I needed
> > > to set git's core.sshcommand config parameter in the
> > > repository to something like this:
> > >
> > > ssh -i ~/.ssh/id_ed25519_github2
> > >
> > > But it meant that I needed to copy that key to the VM.
> > > The same key is available via my forwarded ssh-agent
> > > connection. Is it possible to tell ssh to use that
> > > instead of the key in a file? The documentation for the
> > > -i option only mentions files.
> >
> > ssh will read the public key (id_ed25519_github2.pub) to identify the key
> > before it tries to use the private key (id_ed25519_github2). If the
> private
> > key is available in the agent then it will never try to use the private
> key
> > file.
> >
> > Summary: copy id_ed25519_github2.pub to your VM and the above command
> will
> > work.
> >
> > -d
>
> Hi Damien,
>
> Thanks. That's brilliant.
> It should get a mention in the manpage.
> I've attached a patch for ssh.1.
>
> However, I've just tried it and it didn't work for me. :-(
>
> $ git config core.sshcommand
> ssh -i ~/.ssh/id_ed25519_github2
>
> $ ls -l ~/.ssh/id*
> -rw-r--r-- 1 raf raf 110 Dec 19 2019
> /home/raf/.ssh/id_ed25519_github2.pub
>
> $ cat ~/.ssh/id_ed25519_github2.pub
> ssh-ed25519
> AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK
> user@domain.com
>
> $ ssh-add -L
> ssh-ed25519
> AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK
> user@domain.com
> [...]
>
> $ git pull
> Warning: Identity file /home/raf/.ssh/id_ed25519_aps_github not
> accessible: No such file or directory.
> ERROR: Repository not found.
>

From where is this id_ed25519_*aps*_github file coming?




--
Danishka Navin
Re: How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, 30 Sep 2020, raf wrote:

> Thanks. That's brilliant.
> It should get a mention in the manpage.
> I've attached a patch for ssh.1.
>
> However, I've just tried it and it didn't work for me. :-(
>
> $ git config core.sshcommand
> ssh -i ~/.ssh/id_ed25519_github2

Personally, I find it easier to use ~/.ssh/config for this sort of
configuration:

Host github.com
User git
IdentityFile ~/.ssh/id_ed25519_github2
IdentitiesOnly yes # Don't use other keys in agent or on disk

You can then also "ssh -vvv github.com true" to see what is going wrong.

-d
Re: How to use ssh -i with a key from ssh-agent rather than from a file?
I have sections in my .ssh/config (see below) to allow me to use several
different github accounts. The important part is having the .pub files
sitting there. You don't need the private key on the VM, just the public
key, and it will pick the correct private key from your agent. Then on the
git repo I do: git remote add origin githubu2:user/repo.git

Those sections:

Host githubu1
Tunnel no
ForwardAgent no
ForwardX11 no
HostName github.com
user git
IdentityFile ~/.ssh/githubu1.pub

Host githubu2
Tunnel no
ForwardAgent no
ForwardX11 no
HostName github.com
user git
IdentityFile ~/.ssh/githubu2.pub

Host githubu3
Tunnel no
ForwardAgent no
ForwardX11 no
HostName github.com
user git
IdentityFile ~/.ssh/githubu3.pub

--Gregory

On Wed, Sep 30, 2020 at 02:38:23PM +1000, raf wrote:
> Hi,
>
> I have a VM with a git repository whose origin is on
> github. I have several keys known to github, so I needed
> to set git's core.sshcommand config parameter in the
> repository to something like this:
>
> ssh -i ~/.ssh/id_ed25519_github2
>
> But it meant that I needed to copy that key to the VM.
> The same key is available via my forwarded ssh-agent
> connection. Is it possible to tell ssh to use that
> instead of the key in a file? The documentation for the
> -i option only mentions files.
>
> cheers,
> raf
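Gregory's per-account stanzas above and Damien's single github.com stanza earlier in the thread differ in two properties worth confirming across an ssh_config: whether IdentityFile names a public key (so only the public half has to live on the VM and the private key is used through the agent) and whether IdentitiesOnly is set (so ssh offers only the configured identity for that host rather than every key the agent holds; a configured identity whose private half is in the agent is still used). The following is an added example, not code from the thread or from OpenSSH: a POSIX shell/awk audit over a constructed ssh_config that reports both properties for every stanza resolving to github.com. It uses only the first pattern on a Host line, does not handle Match or Include, and the config contents and paths are constructed samples.

```shell
#!/bin/sh
# Added example: audit the github.com stanzas of an ssh_config.

# audit_github_stanzas CONFIG_FILE
#   Prints one line per Host stanza that resolves to github.com, either
#   "Host github.com" itself or an alias with "HostName github.com":
#     <alias> identity=<IdentityFile or -> pubkey=<yes|no> identitiesonly=<yes|no>
#   pubkey=yes means IdentityFile ends in .pub, i.e. no private key is
#   needed on disk. Keywords are matched case-insensitively, as ssh does.
audit_github_stanzas() {
    awk '
        function flush(    target) {
            target = (hostname == "" ? tolower(host) : hostname)
            if (host != "" && target == "github.com")
                printf "%s identity=%s pubkey=%s identitiesonly=%s\n",
                    host, (idfile == "" ? "-" : idfile),
                    (idfile ~ /\.pub$/ ? "yes" : "no"),
                    (ionly == "" ? "no" : ionly)
        }
        {
            sub(/#.*/, "")          # drop comments, trailing ones included
            if (NF == 0) next
            key = tolower($1)
            if (key == "host") {    # new stanza: report the previous one
                flush(); host = $2; hostname = ""; idfile = ""; ionly = ""; next
            }
            if (key == "hostname") hostname = tolower($2)
            else if (key == "identityfile") idfile = $2
            else if (key == "identitiesonly") ionly = tolower($2)
        }
        END { flush() }
    ' "$1"
}

# Constructed sample config combining the two styles seen in the thread.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# private key on disk; other agent keys are not offered for this host
Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github2
    IdentitiesOnly yes

# per-account aliases: public key only, private key comes from the agent
Host githubu1
    HostName github.com
    User git
    IdentityFile ~/.ssh/githubu1.pub
    IdentitiesOnly yes

Host githubu2
    HostName github.com
    User git
    IdentityFile ~/.ssh/githubu2.pub   # no IdentitiesOnly: other agent keys may be offered too

Host example.org
    User alice
    IdentityFile ~/.ssh/id_ed25519_example
EOF

# Stand-alone run; on a real machine: audit_github_stanzas ~/.ssh/config
audit_github_stanzas "$SAMPLE_CONFIG"
```

With the sample above the first stanza is reported as `pubkey=no`, meaning the private key must be present on that machine, and the third as `identitiesonly=no`, meaning ssh may also offer the agent's other github keys after the configured one.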
Re: How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 02:13:20PM +0530, Danishka Navin <danishka@gmail.com> wrote:

> On Wed, Sep 30, 2020 at 1:40 PM raf <ssh@raf.org> wrote:
>
> > On Wed, Sep 30, 2020 at 03:35:43PM +1000, Damien Miller <djm@mindrot.org>
> > wrote:
> >
> > > On Wed, 30 Sep 2020, raf wrote:
> > >
> > > > Hi,
> > > >
> > > > I have a VM with a git repository whose origin is on
> > > > github. I have several keys known to github, so I needed
> > > > to set git's core.sshcommand config parameter in the
> > > > repository to something like this:
> > > >
> > > > ssh -i ~/.ssh/id_ed25519_github2
> > > >
> > > > But it meant that I needed to copy that key to the VM.
> > > > The same key is available via my forwarded ssh-agent
> > > > connection. Is it possible to tell ssh to use that
> > > > instead of the key in a file? The documentation for the
> > > > -i option only mentions files.
> > >
> > > ssh will read the public key (id_ed25519_github2.pub) to identify the key
> > > before it tries to use the private key (id_ed25519_github2). If the
> > private
> > > key is available in the agent then it will never try to use the private
> > key
> > > file.
> > >
> > > Summary: copy id_ed25519_github2.pub to your VM and the above command
> > will
> > > work.
> > >
> > > -d
> >
> > Hi Damien,
> >
> > Thanks. That's brilliant.
> > It should get a mention in the manpage.
> > I've attached a patch for ssh.1.
> >
> > However, I've just tried it and it didn't work for me. :-(
> >
> > $ git config core.sshcommand
> > ssh -i ~/.ssh/id_ed25519_github2
> >
> > $ ls -l ~/.ssh/id*
> > -rw-r--r-- 1 raf raf 110 Dec 19 2019
> > /home/raf/.ssh/id_ed25519_github2.pub
> >
> > $ cat ~/.ssh/id_ed25519_github2.pub
> > ssh-ed25519
> > AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK
> > user@domain.com
> >
> > $ ssh-add -L
> > ssh-ed25519
> > AAAAC3NzaC1lZDI1NTE5AAAAIHrmJ0gYTmZlilDBB/BsyOHqOT354aDLWgULmMPXRkJK
> > user@domain.com
> > [...]
> >
> > $ git pull
> > Warning: Identity file /home/raf/.ssh/id_ed25519_aps_github not
> > accessible: No such file or directory.
> > ERROR: Repository not found.
> >
>
> From where is this id_ed25519_*aps*_github file coming?

Sorry, that's the real name of the key file. I missed
changing it to match the other appearances. The point
in using ...github2 was to indicate the fact that I
have multiple keys in my agent that are known to
github, and without telling ssh which one to use for a
given git repository, ssh would try all the keys in
some arbitrary(?) order and one of the others might be
tried first and work, i.e. one of the keys that doesn't
have write permission to the repository in question
because it is for a different github account. This is
probably only an issue when you have multiple working
keys for a server, but only one of them will get you
what you actually need after the original
authentication has taken place. Github is probably
a special case because all accounts use the same
ssh username "git".

cheers,
raf

Re: How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 07:45:20PM +1000, Damien Miller <djm@mindrot.org> wrote:

> On Wed, 30 Sep 2020, raf wrote:
>
> > Thanks. That's brilliant.
> > It should get a mention in the manpage.
> > I've attached a patch for ssh.1.
> >
> > However, I've just tried it and it didn't work for me. :-(
> >
> > $ git config core.sshcommand
> > ssh -i ~/.ssh/id_ed25519_github2
>
> Personally, I find it easier to use ~/.ssh/config for this sort of
> configuration:
>
> Host github.com
> User git
> IdentityFile ~/.ssh/id_ed25519_github2
> IdentitiesOnly yes # Don't use other keys in agent or on disk
>
> You can then also "ssh -vvv github.com true" to see what is going wrong.
>
> -d

I'd agree in general, but not in this instance. Since I
have multiple github accounts and hence multiple keys
for that user/server combination, each one leading to a
different github account, I would also have to create a
server name alias for each key, and put configurations
for each of them in the config file.

Just running a git config command per repository, and
keeping the config with the repository, seems simpler
to me.

Also, I don't think that your example would actually
solve my problem, which is the desire to get the key
from the agent rather than from a file on disk. Your
example above explicitly prevents ssh from using the
agent with "IdentitiesOnly yes".

Does this mean that your original suggestion doesn't
work, even on later versions of ssh?

New question: If I do create a key-specific hostname
alias for each of my github accounts in the
~/.ssh/config file, can I do it in the config file that
is where my private keys are (and will that config be
forwarded to the VM), or would this config need to be
local to the VM? I expect that config settings probably
wouldn't be forwarded via the agent.

If this config has to be local to the VM, I still don't
know how to tell it to get the specified key from the
agent.

I suppose I can put up with having the private key in
the VM. It's on a laptop where the private key is
anyway. It's just that I had to delete it before
exporting the VM to send to someone else. But I can put
it back.

But if anyone does implement your original suggestion,
that would be great for anyone with multiple github
accounts.

An alternative would be to change IdentityFile to also
accept a fingerprint/hash/keygrip, or add a new config
parameter IdentityKey which takes a
fingerprint/hash/keygrip argument to make it clear that
the key could come from the agent (or an unspecified
file). Just a thought.

Thanks for your time and suggestions.

cheers,
raf

Re: How to use ssh -i with a key from ssh-agent rather than from a file?
On Wed, Sep 30, 2020 at 03:28:01PM -0400, Gregory Seidman <gsslist+ssh@anthropohedron.net> wrote:

> I have sections in my .ssh/config (see below) to allow me to use several
> different github accounts. The important part is having the .pub files
> sitting there. You don't need the private key on the VM, just the public
> key, and it will pick the correct private key from your agent. Then on the
> git repo I do: git remote add origin githubu2:user/repo.git
>
> Those sections:
>
> Host githubu1
> Tunnel no
> ForwardAgent no
> ForwardX11 no
> HostName github.com
> user git
> IdentityFile ~/.ssh/githubu1.pub
>
> Host githubu2
> Tunnel no
> ForwardAgent no
> ForwardX11 no
> HostName github.com
> user git
> IdentityFile ~/.ssh/githubu2.pub
>
> Host githubu3
> Tunnel no
> ForwardAgent no
> ForwardX11 no
> HostName github.com
> user git
> IdentityFile ~/.ssh/githubu3.pub
>
> --Gregory

Hi Gregory,

Thanks. That's great. I didn't realise that I could use
the name of the public key file with -i. The
documentation doesn't indicate that. In fact, it
explicitly states that the filename argument is for the
private key.

With this knowledge, the git config approach works just
as well:

git config core.sshcommand 'ssh -i ~/.ssh/id_ed25519_github2.pub'

and the remote origin can stay as git@github.com and there's
no need to put repository-specific config in ssh's config.
I prefer that.

I've attached a new patch to ssh.1 that explains how to
do this.

Many thanks.

cheers,
raf