add explicit public key naming for IdentitiesOnly usage

pull/55/head
James Wu 2018-03-14 11:50:04 -07:00
parent c20cdf7ec4
commit 79dac3ec7d
1 changed files with 15 additions and 1 deletions

View File

@ -1167,7 +1167,6 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
gpg-connect-agent updatestartuptty /bye
```
### Copy public key to server
There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file:
@ -1175,6 +1174,21 @@ There is a `-L` option of `ssh-add` that lists public key parameters of all iden
$ ssh-add -L
ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211
#### (Optional) Save public key for identity file configuration
If `IdentitiesOnly yes` is used in your `.ssh/config` (for example [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/)), `ssh` will not automatically enumerate public keys loaded into `ssh-agent` or `gpg-agent`. This means `publickey` authentication will not proceed unless explicitly named by `ssh -i [identity_file]` or in `.ssh/config` on a per-host basis.
In the case of Yubikey usage, you do not have access to the private key, and `identity_file` can be pointed to the public key (`.pub`).
$ ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub
Then, you can explicitly associate this Yubikey-stored key for used with the domain `github.com` (for example) as follows:
$ cat << EOF >> ~/.ssh/config
Host github.com
IdentityFile ~/.ssh/id_rsa_yubikey.pub
EOF
### Connect with public key authentication
$ ssh git@github.com -vvv