I cannot for the life of me figure out why my SSH config is forwarding the wrong key. I have two keys, we'll call them home_rsa and work_rsa. I have done the following:

eval `ssh-agent`
ssh-add -K ~/.ssh/home_rsa
ssh-add -K ~/.ssh/work_rsa

Here is my ~/.ssh/config file:

Host home
  ForwardAgent yes
  HostName home.com
  IdentityFile ~/.ssh/home_rsa
  IdentitiesOnly yes
  User home

Host work
  ForwardAgent yes
  HostName work.com
  IdentitiesOnly yes
  IdentityFile ~/.ssh/work_rsa
  User work

Host bitbucket
  IdentityFile ~/.ssh/home_rsa

Host bitbucket-work
  IdentityFile ~/.ssh/work_rsa

Host bitbucket*
  HostName bitbucket.com
  User git

When I run the following…

ssh work
ssh git@bitbucket.org

…Bitbucket reports that I'm using my home user, though I'm clearly logged into my work server and should be forwarding my work key. If I add my SSH identities in the reverse order and run the same code above, Bitbucket reports I'm using my work user. Running ssh-add -l from my work server, I see that both SSH keys are being forwarded, but isn't that the job of IdentitiesOnly yes?

Really confused as to what's going on here.

Marcus McLean
  • No. `IdentitiesOnly` controls what key is used for authentication, but does not affect the list of keys available in your agent. – larsks Apr 01 '16 at 18:28
  • Oh. Then is there a way to control which key(s) are made available in my agent on a per-server basis? – Marcus McLean Apr 01 '16 at 18:29
  • Not really, no. I mean, you could hack up something with multiple local agents, but it probably wouldn't be pretty. – larsks Apr 01 '16 at 18:31
  • I said in another comment: "Bitbucket disallows using the same SSH key between Bitbucket accounts. I have a work account and a personal account. When I try to push/fetch/merge/etc., I want the remote server to be using the correct SSH key." Is there any [sane] way to accomplish this? – Marcus McLean Apr 01 '16 at 18:32

3 Answers

Really confused as to what's going on here.

The ForwardAgent option forwards the connection to your agent, with all the keys inside, and does not forward your local ~/.ssh/config to the remote host. What you do on the work host is controlled by your configuration on that host.

What are you trying to do with that?

Jakuje
  • Bitbucket disallows using the same SSH key between Bitbucket accounts. I have a work account and a personal account. When I try to push/fetch/merge/etc., I want the remote server to be using the correct SSH key. – Marcus McLean Apr 01 '16 at 18:31
  • Yes, and I understand your answer. But you asked what I am trying to do with that. I am trying to push/fetch/merge/etc. on my remote server. – Marcus McLean Apr 01 '16 at 18:34
  • So then you need: 1) To create such configuration on the remote server (it might not work, since the keys are not local). 2) Differentiate between the keys in other way, for example by confirmation (`-c` switch to `ssh-add`). 3) Use different keys for connecting from that server. – Jakuje Apr 01 '16 at 18:38
You need to update your ssh keys with their equivalent bitbucket account first at their website (work user with work_rsa, user with user_rsa). Then maybe this could help.

Host                bitbucket-work
HostName            bitbucket.org
IdentitiesOnly      yes
IdentityFile        ~/.ssh/work_rsa
User                work

Usage:

ssh bitbucket-work

Eje
Jonathan Ramos
As written in the accepted answer, selecting keys used for authentication is not related to what keys are forwarded. Separate ssh-agents are needed. Luckily that is easily configured.

From ssh-agent(1) we can learn that it takes a -a option to specify a bind_address, and ssh_config(5) tells us that ForwardAgent can be set to what turns out to be the same value.

Prepare your agents:

eval `ssh-agent -a ~/.ssh/home.agent`
ssh-add ~/.ssh/home_rsa
eval `ssh-agent -a ~/.ssh/work.agent`
ssh-add ~/.ssh/work_rsa
unset SSH_AUTH_SOCK SSH_AGENT_PID

Configure your ssh:

Host work
    HostName      work.example.com
    ForwardAgent  ~/.ssh/work.agent
    IdentityAgent ~/.ssh/work.agent

Host home
    HostName      home.example.com
    ForwardAgent  ~/.ssh/home.agent
    IdentityAgent ~/.ssh/home.agent

That should completely separate home and work keys. Setting IdentityAgent to a different value than ForwardAgent is left as an exercise for someone exposed to a threat level calling for such complexity.

sampi
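To see how the question's config and the split-agent config above resolve before connecting anywhere, here is a small ssh_config resolver. It is an added example, not code from the question or any answer. It mimics OpenSSH's "first obtained value wins" rule (IdentityFile is the exception: every matching value is collected) with `*`/`?`/`!` Host patterns, and its `forwarded_agent` function models the ForwardAgent forms described in ssh_config(5): yes, no, an explicit socket path, or `$VAR`. The two sample configs are constructed from the ones in this thread, and `SHARED_SOCK` is a made-up path standing in for the single agent the question started.

```python
"""ssh_config resolver for the Host blocks discussed in this thread.

Added example (not from the original Q&A). Models OpenSSH's rule that the
first obtained value for an option wins, except IdentityFile, which
accumulates across matching Host blocks.
"""
import os
from fnmatch import fnmatchcase


def parse_ssh_config(text):
    """Split config text into (patterns, [(keyword, value), ...]) blocks.

    Options before the first Host line belong to an implicit 'Host *'.
    Keywords are case-insensitive; values keep their case.
    """
    blocks = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((keyword, value))
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, alias):
    """Host matching: '*' and '?' wildcards; a matching '!pattern' vetoes."""
    positive = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatchcase(alias, pattern[1:]):
                return False
        elif fnmatchcase(alias, pattern):
            positive = True
    return positive


def resolve(text, alias):
    """Return the options ssh would apply for `ssh <alias>`."""
    resolved, identity_files = {}, []
    for patterns, options in parse_ssh_config(text):
        if not host_matches(patterns, alias):
            continue
        for keyword, value in options:
            if keyword == "identityfile":
                identity_files.append(value)       # accumulates
            elif keyword not in resolved:          # first value wins
                resolved[keyword] = value
    if identity_files:
        resolved["identityfile"] = identity_files
    resolved.setdefault("hostname", alias)
    return resolved


def forwarded_agent(resolved, env=None):
    """Socket path the remote host is handed via ForwardAgent, or None.

    With 'yes' the client forwards the agent it uses itself: IdentityAgent
    if set, else $SSH_AUTH_SOCK (modelled behaviour). IdentitiesOnly is
    deliberately ignored: it only limits the keys the local ssh offers.
    """
    env = os.environ if env is None else env
    setting = resolved.get("forwardagent", "no")
    if setting.lower() == "no":
        return None
    if setting.lower() == "yes":
        return resolved.get("identityagent", env.get("SSH_AUTH_SOCK"))
    if setting.startswith("$"):
        return env.get(setting[1:])
    return setting


# Constructed from the question's config: one shared agent holding both keys.
QUESTION_CONFIG = """
Host work
  ForwardAgent yes
  HostName work.com
  IdentitiesOnly yes
  IdentityFile ~/.ssh/work_rsa
  User work

Host bitbucket
  IdentityFile ~/.ssh/home_rsa

Host bitbucket-work
  IdentityFile ~/.ssh/work_rsa

Host bitbucket*
  HostName bitbucket.com
  User git
"""

# Constructed from sampi's answer: one agent socket per identity.
SPLIT_AGENT_CONFIG = """
Host work
    HostName      work.example.com
    ForwardAgent  ~/.ssh/work.agent
    IdentityAgent ~/.ssh/work.agent

Host home
    HostName      home.example.com
    ForwardAgent  ~/.ssh/home.agent
    IdentityAgent ~/.ssh/home.agent
"""

SHARED_SOCK = {"SSH_AUTH_SOCK": "/tmp/ssh-shared/agent.sock"}  # made-up path

if __name__ == "__main__":
    work = resolve(QUESTION_CONFIG, "work")
    print("question config: local key", work["identityfile"],
          "but remote gets agent", forwarded_agent(work, SHARED_SOCK))
    for alias in ("work", "home"):
        opts = resolve(SPLIT_AGENT_CONFIG, alias)
        print("split agents:", alias, "-> remote gets agent",
              forwarded_agent(opts, SHARED_SOCK))
```

Running it shows the asymmetry the accepted answer describes: with the question's config, `ssh work` authenticates locally with only work_rsa (IdentitiesOnly), yet the remote host receives the shared socket and therefore both keys; with the split-agent config, each alias forwards only the socket that holds its own key.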