3

Possibly I am missing something obvious, but after getting fed up with the 5-key limitation of ssh-agent I started looking for ways to manage ssh keys better.

If I create a new ssh key pair using ssh-keygen -t rsa, I can then use ssh-keygen -lf to get fingerprints for both the private and the public key, and they both report the same fingerprint.

Then my naive expectation was to do something like an ssh-keyscan to get the remote public key fingerprints on that host, match one of those fingerprints to one of my private keys, and initiate the ssh connection using that private key.

Obviously, the fingerprints I get using ssh-keyscan do not even resemble the fingerprints of my local keys.

Is there any solution to this dilemma?

olivierg
Charles
  • `ssh-agent` is not limited to 5 keys. It just happens that `sshd` by default is limited to 5 login attempts per connection, which prevents you from attempting more than 5 different public keys on the same connection. – kasperd Mar 19 '17 at 18:33

2 Answers

4

The ssh-keyscan command is for scanning host keys (/etc/ssh/ssh_host_*.pub), not the keys used for authentication/authorization of users.

You would need to connect to the remote host and examine the various authorized_keys files. The complicated bit is that an authorized_keys file can have many keys in it, so you need to do some manipulation to extract the individual keys and print them.

There is another question/answer on serverfault with some good methods.

Zoredache
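To make the "extract the individual keys and print them" step concrete, here is an added example that is not part of the answer above and not OpenSSH code. It parses an authorized_keys file (including the optional options field, whose quoted values may contain spaces and commas), computes the same SHA256 fingerprint that ssh-keygen -lf prints for each entry, and reports which local .pub files are accepted. The key material, file contents and paths are constructed for the example and are not real keys; the script runs offline.

```python
# Added example (not from the original answer): parse an authorized_keys file,
# compute OpenSSH-style SHA256 fingerprints for each entry, and report which
# local public keys are accepted. Keys, paths and file contents below are
# constructed for the example; they are not real keys.
import base64
import hashlib
import struct

# Key types whose leading token marks where the key proper starts on a line.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(pub32: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key (used to build sample keys)."""
    assert len(pub32) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)


def fingerprint(blob: bytes) -> str:
    """The value `ssh-keygen -lf` prints: SHA256 of the wire blob, base64, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(line: str) -> tuple[str, str]:
    """Split off a leading options field, honouring quoted strings that may
    contain spaces or commas (e.g. command="rsync --server ...")."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text: str) -> list[dict]:
    """One dict per valid key line; comments, blanks and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            options, line = split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue  # not a key line, or an unsupported key type
        ktype, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # The blob embeds its own type string; reject lines where it disagrees
        # with the declared type, as sshd would.
        if len(blob) < 4:
            continue
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen] != ktype.encode():
            continue
        entries.append({"line": lineno, "type": ktype, "fingerprint": fingerprint(blob),
                        "options": options, "comment": comment})
    return entries


def match_local_keys(local_pubkeys: dict[str, str], authorized: list[dict]) -> dict[str, list[dict]]:
    """Map each local .pub file (path -> file contents) to the authorized_keys
    entries with the same fingerprint. A .pub file is one key line, so the
    same parser applies."""
    by_fp: dict[str, list[dict]] = {}
    for entry in authorized:
        by_fp.setdefault(entry["fingerprint"], []).append(entry)
    result = {}
    for path, content in local_pubkeys.items():
        fps = {e["fingerprint"] for e in parse_authorized_keys(content)}
        result[path] = [e for fp in fps for e in by_fp.get(fp, [])]
    return result


# --- constructed sample data (not real keys) ---
KEY_A = ed25519_blob(bytes(range(32)))       # on the server and held locally
KEY_B = ed25519_blob(bytes(range(32, 64)))   # on the server only
KEY_C = ed25519_blob(bytes([7] * 32))        # held locally only

def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = f"""# constructed ~/.ssh/authorized_keys for the example
ssh-ed25519 {b64(KEY_A)} deploy@ci

command="/usr/bin/rrsync /srv/backup",no-pty,from="10.0.0.0/8" ssh-ed25519 {b64(KEY_B)} backup
this line is not a key and is skipped
"""

LOCAL_PUBKEYS = {  # hypothetical paths; contents are what `cat key.pub` shows
    "~/.ssh/key1.pub": f"ssh-ed25519 {b64(KEY_A)} me@laptop\n",
    "~/.ssh/key3.pub": f"ssh-ed25519 {b64(KEY_C)} me@laptop\n",
}

if __name__ == "__main__":
    entries = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for e in entries:
        print(f"line {e['line']}: {e['type']} {e['fingerprint']} {e['comment']!r} options={e['options']!r}")
    for path, hits in match_local_keys(LOCAL_PUBKEYS, entries).items():
        print(path, "->", [h["comment"] for h in hits] or "no match")
```

The fingerprint function reproduces what `ssh-keygen -lf some_key.pub` prints, so its output can be compared directly with the fingerprints of the keys in your agent (`ssh-add -l`). Recent OpenSSH will also list every key in a multi-line file with `ssh-keygen -lf ~/.ssh/authorized_keys`, which does the same job on the server side once you are logged in. The caveat stands, though: this only works when you can already read the remote account's authorized_keys; from the client side the server reveals nothing about which keys it accepts, so the usual fix for the MaxAuthTries problem is an explicit IdentityFile per host together with `IdentitiesOnly yes` in ~/.ssh/config, so the agent does not offer every key it holds.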
3

I think I avoid your dilemma by simply defining a priori which keypair to use for what host in my ~/.ssh/config

Host www
 HostName www.example.com
 IdentityFile ~/.ssh/key1
Host dev
 HostName dev.example.org
 IdentityFile ~/.ssh/key2
HBruijn
  • Problem is that this is a cloud environment with several clusters. Host are created / destroyed all the time and I need to ssh using an IP address which is live at a given time. Thanks for the answer though. – Charles Mar 17 '17 at 09:30