How does ssh choose the correct key to use?

3

How does ssh-agent understand which key should it use for which remote server?

I've come across different questions and posts that touch on this topic somehow, but it still remains unclear to me.

What I have found is that if you want to use different ssh keys you need to use the -i option and specify the path to the needed key, or you can set up identity files that specify which key pair to use for which host.

But does it mean that by default ssh-agent can use only one key pair and it will try to use it for all remote servers?

volk

Posted 2016-04-19T19:36:04.853

Reputation: 33

Aren't the keys labeled by IP/name? – schroeder – 2016-04-19T19:47:53.890

Related, with detailed answers: http://superuser.com/questions/268776/how-do-i-configure-ssh-so-it-dosent-try-all-the-identity-files-automatically – dave_thompson_085 – 2016-04-20T04:56:27.207

@dave_thompson_085 , thanks that topic helped – volk – 2016-04-20T09:26:45.663

Answers

3

But does it mean that by default ssh-agent can use only one key pair and it will try to use it for all remote servers?

By default, ssh-agent will use all the keys added to it for all the servers you connect to. You can limit the keys in ssh_config as in the other answer.

The keys have fingerprints, but in the first phase of public key authentication, the public parts are just verified against the server list and if they do not match, authentication is skipped (usually to other key or password authentication).

Jakuje

Posted 2016-04-19T19:36:04.853

Reputation: 7 981

To see this, run your SSH client with the -v verbose option. – multithr3at3d – 2016-04-20T16:03:00.050

1

SSH supports a ~/.ssh/config file that allows you to specify different keys for different hosts. So you could have

Host github.com
    IdentityFile ~/.ssh/github.key
Host example.com
    IdentityFile ~/.ssh/example.key

There's a good tutorial on this functionality here.

Neil Smithline

Posted 2016-04-19T19:36:04.853

Reputation: 123
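As an added example (not code from any of the answers), the following Python model of ssh_config resolution ties the two answers above together: IdentityFile entries accumulate across every matching Host block, and agent keys are offered as well unless IdentitiesOnly yes is set. The config text, host names and agent key labels are constructed; real ssh also adds default id_* files when no IdentityFile is configured and orders agent-backed keys first, which this model omits.

```python
import fnmatch

# Constructed sample ~/.ssh/config; hosts and IdentitiesOnly are assumptions.
SAMPLE_CONFIG = """\
Host github.com
    IdentityFile ~/.ssh/github.key
    IdentitiesOnly yes
Host example.com *.example.com !bastion.example.com
    IdentityFile ~/.ssh/example.key
Host *
    IdentityFile ~/.ssh/id_ed25519
"""

def host_matches(patterns, host):
    """ssh_config Host rule: a negated (!) match vetoes the block, otherwise
    any positive match applies it; '*' and '?' are wildcards."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def parse_config(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] in file order."""
    blocks = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        keyword, value = line.split(None, 1)
        if keyword.lower() == "host":
            blocks.append((value.split(), []))
        elif blocks:
            blocks[-1][1].append((keyword.lower(), value))
    return blocks

def keys_offered(config_text, host, agent_keys):
    """Simplified model of which identities ssh offers to `host`: IdentityFile
    accumulates across every matching block, IdentitiesOnly is first-value-wins,
    and agent keys are added unless IdentitiesOnly is yes. Default id_* files
    and the exact try order are not modelled."""
    files, only = [], None
    for patterns, options in parse_config(config_text):
        if host_matches(patterns, host):
            for keyword, value in options:
                if keyword == "identityfile" and value not in files:
                    files.append(value)
                elif keyword == "identitiesonly" and only is None:
                    only = value.lower() == "yes"
    if only:
        return files
    return files + [k for k in agent_keys if k not in files]
```

Note that the `Host *` IdentityFile is offered to github.com as well, because IdentityFile accumulates rather than being overridden; only IdentitiesOnly stops the agent keys from being tried too.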

-2

The 'key' (no pun intended) is based upon the fingerprint as specified in RFC4716. As explained in ssh's man page:

When connecting to a server for the first time, a fingerprint of the
server's public key is presented to the user (unless the option
StrictHostKeyChecking has been disabled).  Fingerprints can be determined
using ssh-keygen(1):

           $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

If the fingerprint is already known, it can be matched and the key can be
accepted or rejected.

In an ASCII nutshell, here is fingerprinting explained with regard to which key is chosen/used:

ssh-keygen yourfingerprint
you ssh --> server (stores your fingerprint)
you ssh --> millions of other servers
you ssh initial server --> server --> Have I seen this fingerprint before?

ADDED

Because I hit enter too prematurely, the fingerprints are stored in:

~/.ssh/known_hosts

munkeyoto

Posted 2016-04-19T19:36:04.853

Reputation: 132

The start makes sense. The end does not answer the question in any point and is just nonsense. – Jakuje – 2016-04-19T21:46:54.030

This is about half correct for SSH server keys, but completely irrelevant to SSH client keys, which is the subject of this question. – dave_thompson_085 – 2016-04-20T04:50:21.207