OpenSSH's SSH client not respecting order of IdentityFile settings

Question

How can I specify the order in which OpenSSH's SSH client (OpenSSH_7.5p1, OpenSSL 1.0.2k 26 Jan 2017; Git for Windows v2.11.1) offers the public/private key pairs to a SSH compliant daemon such as Apache Mina SSHD (Gerrit Code Review service). My intention is to try to authenticate with an Ed25519 public/private key pair before falling back to RSA.

Given the following standard Ed25519 and RSA public/private key pairs below the user's home directory:

~/.ssh/id_ed25519{,.pub}
~/.ssh/id_rsa{,.pub}

and the following Host sections in the user's SSH configuration file (~/.ssh/config):

Host foobar foobar.example.com
  Hostname foobar.example.com
  IdentityFile ~/.ssh/id_ed25519

Host *
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_rsa

when testing the SSH connection in debug mode:

$ ssh -Tv bob@foobar
debug1: Reading configuration data ~/.ssh/config
debug1: ~/.ssh/config line 49: Applying options for foobar
debug1: ~/.ssh/config line 63: Applying options for *
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ~/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: ~/.ssh/id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Authentication succeeded (publickey).

I can see that OpenSSH's SSH client offers the RSA public/private key pair first. But why not first Ed25519?

The reason I ask about the SSH agent is that OpenSSH offers keys from the agent first. — Kusalananda, Jul 23 '18 at 16:00
Yes, both keys are automatically added to a SSH agent after one was started during initialization of a Bash shell by one of its startup files. — Tim Friske, Jul 23 '18 at 18:20
Meanwhile I found the following exhaustive explanation: https://utcc.utoronto.ca/~cks/space/blog/sysadmin/SSHIdentitiesOffered — Tim Friske, Jul 23 '18 at 18:54

score 5 · Accepted Answer · answered Jul 23 '18 at 16:04

5

Add IdentitiesOnly option. Without this option SSH tries first default ssh-keys available: id_rsa, id_dsa, id_ecdsa. To change this behaviour replace your config with this one:

Host foobar foobar.example.com
  Hostname foobar.example.com
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes

Host *
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes

answered Jul 23 '18 at 16:04

Bob

1,155

Isn't the one IdentitiesOnly yessetting in the fallback section (Host *) enough for it to become effective in more host-specific sections? – Tim Friske Jul 23 '18 at 18:59
@TimFriske You have put this option to every Host section with IdentityFile defined. – Bob Jul 23 '18 at 19:01

OpenSSH's SSH client not respecting order of IdentityFile settings

1 Answers1

Linked