In which order does OpenSSH try private keys?



I'm having a hard time finding proper docs on the order in which the OpenSSH client tries private keys for authenticating against a server, given that all of the following are present:




  • key files with default names in ~/.ssh, e.g. ~/.ssh/id_rsa,

  • key files with non-default names that are configured to be used with a specific host via ~/.ssh/config,

  • keys managed by ssh-agent.


Are all of these locations always tried (provided that the host matches an entry in ~/.ssh/config), and in which order?



Background: I have ~/.ssh/id_rsa which can only be used to authenticate against server A, and I have another key managed by ssh-agent that can only be used to authenticate against server B. When trying to ssh to B, authentication fails, apparently because only ~/.ssh/id_rsa is tried. There does not seem to be a fallback to try the key managed by ssh-agent.







ssh private-key ssh-agent






asked May 11 '17 at 20:24 by sschuberth

  • If you run ssh with -v it will tell you what it is doing.
    – Eddie Dunn
    May 11 '17 at 20:35

  • You can see the actually used order by running 'ssh -v hostname'
    – AlexD
    May 11 '17 at 20:37

  • I know about the -v, -vv etc. options, but I'd like to know before I try how ssh is going to behave. There must be a saner method to find out than trial and error.
    – sschuberth
    May 12 '17 at 6:14














2 Answers
> I know about the -v, -vv etc. options, but I'd like to know before I try how ssh is going to behave. There must be a saner method to find out than trial and error.

Use the source, Luke!

OpenSSH is open source, so instead of trial and error you can read the code to get a better understanding of what is going on there. ssh.c is a good place to start. It has a function load_public_identity_files(void), which takes care of this. In the first place, the keys from PKCS#11 (Smartcard, HSM) are used:

    (nkeys = pkcs11_add_provider(options.pkcs11_provider, NULL,

and then the keys provided by options.identity_files:

    for (i = 0; i < options.num_identity_files; i++) {

This variable is set in readconf.c:

    if (options->num_identity_files == 0) {
        add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
        add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
    #ifdef OPENSSL_HAS_ECC
        add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
    #endif
        add_identity_file(options, "~/",
            _PATH_SSH_CLIENT_ID_ED25519, 0);
    }

The real paths of the files are defined in pathnames.h:

    #define _PATH_SSH_USER_DIR  ".ssh"
    [...]
    #define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa"
    #define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa"
    #define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa"
    #define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519"

To the background question:

This is exactly why the IdentitiesOnly option exists and why you should use it in the ~/.ssh/config if you have more than one key to manage. The ssh-agent identities are used after the default ones.







answered May 12 '17 at 7:46 by Jakuje, edited May 12 '17 at 10:20













  • While I appreciate you digging into the source code for me, that's not much saner (regarding the amount of work) than trial & error. I mean, this must be documented somewhere, as it's essential for configuring SSH correctly.
    – sschuberth
    May 12 '17 at 9:53

  • I don't think it must ... it is quite an implementation detail. Manual pages (for ssh and ssh_config) specify that these paths are used by default and it is enough for a basic user. If you want to know the order, the debug log is where you find it quite easily. If it is not enough, the source is here for you.
    – Jakuje
    May 12 '17 at 10:09



















If you want to see how the SSH client tries private keys for authenticating against a server, you can run it with the -v option.

In my case it looks like:

    debug1: Trying private key: /Users/atolkachev/.ssh/id_rsa
    debug1: Trying private key: /Users/atolkachev/.ssh/id_dsa
    debug1: Trying private key: /Users/atolkachev/.ssh/id_ecdsa
    debug1: Trying private key: /Users/atolkachev/.ssh/id_ed25519






answered May 11 '17 at 21:00 by Alexander Tolkachev
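
The answers and comments above point at the `ssh -v` debug log as the place to read the key order. As an added example (not code from either answer or from OpenSSH), this POSIX shell function numbers the identities in the order the log reports them and marks the one that authenticated. The function names, the sample log and its paths are constructed for illustration, and the exact debug1 wording varies between OpenSSH releases.

```shell
#!/bin/sh
# Added example: list, in order, the identities an OpenSSH client attempted,
# from the debug output of `ssh -v` read on stdin.
#
# debug1 lines recognised (wording differs between OpenSSH releases):
#   Offering public key: <path> <TYPE> <fingerprint> [explicit] [agent]
#   Offering <TYPE> public key: <path or agent key comment>   (older releases)
#   Trying private key: <path>          (key file read from disk, as on this page)
#   Authentication succeeded (publickey).
# Assumption: a trailing "agent" word on an "Offering" line means the key is
# held by ssh-agent. Paths containing spaces are cut at the first space on
# "Offering" lines.
ssh_key_order() {
    awk '
        /^debug1: Offering .*public key: / {
            from_agent = ($NF == "agent")
            sub(/^debug1: Offering .*public key: /, "")
            n++
            how[n] = "offered"
            key[n] = $1
            agent[n] = from_agent
            next
        }
        /^debug1: Trying private key: / {
            sub(/^debug1: Trying private key: /, "")
            n++
            how[n] = "tried"
            key[n] = $0
            agent[n] = 0
            next
        }
        # The client attempts one identity at a time, so the identity that
        # succeeded is the last one seen before this line.
        /^debug1: Authentication succeeded \(publickey\)/ { ok = n }
        END {
            for (i = 1; i <= n; i++)
                printf "%d %s %s%s%s\n", i, how[i], key[i],
                    (agent[i] ? " [agent]" : ""),
                    (i == ok ? " ACCEPTED" : "")
        }
    '
}

# Constructed sample log (not captured from a real session).
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/alice/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: alice@laptop
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/alice/.ssh/id_ed25519
debug1: Authentication succeeded (publickey).
EOF
}

sample_log | ssh_key_order
```

Against a real connection, the debug output goes to stderr, so use `ssh -v hostname true 2>&1 | ssh_key_order`.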





























