ssh does not honor -i switch with config file

Bug #673313 reported by Patrick Donnelly
This bug affects 4 people
Affects: openssh (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone:

Bug Description

(I'm using Ubuntu 10.10 amd64)
(batrick@neverwinter:~$ apt-cache policy ssh
ssh:
  Installed: 1:5.5p1-4ubuntu4
  Candidate: 1:5.5p1-4ubuntu4)

If the ~/.ssh/config file contains an IdentityFile, then ssh will ignore the one given on the command line switch (but still open and read it following strace). For example:

batrick@neverwinter:~$ cat $HOME/.ssh/config
CheckHostIP yes
Compression no
ConnectionAttempts 1
ConnectTimeout 5
HashKnownHosts yes
HostKeyAlgorithms ssh-rsa
IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
PreferredAuthentications password,keyboard-interactive,publickey

Using this command:

batrick@neverwinter:~$ ssh -i /home/batrick/.ssh/id_rsa.subversion <email address hidden> svnserve -t

The .ssh/id_rsa.subversion private key is unencrypted and used exclusively for secure svn access to my server (the authorized_keys on the server only allows executing svnserve). I also have another encrypted key (the usual .ssh/id_rsa) that I use to ssh into the box for general use. The above command *always* tries to use this .ssh/id_rsa private key despite my specifying the -i switch on the command line.

Here is the debug output for the above command with -v for verbose output:

batrick@neverwinter:~$ ssh -v -i /home/batrick/.ssh/id_rsa.subversion <email address hidden> svnserve -t
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/batrick/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to svn.batbytes.com [72.14.184.61] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: identity file /home/batrick/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'svn.batbytes.com' is known and matches the RSA host key.
debug1: Found key in /home/batrick/.ssh/known_hosts:25
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batrick/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting <email address hidden>
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: svnserve -t
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) ) ^Cdebug1: channel 0: free: client-session, nchannels 1
debug1: Killed by signal 2.

You can see when the actual negotiation takes place it sends the public key for /home/batrick/.ssh/id_rsa instead of /home/batrick/id_rsa.subversion. I would argue this is a bug since a command line switch should always override a config file.

For completeness, I'll show that commenting out that config file line solves the problem:

batrick@neverwinter:~$ cat .ssh/config
CheckHostIP yes
Compression no
ConnectionAttempts 1
ConnectTimeout 5
HashKnownHosts yes
HostKeyAlgorithms ssh-rsa
#IdentityFile ~/.ssh/id_rsa
UserKnownHostsFile ~/.ssh/known_hosts
PreferredAuthentications password,keyboard-interactive,publickey

batrick@neverwinter:~$ ssh -v -i /home/batrick/.ssh/id_rsa.subversion <email address hidden> svnserve -t
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/batrick/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to svn.batbytes.com [72.14.184.61] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'svn.batbytes.com' is known and matches the RSA host key.
debug1: Found key in /home/batrick/.ssh/known_hosts:25
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batrick/.ssh/id_rsa.subversion
debug1: Remote: Forced command: svnserve --tunnel --tunnel-user batrick --root /home/batrick/subversion/batrick
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: User rc file execution disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Remote: Forced command: svnserve --tunnel --tunnel-user batrick --root /home/batrick/subversion/batrick
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Remote: User rc file execution disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting <email address hidden>
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: svnserve -t
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) ) ^Cdebug1: channel 0: free: client-session, nchannels 1
debug1: Killed by signal 2.
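The two transcripts above differ in exactly two places: how many "identity file ... type N" lines appear (one private key loaded versus two) and which path follows "Offering public key:". The following shell functions pull those two facts out of `ssh -v` output so the check can be scripted rather than read by eye. This is an added example written for this page, not code from the bug report or from OpenSSH; the sample log lines are constructed from the debug1 formats shown above, and the `IdentitiesOnly=yes` option used in the wrapper is the client option documented in ssh_config(5) for restricting authentication to the keys named explicitly.

```shell
#!/bin/sh
# Constructed sample, modelled on the first transcript above: the -i key and the
# config's IdentityFile are both loaded, and the config's key is the one offered.
SAMPLE_LOG_BUG='debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: identity file /home/batrick/.ssh/id_rsa type 1
debug1: identity file /home/batrick/.ssh/id_rsa-cert type -1
debug1: Offering public key: /home/batrick/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Authentication succeeded (publickey).'

# Constructed sample, modelled on the second transcript: only the -i key is loaded and offered.
SAMPLE_LOG_FIXED='debug1: identity file /home/batrick/.ssh/id_rsa.subversion type 1
debug1: identity file /home/batrick/.ssh/id_rsa.subversion-cert type -1
debug1: Offering public key: /home/batrick/.ssh/id_rsa.subversion
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Authentication succeeded (publickey).'

# Print the private keys the client actually loaded, one per line.
# "type -1" means the file was looked for but not found, so it is excluded.
identity_files() {
    sed -n 's/^debug1: identity file \(.*\) type [0-9][0-9]*$/\1/p'
}

# Print every key the client offered to the server, in order.
offered_keys() {
    sed -n 's/^debug1: Offering public key: //p'
}

# Return 0 if the client offered only the expected key, 1 if it offered nothing
# or tried any other key.  $1 = expected key path, stdin = ssh -v output.
check_offered_key() {
    expected=$1
    offered=$(offered_keys)
    [ -n "$offered" ] || return 1
    # Any offered line that is not exactly the expected path means another key was tried.
    if printf '%s\n' "$offered" | grep -qvxF -- "$expected"; then
        return 1
    fi
    return 0
}

# Wrapper for the real client (hypothetical helper, not run by the test): pins
# authentication to the named key and fails if the debug output shows any other
# key being offered.  $1 = key path, remaining args = host and command.
ssh_with_only_key() {
    key=$1
    shift
    log=$(ssh -v -o IdentitiesOnly=yes -i "$key" "$@" 2>&1 >/dev/null)
    if ! printf '%s\n' "$log" | check_offered_key "$key"; then
        echo "unexpected key offered; offered keys were:" >&2
        printf '%s\n' "$log" | offered_keys >&2
        return 1
    fi
}
```

Run the real wrapper as `ssh_with_only_key ~/.ssh/id_rsa.subversion user@host svnserve -t`; against the buggy client the `-o IdentitiesOnly=yes` option keeps the config's IdentityFile from being tried first, and the post-check catches the case where it was not honoured.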

Revision history for this message
Mathias Gug (mathiaz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Did you run into the same problem with previous version of Ubuntu (for example 10.04)?

Changed in openssh (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Patrick Donnelly (batrick) wrote :

I do not think it existed in 10.04 but cannot recall exactly. I also don't have a means to test it right now.

Patrick Donnelly (batrick) wrote :

This problem does not exist on Debian 5.0 (I realize you wanted to check Ubuntu 10.04):

batrick@batbytes:~$ ssh -v
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007

batrick@batbytes:~$ ssh -i /home/batrick/.ssh/id_rsa.subversion <email address hidden> svnserve -t
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) ) quit

(I confirmed through debug output it doesn't attempt authentication using .ssh/id_rsa.) This version of ssh is 5.1 versus 5.5 on Ubuntu 10.10:

batrick@neverwinter:~$ ssh -v
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010

Patrick Donnelly (batrick) wrote :

This bug report will soon expire. What is the status on this?

Launchpad Janitor (janitor) wrote :

[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

Changed in openssh (Ubuntu):
status: Incomplete → Expired
Colin Watson (cjwatson) wrote :

This should never have been marked Incomplete in the first place.

Changed in openssh (Ubuntu):
status: Expired → Confirmed