From 79dac3ec7d53530564c701939b4b45c12000eb0d Mon Sep 17 00:00:00 2001 From: James Wu Date: Wed, 14 Mar 2018 11:50:04 -0700 Subject: [PATCH] add explicit public key naming for IdentitiesOnly usage --- README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 78a0367..b6c98e9 100644 --- a/README.md +++ b/README.md @@ -1167,7 +1167,6 @@ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" gpg-connect-agent updatestartuptty /bye ``` - ### Copy public key to server There is a `-L` option of `ssh-add` that lists public key parameters of all identities currently represented by the agent. Copy and paste the following output to the server authorized_keys file: @@ -1175,6 +1174,21 @@ There is a `-L` option of `ssh-add` that lists public key parameters of all iden $ ssh-add -L ssh-rsa AAAAB4NzaC1yc2EAAAADAQABAAACAz[...]zreOKM+HwpkHzcy9DQcVG2Nw== cardno:000605553211 +#### (Optional) Save public key for identity file configuration + +If `IdentitiesOnly yes` is used in your `.ssh/config` (for example [to avoid being fingerprinted by untrusted ssh servers](https://blog.filippo.io/ssh-whoami-filippo-io/)), `ssh` will not automatically enumerate public keys loaded into `ssh-agent` or `gpg-agent`. This means `publickey` authentication will not proceed unless explicitly named by `ssh -i [identity_file]` or in `.ssh/config` on a per-host basis. + +In the case of Yubikey usage, you do not have access to the private key, and `identity_file` can be pointed to the public key (`.pub`). + + $ ssh-add -L | grep "cardno:000605553211" > ~/.ssh/id_rsa_yubikey.pub + +Then, you can explicitly associate this Yubikey-stored key for used with the domain `github.com` (for example) as follows: + + $ cat << EOF >> ~/.ssh/config + Host github.com + IdentityFile ~/.ssh/id_rsa_yubikey.pub + EOF + ### Connect with public key authentication $ ssh git@github.com -vvv