[I-19] SSH key priority option?

tonkku107 · February 2022

I currently have 2 personal SSH keys, one RSA and one Ed25519 and am in the process of moving from the RSA key to the Ed key. Previously, I used to have the Ed key defined first in the ssh config via IdentifyFile but based on the output of the PolicyKit window, 1Password is using the RSA key first. Would an option to order keys in order of preference be possible?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Lachy · February 2022

I also need support for IdentityFile, or at least an alternative solution. With ssh-agent, it's the only way I've found to have both work and personal accounts on Bitbucket that require distinct private keys. My ~/.ssh/config file is full of configs to know which keys are preferred on which hosts.

For example:

Host bitbucket.org
    IdentityFile ~/.ssh/id_ed25519 # Used for Work account

Host personal.bitbucket.org
    HostName bitbucket.org
    User git
    IdentityFile ~/.ssh/id_ecdsa # Used for Personal account

This has also helped me keep track of which public keys are with which services, because not everything supported Ed25519 when I set up the keys.

XIII · February 2022

Maybe you can use Match Key with Host?

Lachy · February 2022

That works. But since it doesn't support ECDSA, I generated an alternate Ed25519 key and used:

Host personal.bitbucket.org
    HostName bitbucket.org
    User git
    IdentityAgent ~/.1password/agent.sock
    IdentityFile ~/.ssh/id_ed25519-alternate.pub

Now I only have one remaining service using that ECDSA key because they still don't support Ed25519.

tonkku107 · February 2022

Despite setting up an IdentityFile with a public key instead of a private one, 1Password is still unlocking the RSA key first.

floris_1P · February 2022

Are you SSH'ing from the terminal or if not, what SSH client are you using?

tonkku107 · February 2022

I am using the terminal.

floris_1P · February 2022

Could you share (the relevant bits of) your SSH config and SSH_AUTH_SOCK=~/.1password/agent.sock ssh-add -l output?

tonkku107 · February 2022

SSH config:

IdentityFile ~/.ssh/id_ed25519.pub
IdentityFile ~/.ssh/id_rsa.pub

Host *
  IdentityAgent ~/.1password/agent.sock

Host aur.archlinux.org
  IdentityFile ~/.ssh/aur.pub
  User aur

[repeating below for different servers]
Host [server-alias]
  HostName [ip address]
  User [username]

4096 SHA256:Gu0EFgYpwVbLsqX5nDEL5V1jUfryMTe7FR8AUUsg4+E  (RSA)
256 SHA256:WdVfgHlD0C2HEq9y60mYiah/4lY8xhitK1wY1pvYKjk  (ED25519)
3072 SHA256:S9scRLenmjLjv4srb9n5dIkYu9MM2ihZDXVbLxW4KNg  (RSA)

For that host specific AUR configuration, it works perfectly and unlocks the aur key first.
The global configuration doesn't work and just uses the RSA key first anyway.

floris_1P · February 2022

I'm guessing that that's because you've specified multiple keys as IdentityFile. If you want control over which key is used, your SSH config should be more explicit. For example:

IdentityFile ~/.ssh/id_ed25519.pub

Host host-that-uses-the-rsa-key
  IdentityFile ~/.ssh/id_rsa.pub

Or even more explicit:

Host host-that-uses-the-rsa-key
  IdentityFile ~/.ssh/id_rsa.pub

Host host-that-uses-the-ed25519-key
  IdentityFile ~/.ssh/id_ed25519.pub

tonkku107 · February 2022

SSH by default uses the keys in the order specified. I could go and mark which key to use for each host, but it would be far more convenient to have them apply globally apart from a few exceptions.

Specifying the order to try keys in would be a small quality of life feature. It could be used to demote a key to be a fallback that's used only when necessary and to just optimize the authentication speed to not waste time trying less frequently used keys.

[I-19] SSH key priority option?

Comments