Closed kwin closed 7 months ago
Maybe this is just an issue with interpreting the `IdentityFile` from the SSH config. What I see is that the server just rejects the authentication (but it works fine from the command line). This is despite the fact that the agent is triggered. Seems that somehow the wrong private key is taken. Is there any log level I can use to trace which `IdentityFile` has been used in EGit?
The issue is in https://github.com/eclipse-jgit/jgit/blob/c35deb6d8e0dfee8138a2e9eec7d384fd6ed162e/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java#L330 which tries to figure out the according public key by just appending `.pub` to the `IdentityFile` value. Once such a file is there (with identical contents to the one from `IdentityFile`) everything works fine.
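The lookup discussed in this comment, as an added Python example that is not JGit's code: it accepts an `IdentityFile` that is itself a public key, falls back to the file with `.pub` appended, and narrows the agent's keys to the configured one. All function names are hypothetical, the agent is assumed to expose its keys as raw public key blobs, and the key material is constructed sample data.

```python
import base64
import tempfile
from pathlib import Path
from typing import List, Optional


def ed25519_blob(raw: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key (for the constructed samples)."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in (b"ssh-ed25519", raw))


def parse_public_key(text: str) -> Optional[bytes]:
    """Key blob if text is an OpenSSH '<type> <base64> [comment]' line, else None."""
    fields = text.split()
    if len(fields) < 2:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # private key files (PEM/OpenSSH armor) end up here
        return None
    n = int.from_bytes(blob[:4], "big")  # blob starts with its length-prefixed key type
    return blob if blob[4:4 + n] == fields[0].encode() else None


def public_key_for_identity(identity_file: Path) -> Optional[bytes]:
    """Try the IdentityFile itself as a public key, then the file with '.pub' appended."""
    for path in (identity_file, Path(str(identity_file) + ".pub")):
        try:
            blob = parse_public_key(path.read_text(errors="replace"))
        except OSError:
            continue
        if blob is not None:
            return blob
    return None


def keys_to_offer(identity_file: Path, agent_keys: List[bytes]) -> List[bytes]:
    """Agent keys matching the configured identity; empty if none can be determined."""
    wanted = public_key_for_identity(identity_file)
    return [k for k in agent_keys if k == wanted]


def demo() -> List[bytes]:
    """Constructed data: the agent holds three keys, IdentityFile names the second."""
    agent = [ed25519_blob(bytes([i]) * 32) for i in (1, 2, 3)]
    with tempfile.TemporaryDirectory() as d:
        pub = Path(d) / "work.pub"
        pub.write_text("ssh-ed25519 " + base64.b64encode(agent[1]).decode() + " work\n")
        return keys_to_offer(pub, agent)
```

An empty result means the key cannot be identified from the files alone, so a caller would have to load the private key or fall back to its default behaviour.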
Gerrit change 1177073 was merged.
@tomaswolf I don't see the commit yet in https://github.com/eclipse-jgit/jgit/tree/stable-6.9 (only in `master` branch). Can you make sure this is cherry-picked so that it really appears in the upcoming 6.9.0?
It's business as usual. Both branches still have pom version 6.9.0-SNAPSHOT. Which means a merge of master to stable-6.9 will happen before the release.
Description
When using the 1Password SSH Agent (https://developer.1password.com/docs/ssh/agent/) it will by default propose all private keys found. As that often conflicts with the max authentication tries on servers (https://developer.1password.com/docs/ssh/agent/advanced#ssh-server-six-key-limit) or is even not supported at all (https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#q-i-have-multiple-ssh-keys-how-do-i-use-the-correct-ssh-key-for-azure-devops), there is a special mechanism devised, outlined at https://developer.1password.com/docs/ssh/agent/advanced#match-key-with-host:
`IdentityFile` (instead of the private one)
(Usually all public keys in no specific order are used against the server, which will request a signature if it recognizes the given public key)
Motivation
The same approach seems to be used by other password managers like KeePassXC (https://keepassxc.org/docs/#faq-ssh-agent-openssh). It is supported in IntelliJ already fine: https://youtrack.jetbrains.com/issue/IDEA-249562/SSH-wont-connect-with-public-key-in-IdentityFile
Alternatives considered
Exporting private keys to the filesystem is less secure than directly reusing it from a vault of a password manager but obviously works as workaround.