eclipse-jgit / jgit

JGit, the Java implementation of git
https://www.eclipse.org/jgit/

Support public key in IdentityFile #25

Closed kwin closed 7 months ago

kwin commented 7 months ago

Description

When using the 1Password SSH Agent (https://developer.1password.com/docs/ssh/agent/) it will by default propose all private keys found. As that often conflicts with the max authentication tries on servers (https://developer.1password.com/docs/ssh/agent/advanced#ssh-server-six-key-limit) or is not even supported at all (https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#q-i-have-multiple-ssh-keys-how-do-i-use-the-correct-ssh-key-for-azure-devops), a special mechanism has been devised, outlined at https://developer.1password.com/docs/ssh/agent/advanced#match-key-with-host:

(Usually all public keys in no specific order are used against the server which will request a signature if it recognizes the given public key)

Motivation

The same approach seems to be used by other password managers like KeePass XC (https://keepassxc.org/docs/#faq-ssh-agent-openssh). It is already supported fine in IntelliJ: https://youtrack.jetbrains.com/issue/IDEA-249562/SSH-wont-connect-with-public-key-in-IdentityFile

Alternatives considered

Exporting private keys to the filesystem is less secure than directly reusing them from a vault of a password manager, but obviously works as a workaround.

kwin commented 7 months ago

Maybe this is just an issue with interpreting the IdentityFile from the SSH config. What I see is that the server just rejects the authentication (but it works fine from the command line). This is despite the fact that the agent is triggered. It seems that somehow the wrong private key is taken. Is there any log level I can use to trace which IdentityFile has been used in EGit?

kwin commented 7 months ago

The issue is in https://github.com/eclipse-jgit/jgit/blob/c35deb6d8e0dfee8138a2e9eec7d384fd6ed162e/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java#L330 which tries to figure out the corresponding public key by just appending .pub to the IdentityFile value. Once such a file is there (with identical contents to the one from IdentityFile), everything works fine.
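
The lookup described in the comment above, extended to first check whether the IdentityFile value already names a public key, as an added example (not JGit's code and not the merged fix). The class and method names, the 64 KiB size limit and the all-zero sample key are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

public class IdentityFilePublicKey {
    /** File holding the public key for an IdentityFile value, if one can be found. */
    static Optional<Path> resolve(Path identityFile) throws IOException {
        if (isOpenSshPublicKey(identityFile)) {
            return Optional.of(identityFile); // IdentityFile already names a public key
        }
        // Fall back to the convention the comment describes: "<IdentityFile>.pub"
        Path pub = identityFile.resolveSibling(identityFile.getFileName() + ".pub");
        return isOpenSshPublicKey(pub) ? Optional.of(pub) : Optional.empty();
    }

    /** True if a line reads "<key-type> <base64-blob> [comment]" and the blob starts with that key type. */
    static boolean isOpenSshPublicKey(Path file) throws IOException {
        if (!Files.isRegularFile(file) || Files.size(file) > 64 * 1024) return false;
        for (String line : Files.readAllLines(file, StandardCharsets.ISO_8859_1)) {
            String[] f = line.trim().split("\\s+");
            if (f.length < 2 || f[0].startsWith("#")) continue;
            try {
                ByteBuffer blob = ByteBuffer.wrap(Base64.getDecoder().decode(f[1]));
                if (blob.remaining() < 4) return false;
                int n = blob.getInt(); // uint32 length of the key-type string
                if (n <= 0 || n > blob.remaining()) return false;
                byte[] type = new byte[n];
                blob.get(type);
                return f[0].equals(new String(type, StandardCharsets.US_ASCII));
            } catch (IllegalArgumentException e) {
                return false; // second field is not base64 (e.g. a PEM header line)
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an all-zero ed25519 blob, valid in format only.
        String type = "ssh-ed25519";
        ByteBuffer b = ByteBuffer.allocate(4 + type.length() + 4 + 32);
        b.putInt(type.length()).put(type.getBytes(StandardCharsets.US_ASCII)).putInt(32);
        String line = type + " " + Base64.getEncoder().encodeToString(b.array()) + " constructed\n";
        Path dir = Files.createTempDirectory("idfile");
        Path pub = Files.writeString(dir.resolve("id_example.pub"), line);
        System.out.println(resolve(pub));                       // the .pub file itself
        System.out.println(resolve(dir.resolve("id_example"))); // falls back to id_example.pub
    }
}
```

The check only inspects the file's format; no private key material is read, so the signature still has to come from the agent.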

tomaswolf commented 7 months ago

Gerrit change 1177073 was merged.

kwin commented 7 months ago

@tomaswolf I don't see the commit yet in https://github.com/eclipse-jgit/jgit/tree/stable-6.9 (only in master branch). Can you make sure this is cherry-picked so that it really appears in the upcoming 6.9.0?

tomaswolf commented 7 months ago

It's business as usual. Both branches still have pom version 6.9.0-SNAPSHOT. Which means a merge of master to stable-6.9 will happen before the release.