maxgoedjen / secretive

Store SSH keys in the Secure Enclave
MIT License

Key selection optimization/steering #236

Open zacwest opened 3 years ago

zacwest commented 3 years ago

I've got a handful of keys in Secretive, but enumerating through the possible public keys when connecting to git.sr.ht causes it to kick me out for exceeding authentication attempts before it reaches the key that I've added there.

I can see a few possible enhancements here, other than adding the pubkey as an IdentityFile in the ssh config:

  1. Changing the order that keys are vended to ssh in
  2. Somehow allowing binding a certain key to certain hosts or connection attempts
ambis commented 3 years ago

This is 100% my opinion: SSH already provides a way to solve the mentioned problem (namely IdentitiesOnly=yes and IdentityFile=key-created-in-Secretive-and-this-file-contains-its-public-key.pub).

I hope development work and efforts are directed towards features that have no other solution.

Peace.

tylervick commented 1 year ago

Adding my data point here: It was definitely unexpected to have my auth fail on what appeared to be an arbitrary identity limit.

Since MaxAuthTries defaults to 6, a host without an explicit identity defined will never succeed if the expected key is not in the first $MaxAuthTries keys returned by Secretive.

Not sure what the best solution is here, as I agree with @ambis that IdentityFile is a fine solution. Perhaps documenting this alongside ssh config setup? The ability to reorder keys (if possible) may also be good, e.g. I always want my throwaway "wildcard" identity attempted first.
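An added example, not code from Secretive or from anyone in this thread, that turns the workaround ambis describes and the MaxAuthTries arithmetic tylervick mentions into a small POSIX shell helper: it counts what the agent vends, picks one key by its comment, and emits the IdentitiesOnly/IdentityFile stanza that pins it to a host. The socket path, key comments and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Secretive project: pin one agent-held key
# to a host via IdentitiesOnly/IdentityFile, so ssh stops offering every key
# the agent vends and tripping the server's MaxAuthTries limit.
# Assumptions: key comments (field 3 of `ssh-add -L`) are unique and have no
# spaces; SECRETIVE_SOCKET is a placeholder for the agent socket path.

MAX_AUTH_TRIES=6                                    # sshd default quoted in the thread
SECRETIVE_SOCKET="/path/to/secretive/socket.ssh"    # placeholder, not a real path

# Constructed sample of `ssh-add -L` output: 7 keys, fake key material.
SAMPLE_AGENT_LIST='ecdsa-sha2-nistp256 AAAAEXAMPLE1 laptop-github
ecdsa-sha2-nistp256 AAAAEXAMPLE2 laptop-gitlab
ecdsa-sha2-nistp256 AAAAEXAMPLE3 laptop-homelab
ecdsa-sha2-nistp256 AAAAEXAMPLE4 laptop-work
ecdsa-sha2-nistp256 AAAAEXAMPLE5 laptop-backup
ecdsa-sha2-nistp256 AAAAEXAMPLE6 laptop-throwaway
ecdsa-sha2-nistp256 AAAAEXAMPLE7 laptop-srht'

# Print how many identities the agent list ($1) contains.
count_identities() {
    printf '%s\n' "$1" | grep -c '^[a-z]'
}

# Succeed when the agent offers more keys than sshd will accept attempts for;
# a host with no pinned identity then depends on key order to succeed.
exceeds_max_auth_tries() {
    [ "$(count_identities "$1")" -gt "$MAX_AUTH_TRIES" ]
}

# Print the agent list line ($1) whose comment is $2; fail if there is none.
pick_identity() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $3 == want { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Write the public key with comment $3 to $4 and print an ssh_config stanza
# for host $2. With IdentitiesOnly, ssh offers only that key, and because
# the file holds just the public half, signing still happens in the agent.
pin_identity() {
    key=$(pick_identity "$1" "$3") || { echo "no key named $3" >&2; return 1; }
    printf '%s\n' "$key" > "$4"
    printf 'Host %s\n    IdentitiesOnly yes\n    IdentityFile %s\n    IdentityAgent %s\n' \
        "$2" "$4" "$SECRETIVE_SOCKET"
}

# Usage: pin_identity "$(ssh-add -L)" git.sr.ht laptop-srht ~/.ssh/srht.pub >> ~/.ssh/config
```

Run `exceeds_max_auth_tries "$(ssh-add -L)"` against the live agent to see whether you are in the situation this issue describes before pinning anything.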

ardera commented 10 months ago

> This is 100% my opinion: SSH already provides a way to solve the mentioned problem (namely IdentitiesOnly=yes and IdentityFile=key-created-in-Secretive-and-this-file-contains-its-public-key.pub).
>
> I hope development work and efforts are directed towards features that have no other solution.
>
> Peace.

In my case, I want to have 2 keys:

In that case I need both the unlocked and locked key to be attempted. But because I set up my locked key first, it'll try that first and I always need to touch Touch ID. And because I can't reorder, I now need to create a new locked key so it's after my unlocked key and redeploy that to every device and service I use (which is roughly 30 mins of work in my case). If I could reorder keys, it'd just be a single drag & drop.

It's not too hard to work around but still, super inconvenient in my case. Other than that, I'm really thankful for this app and all the hard work you put into it!