# limit ssh-agent to known hosts [SOLVED]

## meyerm

Hi,

I'm using password-encrypted ssh keys to authenticate on a lot of servers. Depending on the group (like company A, company B, university, private, etc.) I'm using a different key with a different password. So ssh-agent is a very nice helper.

But when I now try to connect to a server which isn't configured in my .ssh/config and want to log in by using a simple password, ssh-agent first tries all my rsa keys, which leads to "too many authentication errors" in the end. So I have to use "-o PreferredAuthentications=password" whenever I face such a server. Using "Host *" and this option in .ssh/config does not work since it will match really all servers and not only the unconfigured ones.

So, how can I tell ssh (or better: ssh-agent) to NOT try my keys on an unknown server or even better just try the default certificate ~/.ssh/id_rsa and ignore the rest (which are lying in project-folders, btw.)?

Thanks,

M

Last edited by meyerm on Fri Mar 12, 2010 2:17 pm; edited 1 time in total

----------

## malern

Try adding "IdentitiesOnly yes" to your ssh_config file. That should force ssh to use the key from ~/.ssh/id_rsa and ignore the rest.

----------

## meyerm

Great, thank you! Looks exactly like what I wanted :)

----------

## Hu

If you can write expressions that match the known machines, you can write an ssh_config of the form:

```
Host *.university
    IdentityFile ~/.ssh/id_university
    PreferredAuthentications publickey

Host *.private
    IdentityFile ~/.ssh/id_personal
    PreferredAuthentications publickey

Host *
    PreferredAuthentications password
```

Since ssh works on a first-match-wins basis, it will honour the publickey request for hosts matching *.university and *.private, and fall through to the wildcard password request for other hosts.  This approach depends on the known hosts having sufficient commonality that you can match them without needing exhaustive host lists.  The IdentitiesOnly option looks ideal here, but I wanted to point this out in case you encounter other settings where you want one default for unknown hosts and a different default for known ones.  For example, you might want to forward X11 connections any time you connect to a known host, but not when you connect to an unknown host.

----------

## meyerm

Thank you very much for sharing your experience!

*Hu wrote:*

> If you can write expressions that match the known machines, you can write an ssh_config of the form...

That's exactly what I did in the beginning. Well, not exactly, I have a "Host alias"-entry for all of the hosts (since I have a few different settings, beginning with User and ending with ProxyCommand for several of them) and not a wildcard for each group. But...

*Hu wrote:*

> Since ssh works on a first-match-wins basis,

...this didn't work for me. I have the "Host *" entry at the end of the file and now even my manually configured hosts are asked for password authentication (which will fail with most of them). Shouldn't hosts with a fitting alias match and therefore ignore the "Host *" settings?

My conclusion was that "Host *" will always be used, not on a first-match but on a rules-for-all basis. Perhaps I did something wrong? I'm on openssh 5.4_p1.

----------

## Hu

*meyerm wrote:*

> That's exactly what I did in the beginning. Well, not exactly, I have a "Host alias"-entry for all of the hosts (since I have a few different settings, beginning with User and ending with ProxyCommand for several of them) and not a wildcard for each group. But...

It is legal to have multiple Host stanzas match the same machine.  You could write:

```
Host *.university
    User mystudentname

Host edge.university
    LocalForward 9234:127.0.0.1:9234
```

This would use mystudentname for all hosts at university.  It would also use a port forwarding for edge.university, but not for any other system in the .university domain.

*meyerm wrote:*

> *Hu wrote:*
> > Since ssh works on a first-match-wins basis,
>
> ...this didn't work for me. I have the "Host *" entry at the end of the file and now even my manually configured hosts are asked for password authentication (which will fail with most of them). Shouldn't hosts with a fitting alias match and therefore ignore the "Host *" settings?
>
> My conclusion was that "Host *" will always be used, not on a first-match but on a rules-for-all basis. Perhaps I did something wrong? I'm on openssh 5.4_p1.

First match wins for each option.  Since you put PreferredAuthentications password in the Host * block, every host which should not use password authentication must match a prior block which explicitly states PreferredAuthentications publickey.  It is not sufficient to write:

```
Host known
    User myname

Host *
    PreferredAuthentications password
```

and expect to have Host known ignore the options in the Host * block.  Instead, write it as I showed before.  This is a bit more verbose, unfortunately.  However, you can use the ability to specify multiple globs to minimize repeated blocks.  You could write:

```
Host *.university *.personal *.work
    PreferredAuthentications publickey
    ForwardX11 yes
    ControlMaster auto

Host *.university
    User mystudentname

Host *.personal
    User myprivatename
    ForwardX11Trusted yes

Host *.work
    User myemployeename

Host *
    PreferredAuthentications password
    ForwardX11 no
```
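
The rule Hu states in both of the posts above (every matching Host block is consulted in file order, and each option keeps the value from the first block that sets it) is the whole reason the "Host known / Host *" layout fails and the grouped layout works. The following Python model is an added illustration, not OpenSSH's own code and not from this thread; it reimplements only that resolution rule for the glob subset of Host patterns (`*`, `?`, and a leading `!` for negation), and runs it over the two configs quoted from the posts, which are embedded as constructed strings.

```python
"""Model of how OpenSSH resolves ssh_config Host stanzas.

Each option takes the value from the FIRST matching Host block that
sets it; later matching blocks can only fill in options not set yet.
Added illustration only: it handles Host lines with glob patterns
(*, ?, leading ! for negation) and plain "Key value" options, which
is enough to reproduce the two layouts discussed in the thread.
"""
from fnmatch import fnmatchcase

# Constructed config, copied from the post above. Nothing before
# "Host *" sets PreferredAuthentications, so the wildcard block
# supplies it for "known" as well.
NAIVE_CONFIG = """
Host known
    User myname

Host *
    PreferredAuthentications password
"""

# Constructed config, copied from the grouped layout above. The known
# groups set PreferredAuthentications first, so the "Host *" value is
# only reached by hosts no earlier block matched.
GROUPED_CONFIG = """
Host *.university *.personal *.work
    PreferredAuthentications publickey
    ForwardX11 yes
    ControlMaster auto

Host *.university
    User mystudentname

Host *.personal
    User myprivatename
    ForwardX11Trusted yes

Host *.work
    User myemployeename

Host *
    PreferredAuthentications password
    ForwardX11 no
"""


def parse_blocks(text):
    """Return a list of (patterns, {option: value}) blocks in file order.

    Options that appear before the first Host line belong to an
    implicit global block that matches every host.
    """
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first occurrence wins inside a block too
    blocks.append((patterns, opts))
    return blocks


def host_matches(patterns, hostname):
    """A Host line matches if any positive pattern matches the name and
    no negated (!) pattern does; a negated match vetoes the whole line."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_options(text, hostname):
    """Walk the blocks in order; a matching block may only SET options
    that no earlier matching block has already set."""
    result = {}
    for patterns, opts in parse_blocks(text):
        if host_matches(patterns, hostname):
            for key, value in opts.items():
                result.setdefault(key, value)
    return result


if __name__ == "__main__":
    for host in ("known", "unknown.example"):
        print(host, effective_options(NAIVE_CONFIG, host))
    for host in ("edge.university", "laptop.personal", "random.example"):
        print(host, effective_options(GROUPED_CONFIG, host))
```

Running it shows `known` ending up with `preferredauthentications password` under the naive layout and `edge.university` getting `publickey` (plus `ForwardX11 yes` and `ControlMaster auto`) under the grouped one, while `random.example` falls through to the `Host *` values only. Against a real OpenSSH client the same check is `ssh -G <hostname>`, which prints the effective configuration after Host matching without connecting.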

----------

## meyerm

*Hu wrote:*

> It is legal to have multiple Host stanzas match the same machine. ... First match wins for each option.

Ah! Now everything makes sense.

Thank you very much for the very detailed and elaborated answer.

----------

