3

I'm following the dual identity procedure for bitbucket:

I have 2 bitbucket accounts ccmcbeck and chrisbeck. The former is personal, the latter is work.

On my local Mac, I have this in my ~/.ssh/config

Host *.work.com
  User chris
  ForwardAgent yes
  IdentityFile ~/.ssh/work_dsa
Host bitbucket-personal
  HostName bitbucket.org
  User ccmcbeck
  ForwardAgent no
  IdentityFile ~/.ssh/bitbucket_ccmcbeck_rsa
Host bitbucket-work
  HostName bitbucket.org
  User chrisbeck
  ForwardAgent no
  IdentityFile ~/.ssh/bitbucket_chrisbeck_rsa

On my local Mac, when I ssh -T, all is good; I get:

$ ssh -T git@bitbucket-personal
logged in as ccmcbeck.
$ ssh -T git@bitbucket-work
logged in as chrisbeck.

On my local Mac, the ssh version is OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

When I ssh to foo.work.com (my Linux box), I get:

$ ssh-add -l
1024 ... /Users/chris/.ssh/work_dsa (DSA)
2048 ... /Users/chris/.ssh/bitbucket_ccmcbeck_rsa (RSA)
2048 ... /Users/chris/.ssh/bitbucket_chrisbeck_rsa (RSA)

On foo.work.com, I also have this in my ~/.ssh/config

Host bitbucket-personal
  HostName bitbucket.org
  User ccmcbeck
  ForwardAgent no
  IdentityFile ~/.ssh/bitbucket_ccmcbeck_rsa
Host bitbucket-work
  HostName bitbucket.org
  User chrisbeck
  ForwardAgent no
  IdentityFile ~/.ssh/bitbucket_chrisbeck_rsa

However, on foo.work.com, when I ssh -T, it references the wrong User for git@bitbucket-work:

$ ssh -T git@bitbucket-personal
logged in as ccmcbeck.
$ ssh -T git@bitbucket-work
logged in as ccmcbeck.

On foo.work.com, the ssh version is OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Why is my configuration causing foo.work.com to reference the wrong User?

Chris Beck
  • FWIW, if I `ssh-add -d` my `bitbucket-personal` identity, then `foo.work.com` uses the correct `User` – Chris Beck Jun 07 '14 at 14:58
  • It also behaves the same on an AWS server that has `OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010` – Chris Beck Jun 07 '14 at 15:42
  • Looks like the order in which the keys are added makes a difference. IOW, `foo.work.com` uses the first one reported by `ssh-add -l`. – Chris Beck Jun 07 '14 at 15:54

1 Answer

3

The most likely explanation seems to me that ssh-agent is using whatever key it has loaded at any time. You can drop this behavior by using the IdentitiesOnly directive in your config file, as follows:

Host bitbucket-personal
  HostName bitbucket.org
  User ccmcbeck
  ForwardAgent no
  IdentityFile ~/.ssh/bitbucket_ccmcbeck_rsa
  IdentitiesOnly yes

Host bitbucket-work
  HostName bitbucket.org
  User chrisbeck
  ForwardAgent no
  IdentityFile ~/.ssh/bitbucket_chrisbeck_rsa
  IdentitiesOnly yes

From the ssh man page:

Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. The argument to this keyword must be "yes" or "no". This option is intended for situations where ssh-agent offers many different identities. The default is "no".

EDIT:

In your post there are these lines, toward the very end:

 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug2: key: /home/chrisb/.ssh/bitbucket_chrisbeck_rsa ((nil))
 debug1: Authentications that can continue: publickey

They clearly show this key was not accepted. This is why you always login as ccmcbeck: that key works, and without IdentitiesOnly yes, the client tried other keys until it found a working one. By introducing this restriction, we have at least clarified the nature of the problem.

Since from your Mac you do not seem to have such a problem, it must reside with the Linux client, and in particular the private key you are trying to use. Best thing is to generate a new one, local to Linux, and put its .pub counterpart among the authorized_keys. Hope this helps.

EDIT2:

...or you can follow this SuperUser answer to select the private key you wish to use by specifying its public counterpart from the forwarded agent. The answer still requires the use of the IdentitiesOnly yes option.

MariusMatutiae
  • I tried that and I get "permission denied" when I `ssh -T` to either alias. – Chris Beck Jun 09 '14 at 17:02
  • @ChrisBeck Could you be more specific? By running ssh with the **-v** flag, please. – MariusMatutiae Jun 09 '14 at 17:09
  • @ChrisBeck Please see my edit – MariusMatutiae Jun 09 '14 at 17:36
  • Thanks @MariusMatutiae. FWIW, both `ccmcbeck` and `chrisbeck` work if they are the first one in `ssh-add -l` without `IdentitiesOnly yes`. With `IdentitiesOnly yes` on `work.foo.com`, ssh appears to only look for local keys, not the keys passed via the ssh agent on my Mac. – Chris Beck Jun 09 '14 at 17:44
  • You were very close to the solution, which is here: http://superuser.com/questions/273037/using-the-identityfile-directive-in-ssh-config-when-agentforwarding-is-in-use. Additionally I needed to put the pub key on `work.foo.com` and reference that in the `~/.ssh/config`. If you'll update your answer, I'll accept. – Chris Beck Jun 09 '14 at 17:56
  • @ChrisBeck Done, very concisely, because it is not my idea really. But you are a real gentleman. – MariusMatutiae Jun 09 '14 at 18:30
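The selection behaviour this thread works through (a forwarded agent's keys being tried in `ssh-add -l` order until one is accepted, and `IdentitiesOnly yes` restricting the client to the pinned `IdentityFile`) can be modelled with a small parser for the `Host` blocks of `ssh_config`. The script below is an added example written for this page; it is not code from the question, the answer, or OpenSSH. The config text, the agent listing and the key-to-account mapping are constructed to mirror the question, and the model assumes the pinned key is reachable by the client (locally, or through the forwarded agent by pointing `IdentityFile` at the `.pub` as the linked answer describes). It also includes a lint pass that flags any `Host` block pinning an `IdentityFile` without `IdentitiesOnly yes`, which is the check a reviewer of a multi-account config would want.

```python
"""Model of which SSH identity gets offered for a multi-account setup.

Added example, not code from the question or answer. It parses ssh_config
Host blocks, reproduces the selection behaviour the thread describes (without
IdentitiesOnly the forwarded agent's keys are tried in `ssh-add -l` order;
with IdentitiesOnly yes only the configured IdentityFile entries are used),
and lints blocks that pin an IdentityFile without IdentitiesOnly.
Config text, agent listing and key ownership below are all constructed.
"""
import fnmatch
import os
from typing import Dict, List, Optional, Tuple

# Constructed ~/.ssh/config as on the Linux box in the question (no IdentitiesOnly).
CONFIG_BEFORE = """\
Host bitbucket-personal
  HostName bitbucket.org
  User ccmcbeck
  ForwardAgent no
  IdentityFile ~/.ssh/bitbucket_ccmcbeck_rsa
Host bitbucket-work
  HostName bitbucket.org
  User chrisbeck
  ForwardAgent no
  IdentityFile ~/.ssh/bitbucket_chrisbeck_rsa
"""
# The fix from the answer: pin each alias to its own IdentityFile.
CONFIG_AFTER = CONFIG_BEFORE.replace("ForwardAgent no", "ForwardAgent no\n  IdentitiesOnly yes")

# Constructed agent listing, in the order `ssh-add -l` reports it.
AGENT_KEYS = [
    "/Users/chris/.ssh/work_dsa",
    "/Users/chris/.ssh/bitbucket_ccmcbeck_rsa",
    "/Users/chris/.ssh/bitbucket_chrisbeck_rsa",
]
# Constructed: which account each key is registered to (work_dsa: none at Bitbucket).
KEY_OWNER = {"bitbucket_ccmcbeck_rsa": "ccmcbeck", "bitbucket_chrisbeck_rsa": "chrisbeck"}

Block = Tuple[List[str], Dict[str, List[str]]]


def parse_ssh_config(text: str) -> List[Block]:
    """Return [(host_patterns, options)] in file order. Keywords are
    case-insensitive and stored as lists because IdentityFile may repeat."""
    blocks: List[Block] = [(["*"], {})]  # options before the first Host line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), []).append(value.strip())
    return blocks


def effective_options(blocks: List[Block], alias: str) -> Dict[str, List[str]]:
    """OpenSSH rule: the first matching block to set an option wins,
    except IdentityFile, which accumulates across matching blocks."""
    result: Dict[str, List[str]] = {}
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, values in opts.items():
                if key == "identityfile":
                    result.setdefault(key, []).extend(values)
                else:
                    result.setdefault(key, values)
    return result


def offered_keys(blocks: List[Block], alias: str, agent_keys: List[str]) -> List[str]:
    """Key basenames the client tries, in order. Basenames are compared
    because the agent reports the forwarding machine's paths, not ours."""
    opts = effective_options(blocks, alias)
    configured = [os.path.basename(p) for p in opts.get("identityfile", [])]
    if opts.get("identitiesonly", ["no"])[0].lower() == "yes":
        return configured
    from_agent = [os.path.basename(p) for p in agent_keys]
    return from_agent + [k for k in configured if k not in from_agent]


def login_as(blocks: List[Block], alias: str, agent_keys: List[str]) -> Optional[str]:
    """Account the server reports: the owner of the first offered key it accepts."""
    for key in offered_keys(blocks, alias, agent_keys):
        if key in KEY_OWNER:
            return KEY_OWNER[key]
    return None


def lint(blocks: List[Block]) -> List[str]:
    """Flag Host blocks that pin an IdentityFile but let the agent go first."""
    return [
        f"Host {' '.join(patterns)}: add 'IdentitiesOnly yes'"
        for patterns, opts in blocks
        if "identityfile" in opts and opts.get("identitiesonly", ["no"])[0].lower() != "yes"
    ]


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        cfg = parse_ssh_config(text)
        for alias in ("bitbucket-personal", "bitbucket-work"):
            print(f"{label}: {alias} -> logged in as {login_as(cfg, alias, AGENT_KEYS)}")
        for finding in lint(cfg):
            print(f"{label}: warning: {finding}")
```

Run as-is, the "before" config logs `bitbucket-work` in as `ccmcbeck`, because the agent's second key is accepted before the configured one is reached, while the "after" config logs in as `chrisbeck` and produces no lint findings. Comparing basenames rather than full paths is what lets the model match the Mac-side paths reported by the forwarded agent against the Linux-side `IdentityFile` entries.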