SSH specify key while ignoring the default keys

I have my SSH client config defined as follows:

AddKeysToAgent yes
ForwardAgent yes
AddressFamily inet
IdentityFile ~/.ssh/yubikey-01-res
IdentityFile ~/.ssh/yubikey-05-res
IdentityFile ~/.ssh/id_ed25519

Host github.com
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes

I need default connections to traverse the yubikeys first and if unavailable- use the ed25519 key.

For github.com I need to specifically use the ed25519 key, but it always defaults to the yubikeys whenever they are plugged in. I would assume that the keys specified per host have precedence over the root keys. Is this expected behavior?

~/.ssh ❯ ssh git@github.com -v
OpenSSH_9.2p1, OpenSSL 3.0.8 7 Feb 2023
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 25: Applying options for github.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com [20.248.137.48] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/yubikey-01-res type 12
debug1: identity file /home/user/.ssh/yubikey-01-res-cert type -1
debug1: identity file /home/user/.ssh/yubikey-05-res type 12
debug1: identity file /home/user/.ssh/yubikey-05-res-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type 3
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2
debug1: Remote protocol version 2.0, remote software version babeld-30fa67d5
debug1: compat_banner: no match: babeld-30fa67d5
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /home/user/.ssh/known_hosts:58
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 4 keys
debug1: Will attempt key: /home/user/.ssh/yubikey-01-res ED25519-SK SHA256:he6uVl0OF/kFNLgxJxBWp1LqFKqUeqGE7QBvXrMV32Y explicit authenticator agent
debug1: Will attempt key: /home/user/.ssh/yubikey-05-res ED25519-SK SHA256:Ris+zCkAuyo5TNMtSPPw95i50+qfrDpnctJX1VdXb04 explicit authenticator agent
debug1: Will attempt key: /home/user/.ssh/id_ed25519 ED25519 SHA256:4dewvZr3d9r9hEfDz1JyCpe4SedcFT32Purq88AyMhI explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/yubikey-01-res ED25519-SK SHA256:he6uVl0OF/kFNLgxJxBWp1LqFKqUeqGE7QBvXrMV32Y explicit authenticator agent
debug1: Server accepts key: /home/user/.ssh/yubikey-01-res ED25519-SK SHA256:he6uVl0OF/kFNLgxJxBWp1LqFKqUeqGE7QBvXrMV32Y explicit authenticator agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/yubikey-05-res ED25519-SK SHA256:Ris+zCkAuyo5TNMtSPPw95i50+qfrDpnctJX1VdXb04 explicit authenticator agent
debug1: Server accepts key: /home/user/.ssh/yubikey-05-res ED25519-SK SHA256:Ris+zCkAuyo5TNMtSPPw95i50+qfrDpnctJX1VdXb04 explicit authenticator agent
sign_and_send_pubkey: signing failed for ED25519-SK "/home/user/.ssh/yubikey-05-res" from agent: agent refused operation
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:4dewvZr3d9r9hEfDz1JyCpe4SedcFT32Purq88AyMhI explicit agent
debug1: Server accepts key: /home/user/.ssh/id_ed25519 ED25519 SHA256:4dewvZr3d9r9hEfDz1JyCpe4SedcFT32Purq88AyMhI explicit agent
Authenticated to github.com ([20.248.137.48]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Entering interactive session.
debug1: pledge: filesystem

Solution:

Don’t specify the default keys "globally"; list them after the Github-specific key following a Host * directive.

AddKeysToAgent yes
ForwardAgent yes
AddressFamily inet


Host github.com
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes

Host *
  IdentityFile ~/.ssh/yubikey-01-res
  IdentityFile ~/.ssh/yubikey-05-res

(Host directives remain in effect until the next Host or Match directive. There’s no real difference between things listed "globally" at the top of the file before any Host or Match directive and things after a Host *; you just need Host * to "terminate" the preceding Host github.com directive. Indentation is just for readability, not scoping.)
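As an added illustration (not code from the post), the following simplified ssh_config evaluator models the three rules the answer relies on: a Host block stays in effect until the next Host line, the first value seen wins for scalar options, and IdentityFile entries accumulate in file order (duplicates ignored). It evaluates both the original and the fixed config for github.com; the two configs are constructed from the post, and Match, Include and key=value syntax are deliberately not supported.

```python
import fnmatch
from typing import Dict, List, Union

# Constructed from the question: global IdentityFile lines come first,
# so they are collected before the github.com-specific one.
ORIGINAL_CONFIG = """
AddKeysToAgent yes
IdentityFile ~/.ssh/yubikey-01-res
IdentityFile ~/.ssh/yubikey-05-res
IdentityFile ~/.ssh/id_ed25519

Host github.com
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes
"""

# Constructed from the answer: the host-specific block precedes Host *.
FIXED_CONFIG = """
AddKeysToAgent yes

Host github.com
  IdentityFile ~/.ssh/id_ed25519
  IdentitiesOnly yes

Host *
  IdentityFile ~/.ssh/yubikey-01-res
  IdentityFile ~/.ssh/yubikey-05-res
"""

def effective_options(config: str, host: str) -> Dict[str, Union[str, List[str]]]:
    """Return the options ssh would apply to `host` under this config."""
    opts: Dict[str, Union[str, List[str]]] = {"identityfile": []}
    patterns = ["*"]  # lines before any Host line apply to every host
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        value = value.strip()
        if key == "host":
            patterns = value.split()  # block lasts until the next Host line
            continue
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        files = opts["identityfile"]
        if key == "identityfile":
            if value not in files:  # ssh ignores duplicate identity files
                files.append(value)
        elif key not in opts:
            opts[key] = value  # first obtained value wins
    return opts
```

Comparing `effective_options(ORIGINAL_CONFIG, "github.com")` with the fixed config shows the key order flip that the debug output above reflects.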
