阻止 ssh 客户端提供它能找到的所有公钥？

Question 1

根据手册页，这是预期的行为ssh_config：

 IdentityFile
         Specifies a file from which the user's DSA, ECDSA or DSA authentica‐
         tion identity is read.  The default is ~/.ssh/identity for protocol
         version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
         protocol version 2.  Additionally, any identities represented by the
         authentication agent will be used for authentication.  

         [...]

         It is possible to have multiple identity files specified in configu‐
         ration files; all these identities will be tried in sequence.  Mul‐
         tiple IdentityFile directives will add to the list of identities
         tried (this behaviour differs from that of other configuration
         directives).

基本上，指定IdentityFiles 只是将密钥添加到 SSH 代理已向客户端呈现的当前列表中。

尝试在文件底部使用此方法覆盖此行为.ssh/config：

Host *
  IdentitiesOnly yes

您还可以在主机级别覆盖此设置，例如：

Host foo
  User bar
  IdentityFile /path/to/key
  IdentitiesOnly yes

Answer

根据手册页，这是预期的行为ssh_config：

 IdentityFile
         Specifies a file from which the user's DSA, ECDSA or DSA authentica‐
         tion identity is read.  The default is ~/.ssh/identity for protocol
         version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for
         protocol version 2.  Additionally, any identities represented by the
         authentication agent will be used for authentication.  

         [...]

         It is possible to have multiple identity files specified in configu‐
         ration files; all these identities will be tried in sequence.  Mul‐
         tiple IdentityFile directives will add to the list of identities
         tried (this behaviour differs from that of other configuration
         directives).

基本上，指定IdentityFiles 只是将密钥添加到 SSH 代理已向客户端呈现的当前列表中。

尝试在文件底部使用此方法覆盖此行为.ssh/config：

Host *
  IdentitiesOnly yes

您还可以在主机级别覆盖此设置，例如：

Host foo
  User bar
  IdentityFile /path/to/key
  IdentitiesOnly yes

Question 2

尽管其他人已经通过基于配置的解决方案暗示了这一点，但可能值得指出的是，您可以使用以下命令在命令行上轻松执行一次性操作：

ssh -o 'PubkeyAuthentication no' myhostname.mydomain

Answer

尽管其他人已经通过基于配置的解决方案暗示了这一点，但可能值得指出的是，您可以使用以下命令在命令行上轻松执行一次性操作：

ssh -o 'PubkeyAuthentication no' myhostname.mydomain

Question 3

按照 James Sneeringer 的解决方案，您可能只想设置一个 ssh_config ，如下所示：

Host *.mycompany.com
  IdentityFile .ssh/id_dsa_mycompany_main

Host *.mycustomer.com
  IdentityFile .ssh/id_dsa_mycustomer

Host *
  RSAAuthentication no #this should be up top, avoid ssh1 at all costs
  PubkeyAuthentication no

如果您使用特定密钥连接到不在公共域中的多台机器，请考虑在您自己的 DNS 中为它们提供所有 CNAME。我对所有客户系统都这样做。

Answer

按照 James Sneeringer 的解决方案，您可能只想设置一个 ssh_config ，如下所示：

Host *.mycompany.com
  IdentityFile .ssh/id_dsa_mycompany_main

Host *.mycustomer.com
  IdentityFile .ssh/id_dsa_mycustomer

Host *
  RSAAuthentication no #this should be up top, avoid ssh1 at all costs
  PubkeyAuthentication no

如果您使用特定密钥连接到不在公共域中的多台机器，请考虑在您自己的 DNS 中为它们提供所有 CNAME。我对所有客户系统都这样做。

Question 4

有一个IdentitiesOnly选项您可以设置为yes，在-o IdentitiesOnly=yes命令行上或IdentitiesOnly yes在中~/.ssh/config。

从ssh_config(5)手册页中：

 IdentitiesOnly
         Specifies that ssh(1) should only use the configured
         authentication identity and certificate files (either the default
         files, or those explicitly configured in the ssh_config files or
         passed on the ssh(1) command-line)

但是！如果您没有指定任何IdentifyFile内容（无论是在中 ~/.ssh/config还是在命令行中使用某些选项），则仍将使用-i默认身份文件！~/.ssh/id_rsa~/.ssh/id_ed25519

所以如果你真的想使用 ssh仅有的明确指定的键，还需要指定一些无效的IdentifyFile，例如-i /dev/null。

例如：

Host *.example.com
    IdentityFile ~/.ssh/id_rsa.example.com

Host *.example.org
    IdentityFile ~/.ssh/id_rsa.example.org

# Important! The `Host *` block must come **last**, because subsequent `Host`
# blocks cannot override any preceding `Host *` settings. See ssh_config(5):
# “For each parameter, the first obtained value will be used”
Host *
    IdentitiesOnly yes
    IdentityFile /dev/null

Answer

有一个IdentitiesOnly选项您可以设置为yes，在-o IdentitiesOnly=yes命令行上或IdentitiesOnly yes在中~/.ssh/config。

从ssh_config(5)手册页中：

 IdentitiesOnly
         Specifies that ssh(1) should only use the configured
         authentication identity and certificate files (either the default
         files, or those explicitly configured in the ssh_config files or
         passed on the ssh(1) command-line)

但是！如果您没有指定任何IdentifyFile内容（无论是在中 ~/.ssh/config还是在命令行中使用某些选项），则仍将使用-i默认身份文件！~/.ssh/id_rsa~/.ssh/id_ed25519

所以如果你真的想使用 ssh仅有的明确指定的键，还需要指定一些无效的IdentifyFile，例如-i /dev/null。

例如：

Host *.example.com
    IdentityFile ~/.ssh/id_rsa.example.com

Host *.example.org
    IdentityFile ~/.ssh/id_rsa.example.org

# Important! The `Host *` block must come **last**, because subsequent `Host`
# blocks cannot override any preceding `Host *` settings. See ssh_config(5):
# “For each parameter, the first obtained value will be used”
Host *
    IdentitiesOnly yes
    IdentityFile /dev/null

阻止 ssh 客户端提供它能找到的所有公钥？

答案1

答案2

答案3

答案4

相关内容