command= and arbitrary keys...

Cameron Simpson cs at
Sun Dec 2 09:49:52 EST 2001

On Sat, Dec 01, 2001 at 12:32:22AM -0500, Dave Wreski <dave at> wrote:
| I have an authorized_keys file with about twenty keys, most of which are
| prefaced with command="/usr/bin/rsync ...". If I put my host key at the
| top of the authorized_keys file, I can connect without a problem. If it
| gets put near the bottom, ssh seems to pick an arbitrary key, accepts my
| passphrase, and starts to run one of the rsync commands.

If it's what I suspect, answer these questions:

	Are all the keys different? (You have to say "yes" here.)

	Are you using an ssh-agent at the calling end? ("You want "no" here,
	and a "-i keyfile" in the ssh call.)

This is, to my mind, a great failing in ssh: if you have an agent then
the -i option is as good as ignored - any keys in the agent will still
be considered for use in the connection. To this end I have a script
called nphssh here:

that I use for this kind of thing. You need to get no-ssh-agent as well
from the same page.

Basically you want to run the ssh for the specific key _with a -i and
_without_ an ssh-agent in its environment, thus these wrappers.

Cameron Simpson, DoD#743        cs at

If you lie to the compiler, it will get its revenge.	- Henry Spencer

More information about the rsync mailing list