Hi,
I have a split ssh configuration where I use some app VMs to connect to remote servers using SSH whose keys are managed by another vm called key-vault.
In order to reduce the risk of private key exposure, I keep only the public portion of the key in the .ssh folder of the app VM. The configuration part of the app VM is:

```
Host foo
HostName foo
User user
IdentityFile /home/user/.ssh/id_ed25519_app1
AddKeysToAgent yes
PreferredAuthentications publickey,password
```
Given that the configuration states the file `id_ed25519_app1`, that file resides in the key vault only. The app VM has `id_ed25519_app1.pub` instead. Without the public part, split ssh did not work in my setup.
The policy for SshAgent and initializations at the AppVM are done.
In the working configuration, the key vault template is Fedora.
Whenever I invoke `ssh user@foo` within the app VM, a pop-up appears to query the key vault; upon permission to use the key, the login is commenced using the key, without me having to put the private key on the app VM. This is the workflow I have used happily for months.
However, when I change the template of key-vault to Debian, this sequence breaks. I get the pop-up but cannot see the key, and the app VM complains that the key is not present:

```
no such identity: /home/user/.ssh/id_ed25519_app1
```
But the key is on the key vault and is registered by its ssh agent (`ssh-add -L` on the key vault lists the keys).
Both templates' /etc/ssh configs are identical, except for the crypto policy addition on the Fedora one.
Is anyone using a similar setup with a Debian key-vault? How would you fix this error?
Thanks
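One thing worth checking in a split-SSH setup like the one above is whether the `.pub` file kept in the app VM actually matches one of the identities the forwarded agent offers: if the two disagree, ssh will still load the public key locally but the agent will never sign for it, which looks very much like the key being "not present". The following script is an added diagnostic written for this thread, not something from the original post or from Qubes; it compares an OpenSSH public-key file against a saved `ssh-add -L` listing (type and key material only, ignoring the comment, as ssh does) and reports a verdict. The key strings in `demo` are constructed placeholders, not real keys; on a real app VM you would save `ssh-add -L > /tmp/agent.txt` through the forwarded socket and pass that file instead.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): check whether the agent
# reachable from this VM offers the key whose public half sits in ~/.ssh.

# Extract "<type> <base64>" from a public-key line, dropping the comment,
# so keys with different comments on the two sides still compare equal.
key_material() {
    printf '%s\n' "$1" | awk '{print $1, $2}'
}

# agent_offers_key PUBFILE AGENT_LIST
# PUBFILE: an OpenSSH .pub file. AGENT_LIST: a file holding `ssh-add -L`
# output. Returns 0 if the agent offers that key, 1 otherwise.
agent_offers_key() {
    pubfile=$1
    agent_list=$2
    want=$(key_material "$(head -n 1 "$pubfile")")
    while IFS= read -r line; do
        [ "$(key_material "$line")" = "$want" ] && return 0
    done < "$agent_list"
    return 1
}

# diagnose PUBFILE AGENT_LIST
# Verdict mirroring what ssh does when IdentityFile names the private-key
# path but only the .pub exists locally: 2 = .pub missing (ssh prints
# "no such identity"), 1 = .pub present but agent lacks the key, 0 = ok.
diagnose() {
    if [ ! -r "$1" ]; then
        echo "missing: $1 (ssh reports 'no such identity' without it)"
        return 2
    fi
    if agent_offers_key "$1" "$2"; then
        echo "ok: agent offers the key in $1"
        return 0
    fi
    echo "mismatch: $1 is present but the agent does not offer that key"
    return 1
}

# Demo with constructed data. The base64 blobs below are placeholders shaped
# like ed25519 key lines, not real keys.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIAL0000000000000000000000000000 app1\n' \
        > "$tmp/id_ed25519_app1.pub"
    # constructed agent listing: first key differs, second matches (other comment)
    {
        printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERKEYMATERIAL00000000000000000000000000000 other\n'
        printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIAL0000000000000000000000000000 key-vault\n'
    } > "$tmp/agent_matching.txt"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERKEYMATERIAL00000000000000000000000000000 other\n' \
        > "$tmp/agent_missing.txt"
    diagnose "$tmp/id_ed25519_app1.pub" "$tmp/agent_matching.txt"
    diagnose "$tmp/id_ed25519_app1.pub" "$tmp/agent_missing.txt" || true
    diagnose "$tmp/nonexistent.pub" "$tmp/agent_matching.txt" || true
    rm -rf "$tmp"
    return 0
}

demo
```

If the verdict is "mismatch", the key vault is exposing a different identity than the one the app VM's `.pub` describes (or the pop-up is granting access to an agent that has not loaded the key at all); if it is "ok" and ssh still fails, `ssh -v user@foo` shows which identity files ssh loads and whether it is talking to the agent at all.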