Release v1.3.2

Twiddle ssh auth, use password before --key-file flag before homedir before agent
2025-07-13 22:23:20 +02:00 · 2025-07-13 22:21:27 +02:00
3 changed files with 29 additions and 10 deletions
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ipng-router-backup (1.3.2) stable; urgency=low
+
+  * Fix --key-file authentication priority issue
+  * Prioritize explicit key file over SSH agent authentication
+
+ -- Pim van Pelt <pim@ipng.ch>  Sun, 13 Jul 2025 23:30:00 +0100
+
 ipng-router-backup (1.3.1) stable; urgency=low

  * Fix golangci-lint issues, replace deprecated io/ioutil
--- a/src/main.go
+++ b/src/main.go
@@ -12,7 +12,7 @@ import (
 	"github.com/spf13/cobra"
 )

-const Version = "1.3.1"
+const Version = "1.3.2"

 func processDevice(hostname string, deviceConfig Device, commands []string, excludePatterns []string, password, keyFile string, port int, outputDir string) bool {
 	// Create backup instance
@@ -84,6 +84,9 @@ func main() {
 					fmt.Printf("Using SSH key: %s\n", keyFile)
 					hasAuth++
 				}
+			} else {
+				fmt.Printf("Using specified SSH key: %s\n", keyFile)
+				hasAuth++
 			}
 			if password != "" {
 				fmt.Println("Using --password for authentication")
--- a/src/ssh.go
+++ b/src/ssh.go
@@ -103,11 +103,6 @@ func (rb *RouterBackup) Connect() error {
 		config.KeyExchanges = finalAlgorithms
 	}

-	// Note: Cipher overrides disabled - Go SSH library defaults work better
-	// if ciphers := ssh_config.Get(rb.hostname, "Ciphers"); ciphers != "" {
-	//	 config.Ciphers = ...
-	// }
-
 	if macs := ssh_config.Get(rb.hostname, "MACs"); macs != "" {
 		macList := strings.Split(macs, ",")
 		for i, mac := range macList {
@@ -126,15 +121,19 @@ func (rb *RouterBackup) Connect() error {
 		config.HostKeyAlgorithms = finalAlgorithms
 	}

-	// Try SSH agent first if available
+	// If explicit key file is provided, prioritize it over SSH agent
+	var keyFileAuth ssh.AuthMethod
+	var agentAuth ssh.AuthMethod
+
+	// Try SSH agent if available (but don't add to config.Auth yet)
 	if sshAuthSock := os.Getenv("SSH_AUTH_SOCK"); sshAuthSock != "" {
 		if conn, err := net.Dial("unix", sshAuthSock); err == nil {
 			agentClient := agent.NewClient(conn)
-			config.Auth = []ssh.AuthMethod{ssh.PublicKeysCallback(agentClient.Signers)}
+			agentAuth = ssh.PublicKeysCallback(agentClient.Signers)
 		}
 	}

-	// If SSH agent didn't work, try key file
+	// Try key file
 	if keyFile != "" {
 		// Expand ~ in keyFile path
 		if strings.HasPrefix(keyFile, "~/") {
@@ -150,11 +149,21 @@ func (rb *RouterBackup) Connect() error {
 			if err != nil {
 				fmt.Printf("%s: Unable to parse private key: %v\n", rb.hostname, err)
 			} else {
-				config.Auth = append(config.Auth, ssh.PublicKeys(signer))
+				keyFileAuth = ssh.PublicKeys(signer)
 			}
 		}
 	}

+	// Prioritize auth methods: explicit key file first, then SSH agent
+	if keyFileAuth != nil {
+		config.Auth = []ssh.AuthMethod{keyFileAuth}
+		if agentAuth != nil {
+			config.Auth = append(config.Auth, agentAuth)
+		}
+	} else if agentAuth != nil {
+		config.Auth = []ssh.AuthMethod{agentAuth}
+	}
+
 	// Fall back to password if available
 	if rb.password != "" {
 		config.Auth = append(config.Auth, ssh.Password(rb.password))
Author	SHA1	Message	Date
Pim van Pelt	57fc8d3630	Release v1.3.2	2025-07-13 22:23:20 +02:00
Pim van Pelt	64212fce8c	Twiddle ssh auth, use password before --key-file flag before homedir before agent	2025-07-13 22:21:27 +02:00