16

I have a bunch of ssh keys loaded semi-permanently into ssh-agent. ssh-add -L lists 6 keys.

I also have other keys which are stored separately; let's say, on a USB stick. I specifically don't want to keep them handy all the time. Let me call one of them square.key.

The problem is this: on those occasions when I need square.key, I'm okay with plugging in the USB stick and specifying -i /path/to/square.key — but it doesn't work. -v reveals why:

    debug1: Will attempt key: /home/ulidtko/.ssh/key1 RSA SHA256:<redacted> agent
    debug1: Will attempt key: /home/ulidtko/.ssh/key2 RSA SHA256:<redacted> agent
    debug1: Will attempt key: key3@localhost ED25519 SHA256:<redacted> agent
    debug1: Will attempt key: key4@localhost RSA SHA256:<redacted> agent
    debug1: Will attempt key: key5@localhost ed25519 ED25519 SHA256:<redacted> agent
    debug1: Will attempt key: key6@localhost ECDSA SHA256:<redacted> agent
    debug1: Will attempt key: /path/to/square.key ED25519 SHA256:<redacted> explicit
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/ulidtko/.ssh/key1 RSA SHA256:<redacted> agent
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: /home/ulidtko/.ssh/key2 RSA SHA256:<redacted> agent
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: key3@localhost ED25519 SHA256:<redacted> agent
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: key4@localhost RSA SHA256:<redacted> agent
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: key5@localhost ed25519 ED25519 SHA256:<redacted> agent
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: key6@localhost ECDSA SHA256:<redacted> agent
    Received disconnect from 46.101.206.106 port 22:2: Too many authentication failures
    Disconnected from 46.101.206.106 port 22

Somehow, ssh thinks it's a great idea to try every key from ssh-agent BEFORE the square.key which I pass manually on the command line. And so this triggers Too many authentication failures on the server; square.key is never offered.

Is there a way to override or configure this order? I'd like to continue using ssh-agent, but have ssh respect my manually set command-line flags and try the -i "explicit" keys first.

1
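As an added example (not part of the question or of any answer), the following Python script triages an `ssh -v` transcript like the one above: it lists the keys ssh lined up and their source (agent or explicit), the keys actually offered in order, flags the "Too many authentication failures" disconnect and names any planned key that was never reached. The embedded sample is the asker's transcript from above with the fingerprints redacted as on the page; the regexes assume the `Will attempt key:` / `Offering public key:` line format shown there.

```python
"""Triage an `ssh -v` transcript: which keys ssh lined up, which it actually offered, and
whether the server disconnected before the explicitly requested key was ever reached."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the asker's `ssh -v` output from the question, with the
# fingerprints redacted exactly as they are on the page.
SAMPLE_LOG = """\
debug1: Will attempt key: /home/ulidtko/.ssh/key1 RSA SHA256:<redacted> agent
debug1: Will attempt key: /home/ulidtko/.ssh/key2 RSA SHA256:<redacted> agent
debug1: Will attempt key: key3@localhost ED25519 SHA256:<redacted> agent
debug1: Will attempt key: key4@localhost RSA SHA256:<redacted> agent
debug1: Will attempt key: key5@localhost ed25519 ED25519 SHA256:<redacted> agent
debug1: Will attempt key: key6@localhost ECDSA SHA256:<redacted> agent
debug1: Will attempt key: /path/to/square.key ED25519 SHA256:<redacted> explicit
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ulidtko/.ssh/key1 RSA SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/ulidtko/.ssh/key2 RSA SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key3@localhost ED25519 SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key4@localhost RSA SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key5@localhost ed25519 ED25519 SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key6@localhost ECDSA SHA256:<redacted> agent
Received disconnect from 46.101.206.106 port 22:2: Too many authentication failures
Disconnected from 46.101.206.106 port 22
"""

# "<name> <type> SHA256:<fp> <source>": <name> may itself contain spaces (key5's agent
# comment does), so it is matched non-greedily; <source> is "agent" or "explicit".
KEY_RE = r"(?P<name>.+?) (?P<type>\S+) SHA256:(?P<fp>\S+)(?: (?P<source>agent|explicit))?$"
ATTEMPT_RE = re.compile(r"^debug1: Will attempt key: " + KEY_RE)
OFFER_RE = re.compile(r"^debug1: Offering public key: " + KEY_RE)
MAXTRIES_RE = re.compile(r"Received disconnect from .*: Too many authentication failures")


@dataclass
class Triage:
    attempted: list = field(default_factory=list)  # (name, source) in ssh's planned order
    offered: list = field(default_factory=list)    # names actually sent, in order
    too_many_failures: bool = False

    @property
    def never_offered(self) -> list:
        """Planned keys that the server never saw (the connection ended first)."""
        sent = set(self.offered)
        return [name for name, _ in self.attempted if name not in sent]

    @property
    def agent_keys_before_first_explicit(self):
        """How many agent keys were queued ahead of the first -i key (None if no -i key)."""
        for i, (_, source) in enumerate(self.attempted):
            if source == "explicit":
                return sum(1 for _, s in self.attempted[:i] if s == "agent")
        return None


def triage(log_text: str) -> Triage:
    """Parse the transcript line by line into a Triage record."""
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := ATTEMPT_RE.match(line):
            result.attempted.append((m["name"], m["source"] or "unknown"))
        elif m := OFFER_RE.match(line):
            result.offered.append(m["name"])
        elif MAXTRIES_RE.search(line):
            result.too_many_failures = True
    return result


def report(t: Triage) -> str:
    """Human-readable summary of what went wrong in the transcript."""
    lines = [f"planned: {len(t.attempted)} keys, offered: {len(t.offered)}"]
    if t.agent_keys_before_first_explicit:
        lines.append(f"{t.agent_keys_before_first_explicit} agent keys queued ahead of the first -i key")
    if t.too_many_failures:
        lines.append("server disconnected: Too many authentication failures")
    for name in t.never_offered:
        lines.append(f"never offered: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against a live transcript with `ssh -v host 2>&1 | python3 triage.py`-style piping after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the "never offered" line is the quickest way to confirm that the explicit key was starved by agent keys rather than rejected by the server.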

3 Answers

12

IdentitiesOnly=yes is probably an appropriate option. That is, use only the specified identities.

    ssh -i /path/to/square.key -o IdentitiesOnly=yes remote.server.net

or

    Host remote.server.net
        IdentityFile /path/to/square.key
        IdentitiesOnly yes
2
  • Enabling IdentitiesOnly=yes globally has satisfactorily resolved the issue for me, at last. It kinda doesn't make much sense to have "default keys" configured for authenticating to any server you'd ssh into — this is a stupid idea, yet it is the default of openssh. Now, with global IdentitiesOnly=yes, each server-key association is explicitly configured in my Host foobar.example.net blocks, and ssh won't even try any keys before I configure it permanently or temporarily ask via -i. This is exactly what I needed. Commented Jan 31, 2023 at 11:01
  • Sadly IdentitiesOnly doesn't help when what you're trying to do is pass an alternate key for a host that does have an IdentityFile set in the config file (e.g. multiple GitHub or BitBucket accounts, since they identify what user you are by the SSH key you present). :( Commented May 9, 2023 at 2:42
11

One workaround is to pass IdentityAgent=none, either on the same commandline:

    ssh -i /path/to/square.key -o IdentityAgent=none remote.server.net

or equivalently, via the ~/.ssh/config:

    Host remote.server.net
        IdentityFile /path/to/square.key
        IdentityAgent none
2
  • This worked for me when I had different keys in ~/.ssh/config and the command line, and wanted ssh to use the latter. Commented Aug 15, 2024 at 19:46
  • This worked for me! I have multiple github accounts. Default rule in ~/.ssh/config uses a separate key. By passing IdentityAgent=none in the ssh command the default is overridden successfully. Commented Jul 23 at 11:33
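To check in advance which of the two settings above actually changes what ssh will line up for a given host, here is an added Python example (not code from either answer) that resolves the identity-related directives of an ssh_config text for a host alias using ssh_config's own rules (first value wins for a keyword, IdentityFile accumulates, Host patterns are globs with `!` negation), then estimates how many agent keys would be offered before any file key. The config, the host aliases, the key paths and the agent key count of 6 are constructed for the example; the placement of `-i` keys ahead of the config's IdentityFile entries is an assumption noted in the code, and `Match` blocks are not handled.

```python
"""Resolve a host's IdentityFile / IdentitiesOnly / IdentityAgent settings from ssh_config
text and estimate how many agent keys ssh would offer before reaching any file key."""
import fnmatch
import re

# Constructed sample config (not from the page): a host with the IdentitiesOnly fix, one
# with the IdentityAgent=none fix, one with neither, and a catch-all Host * at the end.
SAMPLE_CONFIG = """\
Host remote.server.net
    IdentityFile /path/to/square.key
    IdentitiesOnly yes

Host github-work
    HostName github.com
    IdentityFile ~/.ssh/work_key
    IdentityAgent none

Host github-personal
    HostName github.com
    IdentityFile ~/.ssh/personal_key

# default key for everything else; agent keys will still be tried first
Host *
    IdentityFile ~/.ssh/id_ed25519
"""

# sshd_config(5) default for MaxAuthTries; in the asker's transcript the server
# disconnected after the sixth refused key offer.
DEFAULT_MAX_AUTH_TRIES = 6


def parse_blocks(text):
    """Split ssh_config text into (patterns, [(keyword, value), ...]) blocks. Directives
    before the first Host line form a global block; Match blocks are a simplification
    here and are treated as never applying."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), []))
        elif key == "match":
            blocks.append(([], []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def block_applies(patterns, alias):
    """Host semantics: a matching negated pattern excludes the block, otherwise any
    matching positive pattern selects it. The alias is the name given on the command
    line, before HostName substitution."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(alias, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(alias, pat):
            matched = True
    return matched


def resolve(text, alias):
    """First value wins for IdentitiesOnly/IdentityAgent; IdentityFile accumulates."""
    settings = {"identityfile": [], "identitiesonly": None, "identityagent": None}
    for patterns, directives in parse_blocks(text):
        if not block_applies(patterns, alias):
            continue
        for key, value in directives:
            if key == "identityfile":
                settings["identityfile"].append(value)
            elif key in ("identitiesonly", "identityagent") and settings[key] is None:
                settings[key] = value
    return settings


def offer_plan(text, alias, cli_identities=(), agent_key_count=0):
    """What `ssh [-i ...] alias` would line up, given how many keys the agent holds
    (`ssh-add -L | wc -l`). Agent keys go first unless IdentitiesOnly is yes or
    IdentityAgent is none, which is the order the asker's -v output shows."""
    s = resolve(text, alias)
    identities_only = (s["identitiesonly"] or "no").lower() == "yes"
    agent_in_use = (s["identityagent"] or "").lower() != "none" and agent_key_count > 0
    agent_first = agent_key_count if agent_in_use and not identities_only else 0
    # Assumption: -i files are registered while parsing the command line, before the
    # config file is read, so they precede the config's IdentityFile entries.
    file_keys = list(cli_identities) + s["identityfile"]
    return {
        "agent_keys_first": agent_first,
        "file_keys": file_keys,
        "file_keys_reachable": agent_first < DEFAULT_MAX_AUTH_TRIES,
    }


if __name__ == "__main__":
    for alias in ("remote.server.net", "github-work", "github-personal", "example.org"):
        print(alias, offer_plan(SAMPLE_CONFIG, alias, ["/path/to/square.key"], 6))
```

Two things the output makes visible: `github-personal` with six agent keys reports the file keys as unreachable, which is exactly the failure in the question, and `remote.server.net` still lists `~/.ssh/id_ed25519` after `square.key` because IdentityFile accumulates across the `Host *` block, which is the situation the comment above about multiple GitHub accounts runs into even with IdentitiesOnly set.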
-1
    # .ssh/config
    host default
        hostname 185.xxx.xxx.xxx
        user root
        port 10xxx
        IdentityFile .ssh/debian
        IdentityAgent none
