12

I have a bunch of ssh keys loaded semi-permanently into ssh-agent. ssh-add -L lists 6 keys.

I also have other keys which are stored separately; let's say, on a USB stick. I exactly don't want to keep them handy all the time. Let me call one of them square.key.

The problem is this: on those occasions when I need square.key, I'm okay with plugging in the USB stick and specifying -i /path/to/square.key — but it doesn't work. -v reveals why:

debug1: Will attempt key: /home/ulidtko/.ssh/key1 RSA SHA256:<redacted> agent
debug1: Will attempt key: /home/ulidtko/.ssh/key2 RSA SHA256:<redacted> agent
debug1: Will attempt key: key3@localhost ED25519 SHA256:<redacted> agent
debug1: Will attempt key: key4@localhost RSA SHA256:<redacted> agent
debug1: Will attempt key: key5@localhost ed25519 ED25519 SHA256:<redacted> agent
debug1: Will attempt key: key6@localhost ECDSA SHA256:<redacted> agent
debug1: Will attempt key: /path/to/square.key ED25519 SHA256:<redacted> explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ulidtko/.ssh/key1 RSA SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/ulidtko/.ssh/key2 RSA SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key3@localhost ED25519 SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key4@localhost RSA SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key5@localhost ed25519 ED25519 SHA256:<redacted> agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key6@localhost ECDSA SHA256:<redacted> agent
Received disconnect from 46.101.206.106 port 22:2: Too many authentication failures
Disconnected from 46.101.206.106 port 22

Somehow, ssh thinks it's a great idea to try every key from ssh-agent BEFORE the square.key which I pass manually on the command line. And so this triggers Too many authentication failures on the server; square.key is never offered.

Is there a way to override or configure this order? I'd like to continue using ssh-agent, but I'd like ssh to respect my manually-set command-line flags and try the -i "explicit" keys first.

1
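The log above shows the failure pattern: every agent key is offered before the explicit one, and the server disconnects before square.key is reached. Below is an added helper (not from the question or any answer) that reads `ssh -v` output from stdin and reports how many agent-held keys were offered before the first explicit key and whether the explicit key was ever offered; the sample log, host and key names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: diagnose ssh's key-offer ordering from `ssh -v` output
# without making a connection. Prints two numbers:
#   1) agent keys offered before the first "explicit" (-i / IdentityFile) key
#   2) 1 if an explicit key was offered at all, 0 if the server cut us off first
offer_order_report() {
    awk '
        /^debug1: Offering public key:/ {
            # The last field is the key source as ssh prints it: "agent" or "explicit"
            if ($NF == "agent" && !seen_explicit) agent_first++
            if ($NF == "explicit") seen_explicit = 1
        }
        END { printf "%d %d\n", agent_first + 0, seen_explicit + 0 }
    '
}

# Constructed sample log, shaped like the verbose output in the question
# (placeholder host 192.0.2.10, redacted fingerprints).
SAMPLE_LOG='debug1: Will attempt key: /home/me/.ssh/key1 RSA SHA256:xxx agent
debug1: Will attempt key: /path/to/square.key ED25519 SHA256:xxx explicit
debug1: Offering public key: /home/me/.ssh/key1 RSA SHA256:xxx agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/me/.ssh/key2 RSA SHA256:xxx agent
Received disconnect from 192.0.2.10 port 22:2: Too many authentication failures'

# Real usage: ssh -v -i /path/to/square.key remote.server.net 2>&1 | offer_order_report
printf '%s\n' "$SAMPLE_LOG" | offer_order_report
```

A result of "N 0" with N equal to the agent's key count is the MaxAuthTries symptom from the question; after applying IdentitiesOnly or IdentityAgent=none the same pipeline should report "0 1".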

3 Answers

6

IdentitiesOnly=yes is probably an appropriate option. That is, use only the specified identities.

ssh -i /path/to/square.key -o IdentitiesOnly=yes remote.server.net

or

Host remote.server.net
  IdentityFile /path/to/square.key
  IdentitiesOnly yes
2
  • Enabling IdentitiesOnly=yes globally has satisfactorily resolved the issue for me, at last. It kinda doesn't make much sense to have "default keys" configured for authenticating to any server you'd ssh into — this is a stupid idea, yet is the default of openssh. Now, with global IdentitiesOnly=yes, each server-key association is explicitly configured in my Host foobar.example.net blocks, and ssh won't even try any keys before I configure it permanently or temporarily ask via -i. This is exactly what I needed.
    – ulidtko
    Jan 31 at 11:01
  • Sadly IdentitiesOnly doesn't help when what you're trying to do is pass an alternate key for a host that does have an IdentityFile set in the config file (e.g. multiple GitHub or BitBucket accounts, since they identify what user you are by the SSH key you present). :(
    – Ben
    May 9 at 2:42
8

One workaround is to pass IdentityAgent=none, either on the same command line:

ssh -i /path/to/square.key -o IdentityAgent=none remote.server.net

or equivalently, via the ~/.ssh/config:

Host remote.server.net
    IdentityFile /path/to/square.key
    IdentityAgent none
-1
# .ssh/config

host default
hostname 185.xxx.xxx.xxx
user root
port 10xxx
# Use an absolute or ~-relative path: a bare relative path such as .ssh/debian
# is resolved against the current working directory, not against ~/.ssh
IdentityFile ~/.ssh/debian
IdentityAgent none
