Bug 2221

Summary: Explicit identity files are being used after implicit files are attempted
Product: Portable OpenSSH Reporter: Michael Hall <mhall119>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID    
Severity: minor CC: djm
Priority: P5    
Version: 6.2p1   
Hardware: ix86   
OS: Linux   

Description Michael Hall 2014-04-05 07:14:18 AEDT 
When explicitly setting an identity, either via the -i commandline parameter or IdentityFile in the ssh config, these files are used only after any other identity files found in ~/.ssh/ have failed pubkey authentication.

When the remote host limits the number of pubkey authentication failures before disconnecting, this can lead to a situation where the explicit identity file is not even used when connecting to that host.
Comment 1 Damien Miller 2014-04-05 09:10:46 AEDT 
You need IdentitiesOnly=yes; from ssh_config(1):

  IdentitiesOnly
     Specifies that ssh(1) should only use the authentication identity
     files configured in the ssh_config files, even if ssh-agent(1) or
     a PKCS11Provider offers more identities.  The argument to this
     keyword must be “yes” or “no”.  This option is intended for situ‐
     ations where ssh-agent offers many different identities.  The
     default is “no”.
Comment 2 Damien Miller 2015-08-11 23:04:16 AEST 
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1