Bug 448

Summary: ssh ignores key specified with -i if agent is running
Product: Portable OpenSSH
Reporter: Don Marti <dmarti>
Component: ssh
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED    
Severity: enhancement    
Priority: P2    
Version: -current   
Hardware: All   
OS: Linux   

Description Don Marti 2002-11-28 04:16:17 AEDT
ssh -i special_key host

uses the key from ssh-agent, not the one specified with -i.

ssh -i special_key host
and 
env -u SSH_AUTH_SOCK ssh -i .ssh/special_key host

do different things.
Comment 1 Markus Friedl 2002-11-28 21:37:55 AEDT
having -i automagically turning off the agent might break things.

unsetting SSH_AUTH_SOCK works fine.

so what should be done? new option for turning off the agent is a
bad idea, too.
Comment 2 Andrew Pimlott 2003-02-12 01:57:34 AEDT
I'm not sure how you mean that turning off the agent might break things, but it
is obviously wrong for -i to be ignored.  Why can't you simply try keys
specified with -i before trying the agent?  You may need two lists of keys rather
than one: those explicitly requested, and those found by ssh.  The former are
tried before the agent.

At very least, this should be documented.  An option to turn off the agent might
be nice as well.
Comment 3 Markus Friedl 2003-02-12 04:16:52 AEDT
the keys specified with -i are _NOT_ ignored, they are just tried
after the agent keys, like the documentation says.
Comment 4 Markus Friedl 2003-05-13 04:23:17 AEST
for pubkey authentication try the user keys in the following order:
1. agent keys that are found in the config file
2. other agent keys
3. keys that are only listed in the config file
Comment 5 Damien Miller 2003-05-13 10:46:35 AEST
FYI it is common to do:

IdentityFile none

in one's ~/.ssh/ssh_config to turn off searching of non-agent key files.
Comment 6 Damien Miller 2003-05-13 10:46:53 AEST
oops, wrong bug
Comment 7 Damien Miller 2004-03-30 16:12:53 AEST
Fixed:

revision 1.124
date: 2004/03/08 12:12:36;  author: djm;  state: Exp;  lines: +2 -2
   - markus@cvs.openbsd.org 2004/03/05 10:53:58
     [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c]
     add IdentitiesOnly; ok djm@, pb@

> IdentitiesOnly
>     Specifies that ssh should only use the authentication identity
>     files configured in the ssh_config files, even if the ssh-agent
>     offers more identities.  The argument to this keyword must be
>     ``yes'' or ``no''.  This option is intended for situations where
>     ssh-agent offers many different identities.  The default is
>     ``no''.
Comment 8 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED
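
The following is an added example, not part of the bug thread and not OpenSSH source code. It models the candidate order listed in Comment 4 and the effect of IdentitiesOnly as described in Comment 7, to show at which attempt the key given with -i is offered. The key labels, the function names, the ordering inside each group, and treating a -i key as a configured identity file are assumptions of this model.

```python
from typing import NamedTuple


class Candidate(NamedTuple):
    name: str    # constructed key label, stands in for a key fingerprint
    source: str  # "agent+config", "agent" or "file"


def candidate_order(agent_keys, configured_keys, identities_only=False):
    """Return keys in the order they are offered to the server (model only).

    agent_keys: keys held by ssh-agent, in agent order.
    configured_keys: keys named by IdentityFile or -i, in configuration order.
    """
    agent = list(dict.fromkeys(agent_keys))          # de-duplicate, keep order
    configured = list(dict.fromkeys(configured_keys))
    in_agent, in_config = set(agent), set(configured)

    # 1. agent keys that are also found in the configuration
    order = [Candidate(k, "agent+config") for k in agent if k in in_config]
    # 2. other agent keys; never offered when IdentitiesOnly is "yes"
    if not identities_only:
        order += [Candidate(k, "agent") for k in agent if k not in in_config]
    # 3. keys that are only listed in the configuration (read from file)
    order += [Candidate(k, "file") for k in configured if k not in in_agent]
    return order


def position(order, name):
    """1-based attempt number at which a key is offered, or None if never."""
    for n, cand in enumerate(order, start=1):
        if cand.name == name:
            return n
    return None


# Constructed sample: three keys loaded in the agent, special_key passed with -i.
AGENT = ["work", "github", "personal"]
CONFIGURED = ["special_key"]

if __name__ == "__main__":
    for flag in (False, True):
        order = candidate_order(AGENT, CONFIGURED, identities_only=flag)
        print("IdentitiesOnly=%s:" % ("yes" if flag else "no"),
              ["%s (%s)" % (c.name, c.source) for c in order],
              "-> special_key is attempt", position(order, "special_key"))
```

With the sample input, special_key is the fourth key offered by default and the first when IdentitiesOnly is enabled, which matches the difference the reporter observed after unsetting SSH_AUTH_SOCK.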