When I have IdentityFile set in ~/.ssh/config and multiple ssh keys added to my ssh-agent, ssh -i ... or ssh -o 'IdentityFile ....' tries keys from the ssh-agent before the keys I specified on the command-line. The key I passed on the command-line is a passwordless key that is command-limited on the remote end (limited to running git-upload-pack so I can git clone/fetch over ssh without a passphrase). One of the other keys in my ssh-agent is a password-protected, confirmation requiring key that is not-command-limited on the remote end. For now I'm working around this by unsetting SSH_AUTH_SOCK whenever I want to use the passwordless command-limited key. There is another use-case listed in this Debian bug: http://bugs.debian.org/513235
Does the IdentitiesOnly option not do what you want? From ssh_config(5): IdentitiesOnly Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. The argument to this keyword must be “yes” or “no”. This option is intended for situations where ssh- agent offers many different identities. The default is “no”.
In my case the password-protected key in ssh-agent is also the key referred to by IdentityFile, so IdentitiesOnly on the command-line nor in the config file isn't going to help here.
I'm not understanding your setup properly here. Could you explain it in a little detail? Are you saying that you have a password-protected, confirm-requiring key in the agent and also laying around passwordless on the filesystem? That seems ... self-defeating.
There are two keys: One is password-protected. This key is listed in the Hosts * IdentityFile in ~/.ssh/config and added to the ssh-agent with ssh-add -c, meaning it requires confirmation before use. The other is not password-protected. It is not added to the ssh-agent. Its use is command-limited on the server side to pulling from git repositories: command="/usr/bin/git-upload-pack ${SSH_ORIGINAL_COMMAND#* }",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ... In order to use the passwordless key for git pull but not git push, I set GIT_SSH to a script that does this instead when connecting to a host that supports my passwordless key: unset SSH_AUTH_SOCK <--- This part is a workaround for this bug (2066) ssh -o 'ControlMaster auto' -o 'ControlPath ~/.ssh/git-control-%l->%r@%h:%p' -i ~/.ssh/my-git-key "$@"
(In reply to comment #4) [...] > unset SSH_AUTH_SOCK <--- This part is a workaround for this bug > (2066) > ssh -o 'ControlMaster auto' -o 'ControlPath > ~/.ssh/git-control-%l->%r@%h:%p' -i ~/.ssh/my-git-key "$@" what happens if you remove the "unset" line and add "-o IdentitiesOnly=yes" to the command line?
Also, could you please attach (using "Add as an attachment") the output from ssh -vvv in each of the two cases you're describing?
I have the same issue, related to using gitolite to access Git repositories over SSH, see http://superuser.com/questions/570356/how-to-override-ssh-default-identity for a detailed description. I'm running the same OpenSSH client version: Debian 6.0p1-4. I have two keys that are accepted by the server: ~/.ssh/id_rsa and ~/.ssh/id_rsa_git, but I want to use the latter and I have set up the following in ~/.ssh/config: Host git Hostname router User gitolite ForwardX11 no ForwardAgent no GSSAPIAuthentication no IdentitiesOnly yes IdentityFile ~/.ssh/id_rsa_git When my key ~/.ssh/id_rsa is loaded in ssh-agent it is offered first (and accepted), while if I remove it from the agent, then ~/.ssh/id_rsa_git is offered and accepted. Specifying any of the additional options IdentitiesOnly=yes or -i ~/.ssh/id_rsa_git does not change the behaviour in either case. A related comment: in the documentation I cannot find whether it is possible to override the default IdentityFile's, nor if/how the order of specifying these influences the order in which the ssh client offers them.
Please try to reproduce this using openssh-6.2p1 with IdentitiesOnly=yes set and verbose output turned on ("ssh -vvv ..."). We can't debug this without this information.
I found that my reported problems were due to my own configuration errors. I had the following lines in my ~/.ssh/config: Host * IdentityFile ~/.ssh/id_dsa IdentityFile ~/.ssh/id_rsa Removing these made ssh connect with the expected keys, both for the current Debian Wheezy version 6.0p1 and version 6.2p1 installed from original sources. I'm sorry for the noise. Jaap
Created attachment 2260 [details] Log of SSH without agent running.
Sorry for replying again, but on second check there does seem to be a bug, even after removing the IdentityFile lines from the 'Host *' config. I'll attach the output of 'ssh -vvv git' in three different scenario's: - without ssh-agent running: connect using correct key - with ssh-agent and default ~/.ssh/id_{rsa,dsa} keys loaded: ~/.ssh/id_rsa is incorrectly used - with ssh-agent but ~/.ssh/id_rsa key removed from agent: connect using correct key Also attached a stripped-down version of my client config, exactly the version as used.
Created attachment 2261 [details] Log of SSH with ssh-agent and default keys loaded.
Created attachment 2262 [details] Log of SSH with ssh-agent and id_rsa removed.
Created attachment 2263 [details] ssh-config used
Your config doesn't have IdentitiesOnly set for the "Host git" case, so it is trying other keys from the agent. A bug isn't the best place to diagnose your config. Feel free to discuss further on the openssh-unix-dev mailing list, but I'll close this bug. If the discussions shows evidence of an error in IdentityFile or IdentitiesOnly then we can reopen the bug.
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1