Bug 2776 - SSH ignores explicitly specified id_rsa if id_rsa.pub doesn't match
Status: CLOSED DUPLICATE of bug 2737
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.4p1
Hardware: amd64 Mac OS X
Importance: P5 minor
Assignee: Assigned to nobody
Reported: 2017-09-13 08:45 AEST by carlpaten@gmail.com
Modified: 2021-04-23 14:59 AEST
Description carlpaten@gmail.com 2017-09-13 08:45:49 AEST
Note: throughout this report, I'm using "id_rsa" (resp. "id_rsa.pub") as a stand-in for the default private (resp. public) key file.

What this issue looks like when you run into it:

    me@myHost:~$ cp -p .ssh/id_rsa .ssh/id_rsa2
    me@myHost:~$ ssh -i .ssh/id_rsa remoteHost # doesn't work
    me@myHost:~$ ssh -i .ssh/id_rsa2 remoteHost # works

The only hint of exactly what is wrong (running with -v):

    debug1: Offering RSA public key: .ssh/id_rsa

versus

    debug1: Trying private key: .ssh/id_rsa2

The cause: id_rsa.pub doesn't match id_rsa. The client offers id_rsa.pub to the remote host, is refused, and concludes that id_rsa won't match.

Expected behaviour: the client should not assume that id_rsa.pub matches id_rsa. Either this could be checked, or id_rsa.pub could be generated from id_rsa every time.

(This might seem like a trivial problem, but it took me and a colleague more than two hours to zero in on this and figure out. That looks vaguely like a lower bound if you consider the relevant ServerFault submissions.)
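
A pre-flight check for the mismatch described in this report, as an added example that is not part of the original report or of OpenSSH: it derives the public key from the private key with `ssh-keygen -y` and compares it with the sidecar `.pub` file. The function name `check_keypair` and its exit codes (0 match or no sidecar, 1 mismatch, 2 unreadable key) are assumptions made for this example.

```shell
# Added example (not OpenSSH code): does KEY.pub really belong to KEY?
# Uses `ssh-keygen -y`, which prints the public key derived from a private key.
check_keypair() {
    priv=$1
    pub=${2:-$priv.pub}      # sidecar file the client reads next to the key

    if [ ! -r "$priv" ]; then
        echo "cannot read private key: $priv" >&2
        return 2
    fi
    if [ ! -e "$pub" ]; then
        # Without a sidecar there is nothing stale to offer to the server.
        echo "no public key file at $pub"
        return 0
    fi

    # Derive the public key (prompts for a passphrase if the key is encrypted).
    derived=$(ssh-keygen -y -f "$priv") || return 2

    # Compare key type and base64 blob only; the comment field may differ.
    want=$(printf '%s\n' "$derived" | awk '{print $1, $2}')
    have=$(awk 'NF >= 2 && $1 !~ /^#/ {print $1, $2; exit}' "$pub")

    if [ "$want" = "$have" ]; then
        echo "OK: $pub matches $priv"
        return 0
    fi

    echo "MISMATCH: $pub does not belong to $priv" >&2
    echo "  fingerprint on disk: $(ssh-keygen -l -f "$pub")" >&2
    echo "  regenerate with: ssh-keygen -y -f $priv > $pub" >&2
    return 1
}
```

Run it as `check_keypair ~/.ssh/id_rsa` before debugging a refused key; an exit status of 1 corresponds to the "Offering RSA public key" case shown above.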
Comment 1 Damien Miller 2017-09-13 12:26:01 AEST
We added an explicit error for that recently. It still refuses to accept the key (by intention), but it tells you:

https://anongit.mindrot.org/openssh.git/commit/?id=c4972d0a9bd6f898462906b4827e09b7caea2d9b

That change will be in the openssh-7.6 release.

*** This bug has been marked as a duplicate of bug 2737 ***
Comment 2 Damien Miller 2021-04-23 14:59:55 AEST
closing resolved bugs as of 8.6p1 release