The -J option of ssh allows connecting via a "jump" host. However, I am unable to specify a key to use for the jump host on the command line.

Command:
> ssh -i keyfile -J user@bastion.host user@final.host

Expected behavior: ssh authenticates to jumphost with key in keyfile, then proceeds to connect to final host. Final host may use same or different key.

Actual behavior:
user@bastion.host: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
ssh_exchange_identification: Connection closed by remote host

Using verbose options it is clear that keyfile is never offered to the bastion host during authentication. Adding -o AddKeysToAgent=yes has no effect. Putting AddKeysToAgent in ssh config file also has no effect. It seems clear that any options relating to keys are ignored when connecting to the jumphost.

The only way to have a keyfile for the jumphost is to pre-add it to the ssh-agent with ssh-add, or modify the ssh config file. There are use cases where this is not desirable (e.g. use in scripts, keys are rotated or expired often, ssh-agent is not running, local host account is shared, etc.). The intuitive behavior would be for the -i and relevant -o options to be applied before connecting to the jumphost.
I see it the exact opposite way: the ssh command connects you to the final host and the jump host, being an option, doesn't receive any of the other options. Note that there may be multiple chained jumphosts (-J host1,host2) so it really isn't tenable to plumb all the command-line options through to them. We have to pick one or the other interpretation, and this is the one we've gone with. If you want specific configuration for a jump host, then you'll have to use ~/.ssh/config, sorry.
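
The per-host configuration the reply points to, written as a per-invocation file passed with ssh -F for the scripted, no-agent case raised in the report. This is an added example, not part of the original thread or OpenSSH's own code; the function name make_jump_config and the aliases "jump" and "target" are hypothetical, and all hosts, users and key paths are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example: build a throwaway ssh_config that gives the jump host and the
# final host separate keys, for use with `ssh -F`. Names are hypothetical.

# make_jump_config JUMP_HOST JUMP_USER JUMP_KEY FINAL_HOST FINAL_USER FINAL_KEY
# Writes the config to a new owner-only temp file and prints the file's path.
make_jump_config() {
    [ "$#" -eq 6 ] || { echo "usage: make_jump_config jump_host jump_user jump_key final_host final_user final_key" >&2; return 2; }
    # Reject empty values and any whitespace or newline, which would let an
    # argument smuggle extra directives into the generated config.
    for v in "$@"; do
        case $v in
            ''|*[[:space:]]*) echo "invalid value: '$v'" >&2; return 2 ;;
        esac
    done
    # umask is changed only inside the command substitution's subshell.
    cfg=$(umask 077 && mktemp "${TMPDIR:-/tmp}/sshjump.XXXXXX") || return 1
    cat >"$cfg" <<EOF
# Jump host: offer only its own key.
Host jump
    HostName $1
    User $2
    IdentityFile $3
    IdentitiesOnly yes

# Final host: reached through the "jump" alias above, with its own key.
Host target
    HostName $4
    User $5
    IdentityFile $6
    IdentitiesOnly yes
    ProxyJump jump
EOF
    printf '%s\n' "$cfg"
}

# Usage (not run here):
#   cfg=$(make_jump_config bastion.host user /path/jump_key final.host user /path/final_key)
#   ssh -F "$cfg" target; rm -f "$cfg"
```

IdentitiesOnly yes keeps each hop from offering any other key that happens to be loaded in an agent, so the key named for the jump host is the only one presented to it.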
closing resolved bugs as of 8.6p1 release