This ssh command will use any key the client can find through its normal means (i.e. agent, and ~/.ssh/id_{algo}):

    ssh -F /dev/null -o IdentitiesOnly=yes -i /something/that/doesnt/exist hostname

It will also ignore IdentitiesOnly=yes if no identity file is specified:

    ssh -F /dev/null -o IdentitiesOnly=yes hostname

I've tested this with:
- OpenSSH_7.2p2
- OpenSSH_7.9p1
- OpenSSH_8.0p1

This contradicts the documentation, which states:

    Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities.

Just discovered a workaround:

    ssh -F /dev/null -o IdentitiesOnly=yes -i /something/that/doesnt/exist -i /dev/null hostname

This will cause ssh to fail with:

    Warning: Identity file /something/that/doesnt/exist not accessible: No such file or directory.
    Load key "/dev/null": invalid format
    hostname: Permission denied (publickey).

Thanks, I've clarified the documentation in commit 7047d5afe. IdentitiesOnly is intended mostly to limit which keys are tried from ssh-agent.
close bugs that were resolved in OpenSSH 8.5 release cycle
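
An added example, not part of the thread or of OpenSSH: a shell check that reads `ssh -G` style output and reports which identity files are still configured when IdentitiesOnly=yes is set and no -i is given, as in the second command of the report. It assumes `ssh -G` prints lowercase `identitiesonly` and `identityfile` lines; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Reads `ssh -G` style "key value" lines on stdin and reports which
# configured identity files exist on disk.
# $1 = home directory used to expand a leading "~/" in identityfile values.
effective_identities() {
    home=$1
    only=no
    found=0
    while read -r key value; do
        case $key in
            identitiesonly) only=$value ;;
            identityfile)
                case $value in
                    "~/"*) path=$home/${value#"~/"} ;;
                    *)     path=$value ;;
                esac
                if [ -r "$path" ]; then
                    echo "candidate: $path"
                    found=$((found + 1))
                else
                    echo "absent:    $path"
                fi
                ;;
        esac
    done
    echo "identitiesonly=$only candidates=$found"
}

# Constructed sample: default identity files still listed although
# IdentitiesOnly=yes is set and no -i was passed. Only id_ed25519 exists
# in the throwaway home directory created here.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"
    : > "$tmp/.ssh/id_ed25519"   # empty stand-in file, not a real key
    printf '%s\n' \
        'identitiesonly yes' \
        'identityfile ~/.ssh/id_rsa' \
        'identityfile ~/.ssh/id_ecdsa' \
        'identityfile ~/.ssh/id_ed25519' | effective_identities "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real client the same function can be fed with `ssh -G -F /dev/null -o IdentitiesOnly=yes hostname | effective_identities "$HOME"`.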