Bug 3080 - Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly
Status: REOPENED
Product: Portable OpenSSH
Classification: Unclassified
Component: Documentation
Version: 8.0p1
Hardware: Other All
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2019-10-09 19:54 AEDT by osnuc
Modified: 2020-07-11 18:11 AEST

Description osnuc 2019-10-09 19:54:51 AEDT
Currently the documentation for IdentitiesOnly states:

"Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line..."

This is inaccurate, as with no IdentityFile configuration in /etc/ssh/ssh_config or ~/.ssh/config, the *default* IdentityFile value (documented but not *explicitly configured*) is used when IdentitiesOnly is set.

This is compounded by the fact that the mechanism for setting IdentityFile to empty (using the special "none" string) is not documented (see https://bugzilla.mindrot.org/show_bug.cgi?id=2362).

I suggest the following fixes:

* Update the IdentityFile documentation to mention the "none" string.

* Change the IdentitiesOnly documentation to say that it will use the *default* IdentityFile configuration if that parameter is not explicitly configured (and draw specific attention to this, as it's unlikely to be what the user wants if they specify IdentitiesOnly - I suggest recommending the above IdentityFile setting).
Comment 1 Damien Miller 2020-07-10 14:17:23 AEST
This was fixed last September in commit 7047d5afe3 and should be in OpenSSH 8.2
Comment 2 osnuc 2020-07-11 18:11:04 AEST
Hi, thanks for the update on this.

As far as I can see, the special "none" string for IdentityFile still remains undocumented. So as a minimum, can you please make the following change:

* in the IdentityFile section, mention the special "none" value.

Additionally, a common use case for IdentitiesOnly is to set it to yes globally, and then set IdentityFile for each host, with the intention of *only* trying the explicitly configured key.

However, this will not have the desired effect, since OpenSSH will still try (falling back on?) keys with standard names.

For this reason, it would be helpful to add the following:

* in the IdentitiesOnly section, mention also needing to set IdentityFile to none if the user does not want to fall back on SSH keys with standard names.
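An added example (not from the bug report or from OpenSSH's own documentation) of the configuration Comment 2 describes, showing the fallback problem beside the IdentityFile none fix; the hostname and key path are made-up placeholders.

```sshconfig
# ~/.ssh/config -- constructed example; git.example.com and the key path
# are placeholders, not values from the bug report.

# --- Weak form (the use case from Comment 2) ------------------------------
# Commented out because it is what NOT to rely on. With only these two
# blocks, IdentitiesOnly=yes stops ssh-agent from offering extra keys, but
# since no IdentityFile is configured for hosts other than git.example.com,
# the *default* list (~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ...)
# is filled in, so keys with standard names are still tried.
#
#   Host *
#       IdentitiesOnly yes
#
#   Host git.example.com
#       IdentityFile ~/.ssh/git_example_ed25519

# --- Corrected form -------------------------------------------------------
# Per-host block first: IdentityFile values accumulate across every matching
# block, so this key is still offered to git.example.com.
Host git.example.com
    IdentityFile ~/.ssh/git_example_ed25519
    IdentitiesOnly yes

# Catch-all last. "none" contributes no key but counts as a configured
# IdentityFile, so ssh no longer appends the built-in default names.
# Hosts not listed above therefore get no public-key attempt at all.
Host *
    IdentitiesOnly yes
    IdentityFile none

# Check the effective list without connecting (ssh -G prints the resolved
# configuration for a host):
#   ssh -G git.example.com | grep -i '^identityfile'
#   ssh -G other.example.com | grep -i '^identityfile'
```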