Ordering of key offers with "ssh -i"

Darren Tucker dtucker at zip.com.au
Sun Jul 26 09:41:49 EST 2009

Tim Jackson wrote:
> Hi
> Is it expected behaviour that when using "ssh -i", the key specified in 
> the "-i" option is only sent to the server *after* trying all other keys 
> in ~/.ssh ? I couldn't find anything about this in the manual, and it 
> seems like surprising behaviour to me. It can be the cause of unexpected 
> failures in some cases, if a server has MaxAuthTries set to a value 
> which is less than the number of keys that the client has available.

What you're looking for is, from ssh_config(5):

       Specifies that ssh(1) should only use the authentication identity
       files configured in the ssh_config files, even if ssh-agent(1)
       offers more identities.  The argument to this keyword must be
       ``yes'' or ``no''.  This option is intended for situations where
       ssh-agent offers many different identities.  The default is

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list