IdentityFile vs IdentitiesOnly

Harald Dunkel harald.dunkel at
Tue Apr 2 23:50:56 AEDT 2019

Hi Darren,

On 4/1/19 10:41 AM, Darren Tucker wrote:
> On Mon, 1 Apr 2019 at 08:12, Harald Dunkel <harald.dunkel at> wrote:
>> I've got a moderate number of keys in my ssh config file.
>> Problem: Very often I get an error message like
> [...]
>> The solution seems to be to set IdentitiesOnly, e.g.:
> [...]
>> Shouldn't an explicit IdentityFile (as in the example) *imply*
>> IdentitiesOnly?
> Probably not.  What version are you using?  Is this key in the agent
> or do you need to supply a passphrase?

My client is 7.4 or newer, but the peers might be many years old.
The oldest I found was version 6.0 on AIX.

"AddKeysToAgent yes" is set.

> For recent versions each key has an annotation that says whether or
> not the key file was supplied by the user (ie either in the config
> file or on the command line).  It should prefer keys that were both
> specified in the config *and* in the agent, and it should try them in
> the order they were supplied.  If you're running into a situation
> where this doesn't work, then it is likely you are either using a
> version prior to that behaviour or there's a bug in it.

??? I have seen ssh-agent as a transparen means to avoid the same
password dialog again and again. ssh chooses which keys to try,
looking at the host name/IP address on the command line. The "Host"
constructs in the config file make sure that options set for one
host don't affect others.

You mean this not the case for IdentityFile? If I drop ssh-agent
support, will ssh try *other* keys in a different sequence?


More information about the openssh-unix-dev mailing list