IdentityFile vs IdentitiesOnly

Darren Tucker dtucker at
Wed Apr 3 06:59:46 AEDT 2019

On Tue, 2 Apr 2019 at 14:50, Harald Dunkel <harald.dunkel at> wrote:
> My client is 7.4 or newer, but the peers might be many years old.
> The oldest I found was version 6.0 on AIX.

In this case the version of the server doesn't matter, only the client.

> "AddKeysToAgent yes" is set.

Ah, this might be the reason, see below.

> ??? I have seen ssh-agent as a transparent means to avoid the same
> password dialog again and again. ssh chooses which keys to try,

That's true, however it chooses the order[0] in which to try them
based in part on which ones are already in the agent.

> The "Host" constructs in the config file make sure that options set
> for one host don't affect others.

It's a bit more complicated than that.  For example you can have
wildcards that match multiple hosts, and some directives are not
strict overrides.

> You mean this is not the case for IdentityFile?

IdentityFile directives append to a list[1], and by default the list
has multiple entries for the various key types.  Quoting

             It is possible to have multiple identity files specified in
             configuration files; all these identities will be tried in
             sequence.  Multiple IdentityFile directives will add to the
             list of identities tried (this behaviour differs from that of
             other configuration directives).

> If I drop ssh-agent support, will ssh try *other* keys in a different sequence?

Possibly. It'll depend on a few variables.


Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
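
The append behaviour described in the message above, as an added example that is not part of the original post and is not OpenSSH code: a simplified Python model of how a client config resolves for one host, where ordinary directives keep the first value obtained and every matching IdentityFile is added to the list. The hostnames, key paths and function names are constructed for illustration; the default identity list and the agent-dependent ordering are not modelled.

```python
import fnmatch

# Constructed sample config (hostnames and key paths are made up).
SAMPLE_CONFIG = """\
Host build.example.org
    User deploy
    IdentityFile ~/.ssh/id_build

Host *.example.org
    User admin
    IdentityFile ~/.ssh/id_corp

Host *
    IdentityFile ~/.ssh/id_ed25519
"""

def host_matches(patterns, host):
    """True if a positive pattern matches and no negated (!) pattern does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def effective_options(config_text, host):
    """Simplified model: first value wins, except IdentityFile, which appends."""
    single, identities = {}, []
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            active = host_matches(value.split(), host)
        elif not active:
            continue
        elif keyword == "identityfile":
            identities.append(value)  # every matching block contributes a key
        else:
            single.setdefault(keyword, value)  # later matches do not override
    return single, identities

if __name__ == "__main__":
    for name in ("build.example.org", "www.example.org", "other.net"):
        print(name, effective_options(SAMPLE_CONFIG, name))
```

On a real client, `ssh -G <host>` prints the options the client would actually use for that host.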

More information about the openssh-unix-dev mailing list