IdentityFile vs IdentitiesOnly

Darren Tucker dtucker at
Wed Apr 3 19:55:07 AEDT 2019

On Wed, 3 Apr 2019 at 09:51, Harald Dunkel <harald.dunkel at> wrote:
> Hi Darren,
> if I got this right, then using ssh-agent some memory effect appears
> to sneak in, besides the remembered passphrases.

The "memory effect" is probably AddKeysToAgent which I alluded to in
my previous message.  The first time you access that specific host,
the key is not in the agent so the keys that are cond in the agent are
tried first.  The second time it's in the agent so it's amongst the
first tried.

BTW the agent does not remember passphrases.  It decrypts and
remembers the unencrypted private key, and it never discloses the
private key, it only signs challenges with it when asked to.

> IMHO thats the bad part. The ssh client should stay in control which keys are tried in
> which sequence.

The client is in control.  Under most circumstances the keys loaded in
the agent are preferable because they do not require entering a
passphrase, and in the cases where this isn't desired there's the
IdentitiesOnly override you already found.

> Is there a risk that a key pair with a "poor" cipher is tried first,
> even though a key pair with a better cipher is mentioned first in the
> config file?

If by "ciphers" you mean public key algorithm types then no.

The keys are public/private key pairs and the server never knows the
private key.  Basically the way it works is the client asks "if I
prove I have the private key corresponding to this public key will you
let me in?", the server says yes or no, and if it says yes the client
proves it does by signing a challenge with the private key and sending
it to the server, which verifies the signature.

Separately the private keys are usually encrypted with a symmetric
cipher on the client side, but that is an implementation detail that
the server has no visibility into.

> Thanx for your detailed response

You're welcome.

Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list