ssh '-i' flag not using the provided key to authenticate

I’ve realized over the past few months that the ssh command’s "-i" flag (which is used to specify an identity file) doesn’t work properly when I try to authenticate to some server.

From what I understood, I could use this flag to specify an ssh key to authenticate to the server, avoiding the need to test over each key added to my agent and possibly overflow the connection attempts.

What I’m trying now is to change the user to authenticate to git (the question is not git specific), and what is happening is this:

  • I have two ssh keys that authenticate to github, let’s call them user1.pem and user2.pem.
  • user1.pem authenticates to user1 in github and user2.pem authenticates to user2.
  • I run the command "ssh -T [email protected]", it authenticates to user1.
  • I run the command "ssh -T -i ~/.ssh/user2.pem [email protected]", it continues to authenticate to user1.

There’s no problem at all with the keys, both have been added to the agent and they have the correct file permissions.
To circumvent this I had to remove all the keys from my agent and re-add only the user2.pem, then it authenticated to user2.

Just to reiterate, this is NOT git specific, as I had this problem with common linux servers as well, and I couldn’t find any solution besides configuring the hosts in the ~/.ssh/config file. I’m using git as an example just because it is easier to test.

Am I using "ssh -i" flag in the wrong way?

Super User Asked by Teodoro on November 26, 2021

One Answer

From the description of your problem, this is related to (the absence of) this option seen in man ssh_config:

IdentitiesOnly

Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.

You are also probably enabling the AddKeysToAgent option (which is handy) which will automatically keep user1 loaded in the agent after first use.

So you should run this:

ssh -T -o IdentitiesOnly=yes -i ~/.ssh/user2.pem [email protected]

This will prevent the identity for user1 from ever being considered for authentication and force the use of the identity for user2.

Alternately (but not so useful), unsetting the environment variable SSH_AUTH_SOCK will render the ssh agent unavailable to the command. This would have a similar result, except that you'd be asked for the passphrase each time, instead of the agent providing the decrypted key itself once loaded, as in the former case.

Answered by A.B on November 26, 2021
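
The ~/.ssh/config approach mentioned in the question, combined with the IdentitiesOnly option from the answer, as an added example that is not part of the original question or answer. The alias names, the github.com host name and the config path are assumptions; `ssh -G` evaluates the configuration and prints the result without connecting.

```shell
#!/bin/sh
# Added example: aliases, key file names and the config path are constructed.

# Write a constructed ssh_config: two pinned aliases and one unpinned alias.
write_demo_config() {
    cfg=$1
    ( umask 077
      cat > "$cfg" <<'EOF'
# Pinned: only the listed key is offered, whatever the agent holds.
Host github-user1
    HostName github.com
    User git
    IdentityFile ~/.ssh/user1.pem
    IdentitiesOnly yes

Host github-user2
    HostName github.com
    User git
    IdentityFile ~/.ssh/user2.pem
    IdentitiesOnly yes

# Unpinned: IdentitiesOnly stays at its default (no), so keys held
# by the agent may be offered as well.
Host github-plain
    HostName github.com
    User git
EOF
    )
}

# Print the settings ssh would apply to an alias, without connecting.
effective_identity() {
    cfg=$1 host_alias=$2
    ssh -G -F "$cfg" "$host_alias" |
        grep -E '^(hostname|user|identityfile|identitiesonly) '
}

# Succeed only if the alias sets IdentitiesOnly and names exactly one key.
is_pinned() {
    out=$(effective_identity "$1" "$2") || return 2
    printf '%s\n' "$out" | grep -qx 'identitiesonly yes' &&
        [ "$(printf '%s\n' "$out" | grep -c '^identityfile ')" -eq 1 ]
}
```

After `write_demo_config /tmp/demo_ssh_config`, `is_pinned /tmp/demo_ssh_config github-user2` succeeds and the same check on `github-plain` fails; against a real setup, run `ssh -G <alias>` without `-F` so the normal configuration files are read.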
