Ensure that OpenSSH client uses explicitly configured authentication identity even if authentication agent offers more identities.
Use the IdentitiesOnly OpenSSH client parameter to control this behavior. From ssh_config(5):
IdentitiesOnly Specifies that ssh(1) should only use the authentication identity and certificate files explicitly configured in the ssh_config files or passed on the ssh(1) command-line, even if ssh-agent(1) or a PKCS11Provider offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.
List all identities currently represented by the agent.
$ ssh-add -l
2048 SHA256:KRx5Bc6JPu2tN8Vs3m8j3pet2l9jk2lw7nG8Ko8xWT6E /home/milosz/.ssh/milosz (RSA)
2048 SHA256:2neJy5PhdL8b02RolxSBsZsyggGwMIgZa022ZMZsay3v /home/milosz/.ssh/ansible (RSA)
By default, the OpenSSH client tries every available identity until one is accepted for the remote user or all identities are exhausted.

$ ssh -o IdentitiesOnly=no internal.example.org -l ansible -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
debug1: Offering public key: RSA SHA256:KRx5Bc6JPu2tN8Vs3m8j3pet2l9jk2lw7nG8Ko8xWT6E /home/milosz/.ssh/milosz
debug1: Offering public key: RSA SHA256:2neJy5PhdL8b02RolxSBsZsyggGwMIgZa022ZMZsay3v /home/milosz/.ssh/ansible
debug1: Exit status 0
With the IdentitiesOnly option enabled, the OpenSSH client tries only the explicitly provided identities, even if the authentication agent offers more. Without an explicit identity, nothing from the agent is offered and the login fails.

$ ssh -o IdentitiesOnly=yes internal.example.org -l ansible -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
ansible@internal.example.org: Permission denied (publickey).

$ ssh -o IdentitiesOnly=yes internal.example.org -l ansible -i ~/.ssh/milosz -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
debug1: Offering public key: RSA SHA256:KRx5Bc6JPu2tN8Vs3m8j3pet2l9jk2lw7nG8Ko8xWT6E /home/milosz/.ssh/milosz
ansible@internal.example.org: Permission denied (publickey).

$ ssh -o IdentitiesOnly=yes internal.example.org -l ansible -i ~/.ssh/ansible -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
debug1: Offering public key: RSA SHA256:2neJy5PhdL8b02RolxSBsZsyggGwMIgZa022ZMZsay3v /home/milosz/.ssh/ansible
debug1: Exit status 0
Use the ~/.ssh/config OpenSSH client configuration to take advantage of this option transparently.
# OpenSSH SSH client configuration
Host *
  IdentitiesOnly yes

Host internal.example.org
  Port 22
  HostName 192.0.2.134
  User ansible
  IdentityFile ~/.ssh/ansible

Host jenkins_master
  HostName 10.20.5.2
  Port 22
  User admin
  IdentityFile ~/.ssh/jenkins_master

Host jenkins_node_01
  HostName 10.20.5.11
  Port 22
  User node_admin
  IdentityFile ~/.ssh/jenkins_node

Host jenkins_node_02
  HostName 10.20.5.12
  Port 22
  User node_admin
  IdentityFile ~/.ssh/jenkins_node
The IdentitiesOnly option is now enforced for every host, so remember to always define IdentityFile for each one.
$ ssh internal.example.org -vv : 2>&1 | awk '/Offering public key/ {print}; END{print}'
debug1: Offering public key: RSA SHA256:2neJy5PhdL8b02RolxSBsZsyggGwMIgZa022ZMZsay3v /home/milosz/.ssh/ansible
debug1: Exit status 0
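As an added example that is not part of the original post, here is a small Python audit of a config in the style above: it applies the first-obtained-value rule ssh uses for IdentitiesOnly, lets IdentityFile directives accumulate, and reports hosts that enforce IdentitiesOnly without naming any IdentityFile (for those, only the default ~/.ssh/id_* files would ever be tried). The sample config is constructed (the post's Host * and internal.example.org entries plus a deliberately incomplete build.example.org); Match and Include directives are assumed absent and are not handled.

```python
# Added example (not from the original post): audit an ssh_config for hosts that
# enforce IdentitiesOnly yet define no IdentityFile. Assumes "Keyword value" syntax.
from fnmatch import fnmatchcase
# Constructed sample: the post's Host * and internal host plus an incomplete host.
SAMPLE_CONFIG = """
Host *
    IdentitiesOnly yes
Host internal.example.org
    HostName 192.0.2.134
    IdentityFile ~/.ssh/ansible
Host build.example.org
"""
def host_matches(hostname, patterns):
    """Host semantics: no negated (!) pattern may match and some positive one must."""
    if any(fnmatchcase(hostname, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatchcase(hostname, p) for p in patterns if not p.startswith("!"))

def parse_blocks(text):
    """Return [(patterns, [(keyword, value), ...])]; lines before any Host fall under '*'."""
    blocks, patterns, directives = [], ["*"], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((patterns, directives))
            patterns, directives = value.split(), []
        else:
            directives.append((key, value))
    blocks.append((patterns, directives))
    return blocks

def effective(hostname, blocks):
    """First obtained value wins for IdentitiesOnly; IdentityFile directives accumulate."""
    only, files = None, []
    for patterns, directives in blocks:
        if host_matches(hostname, patterns):
            for key, value in directives:
                if key == "identitiesonly" and only is None:
                    only = value.lower() == "yes"
                elif key == "identityfile":
                    files.append(value)
    return bool(only), files

def audit(text):
    """Concrete (wildcard-free) hosts where IdentitiesOnly is on but no IdentityFile is set."""
    blocks = parse_blocks(text)
    hosts = [p for patterns, _ in blocks for p in patterns if not set("*?!") & set(p)]
    return [h for h in hosts if effective(h, blocks)[0] and not effective(h, blocks)[1]]
```

For the real configuration, `ssh -G hostname` prints the values ssh would actually use for that host, which is the quickest way to confirm both settings.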