Why does SSH always use the first key accepted by the server?

I have three SSH key pairs that can be found via ssh-add -L; two keys are accepted by the remote server, but only one key can be used for GitHub, and I want to clone a GitHub repository via agent forwarding (hosting limits prevent deploy keys from working).

  • The following can't log into GitHub, and I found that SSH perhaps uses the first key [id_rsa] listed via ssh-add -L, ignoring my -i command, so agent forwarding only works after deleting the key id_rsa:
    ssh -A -tt -i ~/.ssh/id_rsa_github user@ip 'ssh -T [email protected]'
    
  • I tried adding IdentityFile and IdentitiesOnly to ~/.ssh/config, but that was also unsuccessful.

Is this normal behavior and how do I force SSH to use a specific key?


I think it's normal. The agent already knows some keys. Then -i is an option of ssh; it doesn't directly affect the agent. When asked, ssh can add a key to the agent, but there is no straightforward way for it to remove keys or change their order. Moreover, the agent is designed to serve many clients. Some of them may need the keys you want to "hide" from this particular ssh connection. You need a somewhat different approach.

Run the local ssh as a subprocess of a dedicated agent and let ssh add the desired key to the agent. This way the key will be the only one known to the relevant agent. Processes that use the general-purpose agent (if any) will not be affected.

ssh-agent ssh -A -tt -o AddKeysToAgent=yes -i ~/.ssh/id_rsa_github user@ip 'ssh -T [email protected]'

From man 1 ssh-agent:

command [arg ...]
If a command (and optional arguments) is given, this is executed as a subprocess of the agent. The agent exits automatically when the command given on the command line terminates.

[…]

[…] The agent starts a command under which its environment variables are exported […]

[…]

[…] ssh(1) looks at these environment variables and uses them to establish a connection to the agent.

The agent initially does not have any private keys. Keys are added using ssh-add(1) or by ssh(1) when AddKeysToAgent is set in ssh_config(5). […]

From man 1 ssh:

-o option
Can be used to give options in the format used in the configuration file.

From man 5 ssh_config:

AddKeysToAgent
Specifies whether keys should be automatically added to a running ssh-agent(1). If this option is set to yes and a key is loaded from a file, the key and its passphrase are added to the agent with the default lifetime, as if by ssh-add(1).
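An added example (not from the answer above) that checks the claim locally without contacting any host: a general-purpose agent holding two constructed throwaway keys stands in for the asker's id_rsa and id_rsa_github, and a child process started with `ssh-agent <command>` adds only the second key. The child sees one key (what a forwarded agent would expose), while the general-purpose agent keeps both. It assumes the OpenSSH client tools ssh-keygen, ssh-agent and ssh-add are installed.

```shell
#!/bin/sh
# Added example: show that `ssh-agent <command>` gives <command> its own agent,
# so the key added there is the only one a forwarded agent (-A) can offer,
# and the user's general-purpose agent is left untouched.
# Assumes OpenSSH client tools are installed. Keys and agents are throwaway.
set -eu

# Prints three numbers: keys visible to the child under the dedicated agent,
# keys in the general agent before the child ran, keys in it afterwards.
scope_check() {
    work=$(mktemp -d)

    # Constructed stand-ins for ~/.ssh/id_rsa and ~/.ssh/id_rsa_github.
    ssh-keygen -q -t ed25519 -N '' -f "$work/id_general"
    ssh-keygen -q -t ed25519 -N '' -f "$work/id_github"

    # General-purpose agent loaded with both keys, as `ssh-add -L` in the
    # question would list them.
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add -q "$work/id_general" "$work/id_github"
    general_before=$(ssh-add -L | wc -l | tr -d ' ')

    # Dedicated agent: the child inherits SSH_AUTH_SOCK pointing at the new
    # agent, adds one key (the effect of -o AddKeysToAgent=yes during a real
    # ssh run) and reports what a forwarded agent would expose. The agent
    # exits when the child terminates.
    child=$(ssh-agent sh -c \
        "ssh-add -q '$work/id_github'; ssh-add -L | wc -l | tr -d ' '")

    general_after=$(ssh-add -L | wc -l | tr -d ' ')

    ssh-agent -k >/dev/null          # stop the general agent we started
    rm -rf "$work"
    echo "$child $general_before $general_after"
}

# Expected: "1 2 2" (child sees one key; general agent still holds two).
scope_check
```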