With ssh -i <private key filename> you can instruct ssh to use an extra private key to try authentication.
The documentation is not clear on how to explicitly use only that key.
You can use the IdentitiesOnly option:
ssh -o "IdentitiesOnly=yes" -i <private key filename> <hostname>
From the man page for ssh_config(5):
IdentitiesOnly
Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.
An alternative could be to generate a pair of keys using
ssh-keygen
and create a special configuration for the specified host and corresponding private key.
Edit ~/.ssh/config:
Host handy_server
    HostName x.y.z.w
    IdentityFile ~/.ssh/handy
    IdentitiesOnly yes
    User userk
    Port 22
IdentityFile is the specific private key you're using. I didn't specify the HostName for my entry in my config file and it didn't seem to matter.
This is a better answer than the accepted one since I just wanted to copy + paste stuff to my ~/.ssh/config file and modify accordingly. Sometimes doing everything from command line is a bit overkill imo.
– hellatan Oct 19 '23 at 20:39
The accepted answer is incorrect, since all identity files in the default config will also be used in addition to those specified with the -i arguments. This can be a problem if the device you're connecting to has an authentication attempt limit that can be exceeded before eventually getting to the correct key.
To force it to use the single private key file, and only that key, you can specify a nonexistent config file with the -F argument:
ssh -F /dev/null -o IdentitiesOnly=yes -i <private key filename> <hostname>
Using the -v argument will show the keys being used. You should now see that only one is used. Look for "Will attempt key: " lines.
-F seems to be only needed if you explicitly set an IdentityFile in your config.
In that case adding -o "IdentityFile=/dev/null" might be a safer option, not losing any other config you might have.
– Herman van Rink Apr 05 '23 at 19:59
See the ssh man page for details, since -F is an ssh argument.
ssh man page for -F argument). If there are matching entries in that default config, like 'Host *', they will all be used. -v shows the configuration files loaded, and the identity files used.
– brandon Apr 06 '23 at 22:37
-o "IdentitiesOnly=yes" bit to prevent ssh-agent from overriding the private key specified. – user2708667 Mar 19 '19 at 20:10
-v to your ssh command to know which key is being used (add more v if one is not enough) – 2072 Apr 07 '21 at 08:43
.ssh/id_rsa which I have not specified with -i. Question as stated in title is not answered by this answer. – thomas Sep 07 '22 at 23:37
-i option to specify which key to use. – Herman van Rink Sep 08 '22 at 05:58
-o "IdentitiesOnly=yes" -i <private key filename>, default IdentityFile keys in .ssh/config will be used before the identity specified. rogerovo said the same thing in 2014 – Matthew Feb 21 '23 at 06:41
.ssh/config move any default IdentityFile entries inside a Host * !<hostname> block. Then those identities will not be used when connecting to <hostname> but will still be used by default – Matthew Feb 21 '23 at 06:50
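The check suggested in the answers above (read the "Will attempt key:" lines that ssh -v prints) can be scripted; this is an added example, not part of any answer or comment on this page. The function names, the /home/userk/.ssh/handy path and the sample debug lines are constructed for illustration, and the fingerprints are placeholders.

```shell
#!/bin/sh
# Added example: confirm from `ssh -v` output that only one key is offered.
# Real use (host and key names are placeholders taken from this page):
#   ssh -v -F /dev/null -o IdentitiesOnly=yes -i ~/.ssh/handy handy_server true 2>&1 \
#     | only_key_offered "$HOME/.ssh/handy"

# Print the identity (first field) of every "Will attempt key:" debug line.
attempted_keys() {
    sed -n 's/^debug1: Will attempt key: \([^ ]*\).*/\1/p'
}

# Return 0 only if $1 (full path, as ssh prints it) is the single key attempted.
# Any other key is reported on stderr; each one costs an authentication attempt.
only_key_offered() {
    expected=$1
    keys=$(attempted_keys)
    extras=$(printf '%s\n' "$keys" | grep -Fxv -- "$expected" || true)
    if [ -n "$extras" ]; then
        printf '%s\n' "$extras" | sed 's/^/unexpected key: /' >&2
        return 1
    fi
    [ "$keys" = "$expected" ]
}

# Constructed sample: -i given without IdentitiesOnly, agent holding two keys.
sample_default() {
    cat <<'EOF'
debug1: Will attempt key: /home/userk/.ssh/id_rsa RSA SHA256:PLACEHOLDER1 agent
debug1: Will attempt key: /home/userk/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER2 agent
debug1: Will attempt key: /home/userk/.ssh/handy ED25519 SHA256:PLACEHOLDER3 explicit
EOF
}

# Constructed sample: same command with -F /dev/null -o IdentitiesOnly=yes.
sample_restricted() {
    cat <<'EOF'
debug1: Will attempt key: /home/userk/.ssh/handy ED25519 SHA256:PLACEHOLDER3 explicit
EOF
}

for s in sample_default sample_restricted; do
    if "$s" | only_key_offered /home/userk/.ssh/handy; then
        echo "$s: only the requested key is offered"
    else
        echo "$s: extra keys would be tried first"
    fi
done
```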