Is there a way in ssh(1) to get the identity specified by -i to take 
precedence over what is already in the agent?

When six keys are added into ssh-agent(1), authentication is not possible 
with a seventh, or later, key even if that final key is pointed to by 
ssh(1) explicitly using -i.

  $ ssh-add -l
  2048 f6:46:87:70:e2:c4:9d:7f:a0:08:26:76:aa:7e:c2:c2 test_key_1 (RSA)
  2048 35:d7:21:d5:4c:3f:2d:d4:4b:89:c3:2f:a2:f4:3f:e4 test_key_2 (RSA)
  2048 ab:94:cf:5e:c9:e9:81:b1:74:ec:8b:91:a5:e9:46:ea test_key_3 (RSA)
  2048 4a:44:e1:b5:7c:eb:0b:21:09:87:b7:3d:86:19:6e:cf test_key_4 (RSA)
  2048 5e:d6:0c:1b:c8:67:1d:f7:5c:34:09:bd:22:f6:0d:e1 test_key_5 (RSA)
  2048 9a:7d:ab:1e:97:06:e1:06:ca:8e:40:62:32:8c:45:03 test_key_6 (RSA)

  $ ssh -i test_key_7 [email protected]
  Received disconnect from xx.yy.zz.aa: 2: Too many authentication
  failures for foo

If a valid identity is in the first six, it is let through by the server.  
On the server side, MaxAuthTries can be increased beyond the default of 6 
to allow more identities to be tried.  It looks like the identities in the 
agent are tried first regardless of what the value of -i is with ssh(1) 
before -i is tried.  The same goes for setting IdentityFile in ssh_config.

This is with OpenSSH 6.3 from a recent snapshot on the client and 
5.3-stable on the server.

regards, 
/Lars
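
Added example, not part of the original post and not OpenSSH code: a simplified Python model of the behaviour described above, where the client offers every agent identity before the -i key and the server disconnects once MaxAuthTries failures accumulate. The names offer_order and authenticate are hypothetical, the key names come from the ssh-add listing, and the identities_only flag models the ssh_config option IdentitiesOnly, which the post does not mention.

```python
# Simplified model (an assumption, not OpenSSH source) of the publickey
# ordering the post observes: agent identities are offered before the -i key,
# and the server counts every rejected key against MaxAuthTries.

DISCONNECT = "Too many authentication failures"

def offer_order(agent_keys, identity_file, identities_only=False):
    """Return the identities the client offers, in order."""
    if identities_only:
        # Models IdentitiesOnly=yes: only the explicitly configured identity
        # is offered, whatever else the agent holds.
        return [identity_file]
    order = list(agent_keys)          # agent identities go first
    if identity_file not in order:
        order.append(identity_file)   # the -i key ends up last
    return order

def authenticate(offered, authorized, max_auth_tries=6):
    """Server side: return (result, accepted_key, failures)."""
    failures = 0
    for key in offered:
        if key in authorized:
            return ("accepted", key, failures)
        failures += 1
        if failures >= max_auth_tries:
            # The server disconnects before any later key can be offered.
            return (DISCONNECT, None, failures)
    return ("denied", None, failures)

# Constructed sample data mirroring the post: six agent keys, a seventh via -i.
AGENT = [f"test_key_{n}" for n in range(1, 7)]
AUTHORIZED = {"test_key_7"}

if __name__ == "__main__":
    cases = {
        "default": (offer_order(AGENT, "test_key_7"), 6),
        "MaxAuthTries 7": (offer_order(AGENT, "test_key_7"), 7),
        "IdentitiesOnly": (offer_order(AGENT, "test_key_7", True), 6),
    }
    for name, (offered, limit) in cases.items():
        print(name, authenticate(offered, AUTHORIZED, limit))
```

In this model the default case ends in a disconnect after six failures, while either raising the server limit or restricting the client to the explicit identity lets test_key_7 through.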
