Without checking deeper I'm unsure if keys listed in e.g. /etc/ssh/ssh_config are considered as "userprovided" but lets give this a shot.
Gladly the debug already contains "explicit" if id->userprovided is true. I usually get: debug1: Will attempt key: /home/paelzer/.ssh/id_rsa RSA ... agent debug1: Will attempt key: ubuntu@cpaelzer-bastion RSA ... agent debug1: Will attempt key: paelzer@lap RSA ... agent debug1: Will attempt key: pael...@swarm.naarz.dyndns.org RSA ... agent debug1: Will attempt key: /home/paelzer/.ssh/id_dsa debug1: Will attempt key: /home/paelzer/.ssh/id_ecdsa debug1: Will attempt key: /home/paelzer/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/paelzer/.ssh/id_ed25519 debug1: Will attempt key: /home/paelzer/.ssh/id_ed25519_sk debug1: Will attempt key: /home/paelzer/.ssh/id_xmss with an -i set to a key that is in the agent, the defaults vanish. And since the key is listed & in the agent it is preferred already debug1: Will attempt key: /home/paelzer/.ssh/id_rsa.n RSA ... explicit agent debug1: Will attempt key: /home/paelzer/.ssh/id_rsa RSA ... agent debug1: Will attempt key: ubuntu@cpaelzer-bastion RSA ... agent debug1: Will attempt key: paelzer@lap RSA ... agent But if I create a new key and add it it is NOT preferrd (this is the bug in discussion here) debug1: Will attempt key: /home/paelzer/.ssh/id_rsa RSA ... agent debug1: Will attempt key: ubuntu@cpaelzer-bastion RSA ... agent debug1: Will attempt key: paelzer@lap RSA ... agent debug1: Will attempt key: pael...@swarm.naarz.dyndns.org RSA ... agent debug1: Will attempt key: /tmp/testkey RSA ... explicit The explicit one is down below in the order since it isn't in the agent. A final solution might want to insert them somewhere else than the very top and/or might want to do similar with certificates. But for the test the attached patch could be enough. ** Patch added: "experimental-1872145.debdiff" https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1872145/+attachment/5357863/+files/experimental-1872145.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1872145 Title: explicit key offered after all agent keys, auth can fail before explicit key used To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1872145/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs