151

With ssh -i <private key filename> you can instruct ssh to use an extra private key to try authentication.

The documentation is not clear on how to explicitly use only that key.

Herman van Rink

3 Answers

201

You can use the IdentitiesOnly option:

ssh -o "IdentitiesOnly=yes" -i <private key filename> <hostname>

From the man page for ssh_config(5):

  IdentitiesOnly
         Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities.  The argument to this keyword must be yes or no (the default).  This option is intended for situations where ssh-agent offers many different identities.
Cosmay
Herman van Rink
  • 27
    actually 'IdentitiesOnly' disables prompting ssh-agent, but still offers defaults and ssh_config'd keys. – rogerovo Jun 25 '14 at 06:55
  • 5
    The important thing for me was that it does not look in e.g. my ~/.ssh directory for keys to try. – Herman van Rink Jun 25 '14 at 08:50
  • 3
    Thanks! I needed the `-o "IdentitiesOnly=yes"` bit to prevent `ssh-agent` from overriding the private key specified. – user2708667 Mar 19 '19 at 20:10
  • 3
    This is super handy for determining which key works with a given host when you have keys cached in ssh-agent. The only way I could figure it out without this flag was to use strace to dump the IO, which was pretty tedious. – Wil Jun 05 '19 at 16:11
  • 4
    You can also add `-v` to your `ssh` command to know which key is being used (add more `v` if one is not enough) – 2072 Apr 07 '21 at 08:43
  • Worked flawlessly for me on macOS Big Sur’s SSH implementation – Florian Wendelborn Apr 17 '22 at 20:57
  • 2
    Downvote because it tries using `.ssh/id_rsa` which I have not specified with `-i`. Question as stated in title is not answered by this answer. – thomas Sep 07 '22 at 23:37
  • That's why the answer suggests to use the `-i` option to specify which key to use. – Herman van Rink Sep 08 '22 at 05:58
  • 2
    Thomas is right, even with `-o "IdentitiesOnly=yes" -i `, default `IdentityFile` keys in .ssh/config will be used before the identity specified. rogerovo said the same thing in 2014 – Matthew Feb 21 '23 at 06:41
  • What worked for me is this answer https://superuser.com/a/859719/445352 : in `.ssh/config` move any default `IdentityFile` entries inside a `Host * !` block. Then those identities will not be used when connecting to `` but will still be used by default – Matthew Feb 21 '23 at 06:50
  • See [brandon's answer](https://superuser.com/a/1777452) for how to actually only use the specified key. – dtech Apr 05 '23 at 11:30
15

An alternative could be to generate a pair of keys using

ssh-keygen

and create a special configuration for the specified host and corresponding private key

Edit ~/.ssh/config

Host handy_server
    HostName x.y.z.w
    IdentityFile ~/.ssh/handy
    IdentitiesOnly yes
    User userk
    Port 22
Herman van Rink
UserK
4

The accepted answer is incorrect, since all identity files in the default config will also be used in addition to those specified with the -i arguments. This can be a problem if the device you're connecting to has an authentication attempt limit that can be exceeded before eventually getting to the correct key.

To force it to use the single private key file, and only that key, you can specify a nonexistent config file with the -F argument:

ssh -F /dev/null -o IdentitiesOnly=yes -i <private key filename> <hostname>

Using the -v argument will show the keys being used. You should now see that only one is used. Look for "Will attempt key: " lines.

brandon
  • Welcome to SU. The [accepted answer](https://superuser.com/help/accepted-answers) quotes `ssh_config` man page, which very clearly states that only the configured key will be used in the connection. If you claim the man page is incorrect, you need to provide some resources that validate the claim. – Peregrino69 Apr 05 '23 at 06:26
  • 1
    Seconding this, the accepted answer still tried my ~/.ssh/id_ed25519 file, while this one only tries the given key. See also @rogerovo comment on the accepted answer. – dtech Apr 05 '23 at 11:24
  • 1
    Adding `-F` seems to be only needed if you explicitly set an IdentityFile in your config. In that case adding `-o "IdentityFile=/dev/null"` might be a safer option, not losing any other config you might have. – Herman van Rink Apr 05 '23 at 19:59
  • @Peregrino69, the man page for ssh_config correctly states that only identity files configured will be used for the connection, for any config file used. The problem is, the default config file (~/.ssh/config) is used by default, requiring the -F to specify a different config, and *not* use the default. Many of us have "Host *" type entries in our default config, for devices without fixed IPs. See the `ssh` man page for details, since -F is an `ssh` argument. – brandon Apr 06 '23 at 22:35
  • 1
    @HermanvanRink, I just double checked, and this doesn't work. As the ssh_config man page states, "It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.". Without -F pointing to a different file, the default (usually ~/.ssh/config) is used on top of any -o options (see `ssh` man page for -F argument). If there are matching entries in that default config, like 'Host *', they will all be used. -v shows the configuration files loaded, and the identity files used. – brandon Apr 06 '23 at 22:37
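
The check the last answer describes (reading the "Will attempt key:" lines of `ssh -v` output) can be scripted so that a surplus key is caught before it counts against a server's authentication attempt limit. This is an added example, not part of the original thread; the function names, paths, fingerprints and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the identities ssh says it will offer, from `ssh -v` output.

# Print the file path from every "Will attempt key:" debug line read on stdin.
# Assumption: key paths contain no spaces.
offered_keys() {
    sed -n 's/^debug1: Will attempt key: \([^ ]*\).*/\1/p'
}

# Succeed only if the log on stdin offers exactly one key and it is "$1".
only_key_offered() {
    keys=$(offered_keys)
    [ "$keys" = "$1" ]
}

# Constructed log: -o IdentitiesOnly=yes -i handy, with a default config that
# also sets IdentityFile, so a second key is still offered.
LOG_DEFAULT_CONFIG='debug1: Reading configuration data /home/alice/.ssh/config
debug1: Will attempt key: /home/alice/.ssh/handy ED25519 SHA256:CONSTRUCTED1 explicit
debug1: Will attempt key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED2 explicit'

# Constructed log: same command with -F /dev/null, so no config file is read.
LOG_NO_CONFIG='debug1: Will attempt key: /home/alice/.ssh/handy ED25519 SHA256:CONSTRUCTED1 explicit'

for name in LOG_DEFAULT_CONFIG LOG_NO_CONFIG; do
    eval "log=\$$name"
    if printf '%s\n' "$log" | only_key_offered /home/alice/.ssh/handy; then
        echo "$name: only the requested key is offered"
    else
        echo "$name: other keys are offered too:"
        printf '%s\n' "$log" | offered_keys | sed 's/^/  /'
    fi
done

# Against a real host, capture the debug output first (ssh writes it to stderr):
#   ssh -v -F /dev/null -o IdentitiesOnly=yes -i <private key filename> <hostname> 2>ssh-debug.log
#   only_key_offered <key path as printed by ssh> < ssh-debug.log
```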