With ssh -i <private key filename> you can instruct ssh to use an extra private key to try authentication.
The documentation is not clear on how to explicitly use only that key.
Asked
Active
Viewed 4.2e+01k times
210
Laurent FAVOLE
- 131
Herman van Rink
- 5,020
3 Answers
276
You can use the IdentitiesOnly option:
ssh -o "IdentitiesOnly=yes" -i <private key filename> <hostname>
from the man page for ssh_config(5):
IdentitiesOnly
Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly config‐
ured in the ssh_config files or passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identi‐
ties. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identi‐
ties.
Cosmay
- 3
Herman van Rink
- 5,020
33
An alternative could be to generate a pair of keys using
ssh-keygen
and create a special configuration for the specified host and corresponding private key
Edit ~/.ssh/config
Host handy_server
HostName x.y.z.w
IdentityFile ~/.ssh/handy
IdentitiesOnly yes
User userk
Port 22
Herman van Rink
- 5,020
UserK
- 459
31
The accepted answer is incorrect, since all identity files in the default config will also be used in addition to those specified with the -i arguments. This can be a problem if the device you're connecting to has an authentication attempt limit that can be exceeded before eventually getting to the correct key.
To force it to use the single private key file, and only that key, you can specify a nonexistent config file with the -F argument:
ssh -F /dev/null -o IdentitiesOnly=yes -i <private key filename> <hostname>
Using the -v argument will show the keys being used. You should now see that only one is used. Look for "Will attempt key: " lines.
brandon
- 419