When working with SSH agent forwarding, you might encounter an issue where the remote server tries all your forwarded keys instead of just the specific one you want to use. This becomes particularly problematic when:
- You have many keys loaded in your local SSH agent
- Different services require different keys (e.g., GitHub vs. production servers)
- Servers enforce limits on authentication attempts
The SSH client on the remote host sees all your forwarded keys as available options. Without proper configuration, it will try them sequentially until either:
- Authentication succeeds
- The server rejects with "Too many authentication failures"
The key to solving this is combining two configuration directives:

```
Host github.com
    IdentityFile ~/.ssh/id_rsa.github
    IdentitiesOnly yes
```
However, there's a crucial detail often missed - the path must reference the forwarded key correctly.
Here's how to properly configure this:

```sh
# On your local machine (where keys are stored)
$ ssh-add ~/.ssh/id_rsa.github
$ ssh-add -L   # verify the key is loaded

# On the remote machine, append to its SSH config
$ cat >> ~/.ssh/config <<EOF
Host github.com
    IdentityFile /home/your_username/.ssh/id_rsa.github
    IdentitiesOnly yes
EOF
```
The `(nil)` output indicates SSH couldn't find the key at the specified path. When using agent forwarding:
- The key isn't actually on the remote filesystem
- You must reference it through the agent
- The path in config should match how it appears in `ssh-add -L`
Here's a complete working example:

```sh
# First, check how your key appears in the agent
$ ssh-add -L
ssh-rsa AAAAB3Nza... /Users/yourname/.ssh/id_rsa.github

# Then use that exact path in the remote config
$ cat >> ~/.ssh/config <<EOF
Host github.com
    IdentityFile /Users/yourname/.ssh/id_rsa.github
    IdentitiesOnly yes
EOF
```
For more dynamic control, you can use:

```sh
$ SSH_AUTH_SOCK=/tmp/ssh-agent.sock ssh -o IdentitiesOnly=yes -o IdentityFile=/path/to/key ...
```
If you're still having issues:

```sh
# Check what keys are being offered
ssh -T -vvv git@github.com 2>&1 | grep Offering

# Verify agent forwarding is working
ssh -A remote_host
ssh-add -L   # should show your local keys

# Check config file permissions
chmod 600 ~/.ssh/config
```
Remember that agent forwarding has security implications:
- Only forward to trusted hosts
- Consider using `-o ForwardAgent=yes` per-connection instead of in config
- For sensitive environments, investigate SSH certificate authentication
When working with SSH agent forwarding, you might encounter a frustrating behavior where all your SSH keys get offered to remote servers, not just the specific key you want to use. This happens because:

```
$ ssh -T -vvv git@github.com 2>&1 | grep Offering
debug1: Offering RSA public key: /Users/user/.ssh/id_rsa.linode2
debug1: Offering RSA public key: /Users/user/.ssh/id_rsa.helium
debug1: Offering RSA public key: /Users/user/.ssh/id_rsa.github
```
The server sees multiple authentication attempts and may respond with "Too many authentication failures".
Normally, you'd use `IdentitiesOnly yes` in your SSH config to restrict key usage:

```
Host github.com
    IdentityFile ~/.ssh/id_rsa.github
    IdentitiesOnly yes
```
But with agent forwarding, this fails because:
- The key path is local to your original machine (host A)
- The forwarded agent doesn't expose key paths to the intermediate host (host B)
- Host B can't resolve the local path from host A
Here's how to properly specify which forwarded key to use:

```
Host github.com
    IdentityFile none
    IdentitiesOnly yes
    IdentityAgent ~/.ssh/agent.sock
```
Key points:
- `IdentityFile none` prevents local key file lookup
- `IdentitiesOnly yes` restricts to specified keys
- `IdentityAgent` points to your forwarded agent socket
For more control, consider setting up separate agents for different purposes:

```sh
# Start a dedicated agent for GitHub
eval $(ssh-agent -a ~/.ssh/github-agent.sock)
ssh-add ~/.ssh/id_rsa.github

# Then connect using this specific agent
ssh -o "IdentityAgent=~/.ssh/github-agent.sock" git@github.com
```
If you're still having issues, these commands help diagnose the problem:

```sh
# Check what keys are in your agent
ssh-add -L

# Verify agent forwarding is working
ssh -A intermediate-host 'echo $SSH_AUTH_SOCK'

# Test connection with verbose output
ssh -vvv git@github.com
```
Remember that agent forwarding has security implications:
- Only forward to trusted hosts
- Consider using `ProxyJump` instead when possible
- Regularly review and clean your SSH keys with `ssh-add -D`
With these techniques, you can maintain both security and convenience when working with forwarded SSH keys.
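As an added example (not code from either answer above), here is a small POSIX shell helper for the intermediate host that produces the "pin one forwarded key" configuration both answers are after: it takes the `ssh-add -L` listing, saves the chosen key's public half to a file, and prints a stanza with `IdentityFile` pointing at that file and `IdentitiesOnly yes`. It relies on OpenSSH accepting a public-key file as an identity and fetching the matching private key from the agent (here the forwarded one); the listing below is constructed with placeholder key blobs, and the helper name and arguments are my own.

```shell
# Constructed `ssh-add -L` listing as seen on the intermediate host; the key
# blobs are placeholders, not real keys.
SAMPLE_AGENT_KEYS='ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY0000 /Users/yourname/.ssh/id_rsa.linode2
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY1111 /Users/yourname/.ssh/id_rsa.github
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY2222 /Users/yourname/.ssh/id_rsa.helium'

# pin_forwarded_key HOST COMMENT_SUFFIX SSH_DIR AGENT_LISTING
# Picks the one agent key whose trailing comment ends with COMMENT_SUFFIX,
# saves its public half to SSH_DIR/<suffix>.pub and prints an ssh_config
# stanza for HOST. With IdentitiesOnly yes, ssh offers only that key and
# obtains the private half from the forwarded agent, so the other forwarded
# keys are never tried and the server's attempt limit is not exhausted.
pin_forwarded_key() {
    host=$1; suffix=$2; ssh_dir=$3; listing=$4
    # Exact suffix match on the comment field (last field), no regex involved.
    line=$(printf '%s\n' "$listing" | awk -v s="$suffix" \
        'length($NF) >= length(s) && substr($NF, length($NF) - length(s) + 1) == s')
    n=$(printf '%s\n' "$line" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "pin_forwarded_key: $n keys match '$suffix', need exactly 1" >&2
        return 1
    fi
    pub="$ssh_dir/$(basename "$suffix").pub"
    umask 077                      # nothing under ~/.ssh should be group/world readable
    mkdir -p "$ssh_dir"
    printf '%s\n' "$line" > "$pub"
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$host" "$pub"
}

# Typical use on the intermediate host after `ssh -A` from the laptop:
#   pin_forwarded_key github.com id_rsa.github "$HOME/.ssh" "$(ssh-add -L)" >> ~/.ssh/config
```

The helper refuses to write anything when zero or several agent keys match, so an ambiguous comment cannot silently pin the wrong key.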