How to Fix SSH Offering Wrong Identity Key When Multiple Keys Are Configured


2 views

When working with multiple SSH identities for different purposes (like regular and administrative access to Git repositories), you might encounter situations where SSH stubbornly offers the wrong key despite explicit configuration.

In your case, the SSH client keeps offering id_alvaro_mantra when connecting to gitadmin.gammu.com, even though you've specifically configured id_gitolite_mantra in your ~/.ssh/config:

Host gitadmin.gammu.com
    User git
    IdentityFile /home/alvaro/.ssh/id_gitolite_mantra

The SSH client follows a specific order when trying authentication methods:

1. Keys specified via -i option
2. Keys specified in IdentityFile directives in config
3. Default keys (id_rsa, id_ecdsa, etc.)

However, there's an important behavior to understand: SSH will try ALL keys that the server might accept, unless explicitly told not to.

Add these directives to your problematic Host block:

Host gitadmin.gammu.com
    User git
    IdentityFile /home/alvaro/.ssh/id_gitolite_mantra
    IdentitiesOnly yes
    PreferredAuthentications publickey

The key options here are:

  • IdentitiesOnly yes - Only use the identities explicitly configured
  • PreferredAuthentications publickey - Skip other auth methods

Run with verbose output to confirm:

ssh -v gitadmin.gammu.com

You should now see only your specified key being offered:

debug1: Offering public key: /home/alvaro/.ssh/id_gitolite_mantra RSA SHA256:...

If you're using ssh-agent, you can manage which keys are added:

# Remove all keys
ssh-add -D

# Add only the specific key needed
ssh-add ~/.ssh/id_gitolite_mantra

Check your server's /etc/ssh/sshd_config for these settings:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

And ensure your authorized_keys file has the correct public keys for each user.

If issues persist:

  1. Verify file permissions (600 for private keys, 644 for public)
  2. Check for typos in hostnames in ~/.ssh/config
  3. Test with absolute paths for IdentityFile
  4. Clear known_hosts entries if you've changed server keys

When working with multiple SSH keys for different purposes, you might encounter situations where SSH stubbornly offers the wrong key despite explicit configuration. This commonly happens when:

  • Multiple keys exist in your ~/.ssh directory
  • SSH agent is managing some keys
  • The server accepts multiple keys for authentication

From your verbose output, we can see the key offering sequence:

debug2: key: /home/alvaro/.ssh/id_alvaro_mantra (0x7f7cb6c0fbc0)
debug2: key: /home/alvaro/.ssh/id_gitolite_mantra (0x7f7cb6c044d0)
debug1: Offering RSA public key: /home/alvaro/.ssh/id_alvaro_mantra

The SSH client is following its internal preference order when multiple valid keys exist.

Here are several reliable solutions:

1. Strict Host Configuration

Modify your ~/.ssh/config to be more specific:

Host gitadmin.gammu.com
    HostName gitadmin.gammu.com
    User git
    IdentityFile /home/alvaro/.ssh/id_gitolite_mantra
    IdentitiesOnly yes

The IdentitiesOnly yes directive is crucial - it tells SSH to only use the explicitly configured identity files.

2. Clear SSH Agent Cache

When using ssh-agent, cached keys might interfere:

ssh-add -D  # Remove all identities
ssh-add /home/alvaro/.ssh/id_gitolite_mantra  # Add only the needed key

3. Command-line Enforcement

Combine -i with -o to force behavior:

ssh -i /home/alvaro/.ssh/id_gitolite_mantra \
    -o IdentitiesOnly=yes \
    gitadmin.gammu.com

Check the server's authorized_keys file to ensure both keys are properly configured:

command="/usr/bin/gitolite-shell alvaro",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAA... alvaro@mantra
command="/usr/bin/gitolite-shell admin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAA... admin@mantra
  • Verify file permissions (chmod 600 for private keys)
  • Check for typos in hostnames in config
  • Ensure no conflicting entries in ~/.ssh/known_hosts
  • Test with ssh -Tv for detailed connection flow

Create a test script to verify key usage:

#!/bin/bash
TEST_KEY="$1"
SERVER="$2"

OUTPUT=$(ssh -T -i "$TEST_KEY" -o IdentitiesOnly=yes "$SERVER" 2>&1)
if [[ "$OUTPUT" == *"successful authenticated"* ]]; then
    echo "✓ Key $TEST_KEY works for $SERVER"
else
    echo "✗ Key $TEST_KEY failed for $SERVER"
    echo "$OUTPUT"
fi

Usage: ./test_key.sh /path/to/key gitadmin.gammu.com