Hi, I noticed that the ssh -i <keyfile> option is "ignored" in my case: On my server, I have two keys in .ssh/authorized_keys: command="echo A" ssh-rsa A... # Key A command="echo B" ssh-rsa B... # Key B Suppose these keys are stored on my client as A{,.pub} and B{,.pub}. Now the following situation: $ ssh-add -L ssh-rsa A... $ ssh -i B server A As you can see, when A is loaded in ssh-agent but B isn't, the connection is made with key A even when B is specifically requested. I looked around the source and found a few hints here and there (readconf.c:add_identity_files(), sshconnect2.c:pubkey_prepare(), the "userprovided" tag in the Options struct...), but overall it's unclear to me what the semantics of "-i" is actually meant to be. What I always expected from "-i" was that only the keys given with -i are tried, or at least these keys are tried first, irrespective of whether or not they are loaded into ssh-agent. I tried this with the versions from current Debian jessie, and also compiled the developer version 8ef691 from 2015-03-11 and got the same behaviour. Many regards, Jens Stimpfle _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev