ssh-agent is ignored when with "IdentitiesOnly yes" config file setting #1550

Closed
bersbersbers opened this issue Feb 12, 2020 · 6 comments
@bersbersbers

"OpenSSH for Windows" version
8.1.0.0

Server OperatingSystem
Linux

Client OperatingSystem
Windows 10 Pro

What is failing
When using IdentitiesOnly yes in an SSH config, ssh.exe always asks for the encryption key of an encrypted authentication key, even if

  • this key is loaded in ssh-agent and
  • AddKeysToAgent yes is set in the same config files (even though the key is added to the agent).

I do not think this is intended behavior.

This behavior has been described in #1133 (comment), but that issue has been closed, probably because there were a host of tangent issues discussed.

Expected output
The key should be obtained from the ssh-agent.

Actual output
It is not.

@bbeckford

bbeckford commented Jan 28, 2021

I'm also having this issue on Windows 10.

If I leave out IdentitiesOnly I am not asked for a passphrase; if I add IdentitiesOnly yes I am prompted for the passphrase.

If I then add say 15 identities to the config file without IdentitiesOnly, I get the "Too many authentication failures" error and I can't log in at all.

Is this being worked on at all?

@jondspicer

I have also just encountered this issue.

Any update?

@Dean-NC

Dean-NC commented May 22, 2021

Anybody home??

@MiroslavMikus

MiroslavMikus commented Feb 22, 2022

Hey, I have exactly the same issue. There is a high possibility that this is by design...

From man:
IdentitiesOnly

Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. The argument to this keyword must be "yes" or "no". This option is intended for situations where ssh-agent offers many different identities. The default is "no".

I have found a nice post on superuser.com.

Also, the workaround would be: replace IdentitiesOnly yes with AddKeysToAgent yes and run ssh-agent -D. This will work just perfect until you add more than 4~5 keys (I guess that adding order matters) to the ssh-agent. 😩

The mystery is: why does the config ignore IdentityFile when the IdentitiesOnly is set to no...

@bersbersbers
Author

bersbersbers commented Feb 25, 2022

> Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities.

To me, this does not necessarily imply that ssh could not also ask ssh-agent for those authentication identity files which are configured (unless there is a technical hurdle that I am overlooking).

> This will work just perfect until you add more than 4~5 keys

Which may very easily happen due to #1487.

@Tabiskabis

Tabiskabis commented Nov 2, 2022

In Linux OpenSSH, I have 6+ keys in the ssh-agent, which usually is too many. So I use -o IdentitiesOnly=yes -i publickey.pub (prepared the config file for convenience) to nail it down to only the private key in the agent that matches the specified public key.

OpenSSH man page:

IdentityFile may be used in conjunction with IdentitiesOnly to select which identities in an agent are offered during authentication
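
A simplified model of the key selection discussed in this thread, added here as an illustration; it is not code from OpenSSH or from any commenter. It assumes the client can read the public half of each IdentityFile and that the server uses the default MaxAuthTries of 6; the key names and both function names are constructed for the example.

```python
# Added example: simplified model of the order in which an OpenSSH client
# offers public keys. Key names are constructed labels, not real fingerprints.
MAX_AUTH_TRIES = 6  # sshd_config default for MaxAuthTries


def offered_keys(agent_keys, identity_files, identities_only):
    """Return [(key, source)] in the order the client would offer them.

    agent_keys      -- keys held by ssh-agent, in agent order
    identity_files  -- keys named by IdentityFile (public half readable)
    identities_only -- value of IdentitiesOnly
    """
    configured = list(dict.fromkeys(identity_files))  # de-duplicate, keep order
    in_agent = set(agent_keys)
    # Configured identities the agent holds: signed by the agent, no prompt.
    offers = [(k, "agent") for k in agent_keys if k in configured]
    # Unlisted agent keys are dropped when IdentitiesOnly is yes.
    if not identities_only:
        offers += [(k, "agent") for k in agent_keys if k not in configured]
    # Configured identities the agent lacks are loaded from disk, which is
    # where a passphrase prompt for an encrypted key comes from.
    offers += [(k, "file") for k in configured if k not in in_agent]
    return offers


def accepted_at(target, offers, max_tries=MAX_AUTH_TRIES):
    """1-based attempt at which the server accepts `target`, or None if the
    server disconnects first ("Too many authentication failures")."""
    for attempt, (key, _source) in enumerate(offers[:max_tries], start=1):
        if key == target:
            return attempt
    return None


if __name__ == "__main__":
    agent = [f"key{i:02d}" for i in range(1, 9)]  # 8 constructed agent keys
    wanted = "key08"                              # the only key the server accepts
    for files, only in [([], False), ([wanted], True), (["key99"], True)]:
        offers = offered_keys(agent, files, only)
        print(files, only, offers, accepted_at(wanted, offers))
```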
