So, you regularly use ssh to connect to a few different hosts – using different private keys for each user/server combination.
Your ~/.ssh/ directory already has a few named private keys in it – you add a couple, bring the total to 5 or more…
ls ~/.ssh/
dave_mars.id_dsa sue_deimos.id_dsa steve_deimos.id_dsa irene_phobos.id_dsa lee_phobos.id_dsa sue_mars.id_dsa red_deimos.id_dsa
…and try connecting:
ssh -i .ssh/sue_mars.id_dsa -l sue mars
You’re denied, with an error like:
Received disconnect from {mars' IP address} 2: Too many authentication failures for sue.
This is confusing, because this may be the first time you’ve tried connecting to phobos with sue’s account.
Add the verbose switch to your ssh command:
ssh -v -i .ssh/sue_phobos.id_dsa -l sue phobos
You’ll see this at the end of the negotiation:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/dave_mars.id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: .ssh/sue_deimos.id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: .ssh/steve_deimos.id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: .ssh/irene_phobos.id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: .ssh/lee_phobos.id_dsa
Received disconnect from {phobos' IP address}: 2: Too many authentication failures for sue
Your local ssh agent is offering any key it can find, pre-loaded and cached from the .ssh directory (prove this caching by moving the other named keys somewhere else on your system – they’ll still be offered). The -i flag is more of a guideline or hint to the agent.
To force the ssh client to offer only the key specified by -i, use the
-o IdentitiesOnly=yes
option:
ssh -o IdentitiesOnly=yes -i .ssh/sue_phobos.id_dsa -l sue phobos
or:
ssh -o "IdentitiesOnly yes" -i .ssh/sue_phobos.id_dsa -l sue phobos
…you’re connected.
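To confirm which keys were actually offered, with and without IdentitiesOnly, you can summarise the verbose output. This is an added example, not part of the original post: the function name summarize_offers, the sample_* helpers and the sample logs (including the 192.0.2.10 address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the key offers in `ssh -v` output read from stdin.
# summarize_offers and the sample_* helpers are hypothetical names.

# summarize_offers WANTED_KEY_PATH
# Prints: offered=N wanted_offered=yes|no too_many_failures=yes|no
summarize_offers() {
    awk -v wanted="$1" '
        /^debug1: Offering .*public key:/ {
            # Strip the prefix; the key path is then the first field.
            sub(/^debug1: Offering .*public key: */, "")
            n++
            if ($1 == wanted) hit = 1
        }
        /Too many authentication failures/ { fail = 1 }
        END {
            printf "offered=%d wanted_offered=%s too_many_failures=%s\n",
                   n, (hit ? "yes" : "no"), (fail ? "yes" : "no")
        }'
}

# Constructed sample: the failing negotiation shown above.
sample_without_option() {
    cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/dave_mars.id_dsa
debug1: Offering RSA public key: .ssh/sue_deimos.id_dsa
debug1: Offering RSA public key: .ssh/steve_deimos.id_dsa
debug1: Offering RSA public key: .ssh/irene_phobos.id_dsa
debug1: Offering RSA public key: .ssh/lee_phobos.id_dsa
Received disconnect from 192.0.2.10: 2: Too many authentication failures for sue
EOF
}

# Constructed sample: the same connection with -o IdentitiesOnly=yes.
sample_with_option() {
    cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/sue_phobos.id_dsa
debug1: Authentication succeeded (publickey).
EOF
}

sample_without_option | summarize_offers .ssh/sue_phobos.id_dsa
sample_with_option    | summarize_offers .ssh/sue_phobos.id_dsa
```

Against a real connection, pipe the debug stream (ssh writes it to stderr) into the function: ssh -v -i .ssh/sue_phobos.id_dsa -l sue phobos 2>&1 | summarize_offers .ssh/sue_phobos.id_dsa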