With ssh -i <private key filename> you can instruct ssh to use an extra private key to try authentication.

The documentation is not clear on how to explicitly use only that key.


3 Answers 3


You can use the IdentitiesOnly option:

ssh -o "IdentitiesOnly=yes" -i <private key filename> <hostname>

from the man page for ssh_config(5):

         Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly config‐
         ured in the ssh_config files or passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identi‐
         ties.  The argument to this keyword must be yes or no (the default).  This option is intended for situations where ssh-agent offers many different identi‐
  • 28
    actually 'IdentitiesOnly' disables prompting ssh-agent, but still offers defaults and ssh_config'd keys.
    – rogerovo
    Commented Jun 25, 2014 at 6:55
  • 7
    The important thing for me was that it does not look in e.g. my ~/.ssh directory for keys to try. Commented Jun 25, 2014 at 8:50
  • 3
    Thanks! I needed the -o "IdentitiesOnly=yes" bit to prevent ssh-agent from overriding the private key specified. Commented Mar 19, 2019 at 20:10
  • 3
    This is super handy for determining which key works with a given host when you have keys cached in ssh-agent. The only way I could figure it out without this flag was to use strace to dump the IO, which was pretty tedious.
    – Wil
    Commented Jun 5, 2019 at 16:11
  • 6
    You can also add -v to your ssh command to know which key is being used (add more v if one is not enough)
    – 2072
    Commented Apr 7, 2021 at 8:43

An alternative could be to generate a pair of keys using


and create a special configuration for the specified host and corresponding private key

Edit ~/.ssh/config

Host handy_server
    HostName x.y.z.w
    IdentityFile ~/.ssh/handy
    IdentitiesOnly yes
    User userk
    Port 22
  • Yes IdentityFile should point to the private key file. Now updated. Commented Sep 8, 2022 at 6:01
  • This doesn't answer the question, since all identify files in the config will be attempted, for example "HostName *" entries. From the ssh_config man page: "It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence."
    – brandon
    Commented Oct 18, 2023 at 5:46
  • 1
    @brandon This seems to answer the question of "Howto force ssh to use a specific private key?" since it the IdentityFile is the specific private key you're using. I didn't specify the HostName for my entry in my config file and it didn't seem to matter. This is a better answer than the accepted one since I just wanted to copy + paste stuff to my ~/.ssh/config file and modify accordingly. Sometimes doing everything from command line is a bit overkill imo.
    – hellatan
    Commented Oct 19, 2023 at 20:39
  • @hellatan, It uses all applicable identity files, as stated in the man page, rather than a specific one. See my replies to my answer below for details. It worked for you because it tries all of them, including the right one. You can use -v to see all the files it tried. Maybe it only tried one in your specific setup, but, but it will attempt others, rather than just a specific one, which can cause a failure in some cases (like "too many attempts").
    – brandon
    Commented Jan 4 at 23:35

The accepted answer is incorrect, since all identity files in the default config will also be used in addition to those specified with the -i arguments. This can be a problem if the device you're connecting to has an authentication attempt limit that can be exceeded before eventually getting to the correct key.

To force it to use the single private key file, and only that key, you can specify a nonexistent config file with the -F argument:

ssh -F /dev/null -o IdentitiesOnly=yes -i <private key filename> <hostname>

Using the -v argument will show the keys being used. You should now see that only one is used. Look for "Will attempt key: " lines.

  • 3
    Seconding this, the accepted answer still tried my ~/.ssh/id_ed25519 file, while this one only tries the given key. See also @rogerovo comment on the accepted answer.
    – dtech
    Commented Apr 5, 2023 at 11:24
  • 1
    Adding -F seems to be only needed if you explicitly set an IdentityFile in your config. In that case adding -o "IdentityFile=/dev/null" might be a safer option, not losing any other config you might have. Commented Apr 5, 2023 at 19:59
  • 2
    @Peregrino69, the man page for ssh_config correctly states that only identity files configured will be used for the connection, for any config file used. The problem is, the default config file (~./ssh/config) is used by default, requiring the -F to specify a different config, and not use the default. Many of us have "Host *" type entries in our default config, for devices without fixed IPs. See the ssh man page for details, since -F is a an ssh argument.
    – brandon
    Commented Apr 6, 2023 at 22:35
  • 2
    @HermanvanRink, I just double checked, and this doesn't work. As the ssh_config man page states, "It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.". Without -F pointing to a different file, the default (usually ~/.ssh/config) is used on top of any -o options (see ssh man page for -F argument). If there are matching entries in that default config, like 'Host *', they will all be used. -v shows the configuration files loaded, and the identify files used.
    – brandon
    Commented Apr 6, 2023 at 22:37

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .