Some services like GitHub and GitLab distinguish between users based on the SSH identity sent. One way to do this is to have different host aliases in ~/.ssh/config:
    Host user1-github
        HostName github.com
        User git
        IdentityFile ~/.ssh/user1.pem
        IdentitiesOnly yes

    Host user2-github
        HostName github.com
        User git
        IdentityFile ~/.ssh/user2.pem
        IdentitiesOnly yes
This works as expected; however, setting "IdentitiesOnly yes" disables ssh-agent. If I remove IdentitiesOnly then whatever keys are added to the agent are offered to the server, taking precedence over the explicit IdentityFile.
What I want is for the ssh client to ask for a specific key from the agent and only offer that specific key to the server. As far as I can tell this is not possible with stock OpenSSH?!
The best workaround I found is to remove IdentitiesOnly for the most commonly used github identities and live with prompts for secondary identities.
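
A check for the situation described in the post, as an added example that is not part of the original post: it reads an ssh_config text and lists aliases that share a HostName and set an IdentityFile without `IdentitiesOnly yes`, so agent keys may be offered as well and the server may pick the wrong account. The function names and the sample config are constructed for illustration; only `Host` blocks with `*` and `?` patterns are handled (no `Match`, `Include` or negated patterns).

```python
import fnmatch
import re
from collections import defaultdict

# Constructed sample: the post's two aliases, with IdentitiesOnly removed
# from the first one (the workaround the post describes).
SAMPLE_CONFIG = """\
Host user1-github
    HostName github.com
    IdentityFile ~/.ssh/user1.pem
Host user2-github
    HostName github.com
    IdentityFile ~/.ssh/user2.pem
    IdentitiesOnly yes
"""

def parse_blocks(text):
    """Return [(host_patterns, {keyword: first_value})] in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to all
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:  # blank lines and comments do not match
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def resolve(alias, blocks):
    """Per keyword, the first value obtained wins, as in ssh_config(5)."""
    opts = {}
    for patterns, pairs in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in pairs.items():
                opts.setdefault(key, value)
    return opts

def audit(text):
    """Map each shared HostName to aliases that may offer agent keys too."""
    blocks = parse_blocks(text)
    by_host = defaultdict(list)
    for patterns, _ in blocks:
        for alias in (p for p in patterns if not set(p) & set("*?!")):
            opts = resolve(alias, blocks)
            by_host[opts.get("hostname", alias)].append((alias, opts))
    return {
        host: loose for host, entries in by_host.items() if len(entries) > 1
        and (loose := [a for a, o in entries if "identityfile" in o
             and o.get("identitiesonly", "no").lower() != "yes"])
    }
```

Calling `audit()` on the contents of `~/.ssh/config` returns an empty dict when every alias for a shared host restricts itself to its configured identity.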