For the same user, I have two keys on the local machine. On the remote server, both keys are in the authorized_keys file.

I delete one of the keys in the authorized_keys file.

I then try to ssh with the other key using the -i option. It succeeds. The auth log shows that the other (undeleted) key in the authorized_keys file was used to log in - despite me having tried to use the deleted key with the -i option.

Is this normal behavior?

I would expect ssh to try only the key that was specified with the -i option. I know that when no key is specified it tries them all. Shouldn't that not happen when a key is explicitly specified? Or is it more like: try the specified key first, then try the rest anyway?

Is the expected behavior documented somewhere?

ahron

1 Answer

Ok, I should have searched more thoroughly. There's an option to do just this.

To make SSH use only the specified identity file, I need to use the -o "IdentitiesOnly=yes" option:

ssh -o "IdentitiesOnly=yes" -i <private key filename> <hostname>

IdentitiesOnly

Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or passed on the ssh(1) command-line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.

ahron
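The behaviour in the question is what the IdentitiesOnly text describes from the other side: -i adds a key to the candidate list, but any key already loaded in ssh-agent (which is where the second, undeleted key typically lives) is still offered as well, so the server accepts it. Instead of repeating -o "IdentitiesOnly=yes" on every command line, the same restriction can be pinned per host in ~/.ssh/config. The following is an added example, not from the original post; the host alias, hostname, user name and key path are placeholders.

```sshconfig
# Added example (not from the original question or answer).
# Host alias, HostName, User and the key path are assumed values.

# Weak form: IdentityFile only ADDS this key to the list of candidates.
# Every identity held by ssh-agent is still offered in turn, so the
# server may accept some other key than the one named here.
Host build-server-loose
    HostName build.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_build

# Corrected form: IdentitiesOnly yes restricts ssh to the identity
# file(s) configured here (and any given with -i), ignoring extra keys
# offered by ssh-agent, a PKCS11Provider or a SecurityKeyProvider.
Host build-server
    HostName build.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_build
    IdentitiesOnly yes

# ssh_config uses the first matching value for each option, so a
# catch-all default belongs at the bottom of the file.
Host *
    IdentitiesOnly yes
```

To check which keys are actually being offered, run the connection with `ssh -v`: each candidate appears as an "Offering public key:" line in the debug output, and `ssh-add -l` lists what ssh-agent currently holds. With `IdentitiesOnly yes` in effect, only the configured file should be offered, and removing that key from the server's authorized_keys makes the login fail rather than silently succeeding with another key.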