In my ssh_config, I have configured SSH to use a specific key when connecting to a host. I want SSH to try only this key, not any other key it may find (in ssh agent or some other location), so I specified IdentitiesOnly, too.

Host *.foobar.com
   IdentityFile ~/.ssh/keys/id_ed25519
   IdentitiesOnly yes

Now, the key is password-protected for better security. To avoid typing the password every time, I've added it to ssh-agent (along with some other key):

$ ssh-add -l
256 SHA256:1seMMJNjoexbRqNlVDe9kxkWm8s7fKAEuo+dP+hYut0 (ED25519)
2048 SHA256:p5SXMJNjoexbRqNl8roRamdzz+HFVlRKxtQoEW3vLu0 (RSA)

However, when I try to connect, SSH keeps asking me for the password to decrypt the key. Why? When I changed the configuration to enforce using the other key from the agent, it worked.

Jan Warchoł

1 Answer

Turns out that, even though only private keys are necessary for connecting to hosts, using ssh-agent requires public keys to work correctly. I guess SSH identifies the keys available in the agent by their public part - without them it thinks that the key is not available.

The reason the other key worked was that I had a corresponding public key next to the private key - it looked like this:

~/.ssh/keys
├── id_ed25519
├── id_rsa
└── id_rsa.pub

After adding public key id_ed25519.pub (corresponding to the private key id_ed25519), everything started working as expected.

Jan Warchoł
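A small check that catches the situation described in this answer before it bites: for every IdentityFile declared in an ssh_config, confirm that the matching .pub file sits next to the private key. This is an added example, not code from the question or answer; the config path is passed as an argument, `~` is expanded against `$HOME`, and the optional agent comparison assumes `ssh-add`/`ssh-keygen` are on PATH.

```shell
#!/bin/sh
# Added example: verify that each IdentityFile in an ssh_config has a companion
# public key, since with IdentitiesOnly the client matches agent keys by their
# public part and silently falls back to prompting for the private key otherwise.

# Print the IdentityFile paths declared in the given config, with a leading ~ expanded.
list_identity_files() {
    awk 'tolower($1) == "identityfile" { print $2 }' "$1" | sed "s|^~|$HOME|"
}

# Exit 0 when every IdentityFile has <key>.pub beside it, 1 otherwise.
# Each missing file is reported on stderr together with the command that recreates it
# (ssh-keygen -y derives the public key from the private one; it prompts for the passphrase).
check_pubkeys() {
    missing=0
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if [ ! -f "$key.pub" ]; then
            echo "missing public key: $key.pub (recreate with: ssh-keygen -y -f '$key' > '$key.pub')" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$(list_identity_files "$1")
EOF
    [ "$missing" -eq 0 ]
}

# Optional: exit 0 when the agent currently holds the key whose public file is given.
# Compares the SHA256 fingerprint of <key>.pub against the output of `ssh-add -l`.
agent_has_key() {
    command -v ssh-add >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 || return 2
    fp=$(ssh-keygen -lf "$1" | awk '{ print $2 }')
    ssh-add -l 2>/dev/null | grep -F -q -- "$fp"
}

# Usage when run directly: ./check_pubkeys.sh ~/.ssh/config
if [ -n "$1" ]; then
    check_pubkeys "$1"
fi
```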