ssh -i: Use a Specific Key File in CI
ssh -i <keyfile> tells ssh which private key to offer when authenticating to the server.
In a pipeline the deploy key rarely lives at the default path, so you point at it explicitly with -i. Get the file permissions right or ssh ignores the key.
What it does
ssh -i specifies the identity (private key) file used for public-key authentication. Without it, ssh tries the default keys such as ~/.ssh/id_ed25519 and ~/.ssh/id_rsa. The matching public key must be in the server's authorized_keys.
Common usage
ssh -i ~/.ssh/deploy_key user@host
ssh -i ./deploy_key -o IdentitiesOnly=yes user@host "uptime"
# write a CI secret to a key file with safe perms first
install -m 600 /dev/null deploy_key
printf '%s' "$DEPLOY_KEY" > deploy_key
ssh -i deploy_key user@hostOptions
| Flag | What it does |
|---|---|
| -i <file> | Identity (private key) file to authenticate with |
| -o IdentitiesOnly=yes | Only offer the -i key, not agent or default keys |
| -l <user> | Login user (alternative to user@host) |
| -v | Verbose; shows which keys are offered and why auth fails |
In CI
After writing a key from a secret, set its mode to 600 (chmod 600 deploy_key). OpenSSH refuses a private key that is group- or world-readable and silently skips it, which then surfaces as a publickey failure. Add -o IdentitiesOnly=yes so a loaded agent does not offer the wrong key first.
Common errors in CI
Permission denied (publickey) means no offered key was accepted; check that the public key is in authorized_keys and that perms on the key file are 600. "Permissions 0644 for 'deploy_key' are too open. ... This private key will be ignored." is the literal warning when the mode is too loose; chmod 600 the file. "Load key 'deploy_key': invalid format" means the key body was truncated or mangled, often a stripped trailing newline.