Skip to content
Latchkey

ssh -i: Use a Specific Key File in CI

ssh -i <keyfile> tells ssh which private key to offer when authenticating to the server.

In a pipeline the deploy key rarely lives at the default path, so you point at it explicitly with -i. Get the file permissions right or ssh ignores the key.

What it does

ssh -i specifies the identity (private key) file used for public-key authentication. Without it, ssh tries the default keys such as ~/.ssh/id_ed25519 and ~/.ssh/id_rsa. The matching public key must be in the server's authorized_keys.

Common usage

Terminal
ssh -i ~/.ssh/deploy_key user@host
ssh -i ./deploy_key -o IdentitiesOnly=yes user@host "uptime"
# write a CI secret to a key file with safe perms first
install -m 600 /dev/null deploy_key
printf '%s' "$DEPLOY_KEY" > deploy_key
ssh -i deploy_key user@host

Options

FlagWhat it does
-i <file>Identity (private key) file to authenticate with
-o IdentitiesOnly=yesOnly offer the -i key, not agent or default keys
-l <user>Login user (alternative to user@host)
-vVerbose; shows which keys are offered and why auth fails

In CI

After writing a key from a secret, set its mode to 600 (chmod 600 deploy_key). OpenSSH refuses a private key that is group- or world-readable and silently skips it, which then surfaces as a publickey failure. Add -o IdentitiesOnly=yes so a loaded agent does not offer the wrong key first.

Common errors in CI

Permission denied (publickey) means no offered key was accepted; check that the public key is in authorized_keys and that perms on the key file are 600. "Permissions 0644 for 'deploy_key' are too open. ... This private key will be ignored." is the literal warning when the mode is too loose; chmod 600 the file. "Load key 'deploy_key': invalid format" means the key body was truncated or mangled, often a stripped trailing newline.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →