How Does ssh-agent Select a Key if There's a Set?

When using ssh together with ssh-agent, which keeps a set of keys, what is the flow to select the right key? Is it ssh who requests the set of keys and iterates over them, or does ssh-agent produce the iterations itself?

In my case I'm using git on a private repo which is authorized over ssh with a non-default key (other than id_rsa). So if ssh-agent holds solely the desired key, git operates with the repo pretty well.

But when both id_rsa and repo_rsa are added to ssh-agent (in any order), the repo isn't authorized.

So who is in the git-ssh-ssh-agent chain responsible for the selection of the right key?

And is it possible to adjust the selection just on the ssh-agent level without pollution of .ssh/config with mapping fake host names to identities? So as to keep the repo URLs clean and leave the key selection just "under" the SSH_AUTH_SOCK?



Solution 1:[1]

So who is in the git-ssh-ssh-agent chain responsible for the selection of the right key?

Both ssh and ssh-agent. Git plays no part here. Ssh is ultimately responsible for trying the keys, so it has the ultimate responsibility. It is however plausible that, after requesting keys from the agent, ssh would try them in the order the agent handed them over, or perhaps the reverse of that order; and of course ssh-agent could (somehow) be instructed to hand over only the right one (perhaps via careful ssh-add -d use).

And is it possible to adjust the selection just on the ssh-agent level without pollution of .ssh/config with mapping fake host names to identities[?]

Apart from my not-entirely-serious ssh-add -d suggestion, I don't believe so, but I'm not an ssh expert.
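The agent side of the exchange described in the answer, as an added example that is not part of the original post: in the SSH agent protocol, the client sends an argument-less list request (message type 11) and the agent replies with an ordered list of public key blobs and comments (type 12), which the client then works through. The sample reply is constructed, with placeholder key material and the comments `id_rsa` and `repo_rsa` borrowed from the question; the function names are assumptions of this example.

```python
import os, socket, struct

SSH_AGENTC_REQUEST_IDENTITIES = 11   # client -> agent: "list your keys"
SSH_AGENT_IDENTITIES_ANSWER = 12     # agent -> client: the ordered list

def _string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_identities_answer(payload):
    """Return [(key_type, comment), ...] in the order the agent listed them."""
    if len(payload) < 5 or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = _string(payload, off)      # public key blob
        comment, off = _string(payload, off)   # usually the key file path
        key_type, _ = _string(blob, 0)         # blob starts with its algorithm name
        keys.append((key_type.decode(), comment.decode(errors="replace")))
    return keys

def query_agent(sock_path):
    """Send the list request to a live agent socket and parse its reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        # Framing: uint32 message length, then the one-byte message type.
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        f = s.makefile("rb")
        (n,) = struct.unpack(">I", f.read(4))
        return parse_identities_answer(f.read(n))

def _pack(b):
    return struct.pack(">I", len(b)) + b

# Constructed reply: two identities, placeholder bytes instead of real key material.
SAMPLE = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 2) + b"".join(
    _pack(_pack(b"ssh-rsa") + _pack(b"\x00" * 8)) + _pack(c)
    for c in (b"id_rsa", b"repo_rsa"))

if __name__ == "__main__":
    print(parse_identities_answer(SAMPLE))
    if os.environ.get("SSH_AUTH_SOCK"):        # list the keys of a running agent
        print(query_agent(os.environ["SSH_AUTH_SOCK"]))
```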

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 torek