How can I convince ssh that id_dsa is not stored in ~/.ssh when connecting to one particular host?

The obvious question is why. The answer is this key is more sensitive and needs to be password protected while the other is used for automation.

While this is not a programming problem, I would not be surprised to learn this requires a programming solution.

+2  A: 

From the ssh man page:

 -i identity_file
         Selects a file from which the identity (private key) for RSA or
         DSA authentication is read.  The default is ~/.ssh/identity for
         protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for
         protocol version 2.  Identity files may also be specified on a
         per-host basis in the configuration file.  It is possible to have
         multiple -i options (and multiple identities specified in
         configuration files).
Schwern
Darn it. I read the man page and missed it.
Joshua
+4  A: 

In your .ssh/config, set something like:

Host somehost
     IdentityFile /path/to/extra_secret_key

I have one host that has IdentityFile set to ~/.ssh/iddsa_aux, but the parameter should accept any path name.

bwalton
Great. Exactly what I was looking for and couldn't find. You wouldn't believe how close I came to making a second copy of ssh and modifying it with a hex editor.
Joshua
+4  A: 

There's a handy trick you can use to make it really easy; oddly, I just discussed this 30 minutes ago with a friend.

~/.ssh/config

IdentityFile ~/.ssh/ident/%r@%h
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa

This makes it really easy to use a fallback pattern, as the options are run through top to bottom.

Then to specify a specific key for "Bob@someHost" you just have to create the file

~/.ssh/ident/Bob@someHost

And it will try that first when logging into that host.

If the file cannot be found, or the key is rejected, it will try the next one, in this case,

~/.ssh/id_rsa

The benefit of this technique is you don't have to add a new entry every time you add another host; all you have to do is create the keyfile in the right place and it does the rest automatically.

Kent Fredric
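To see the fallback walk described in the last answer concretely, here is an added example (not code from the question or any of the answers) that replays how OpenSSH expands the %r/%h/%u/%d tokens in IdentityFile and offers every listed key that exists, in config order, silently skipping the missing ones. It assumes a constructed temporary directory standing in for ~/.ssh, so it runs offline and touches no real keys.

```shell
#!/bin/sh
# Added example, not from the original post: replay OpenSSH's IdentityFile
# token expansion and top-to-bottom fallback over a sandbox ~/.ssh.
set -eu

SSH_DIR=$(mktemp -d)                 # constructed stand-in for ~/.ssh
mkdir -p "$SSH_DIR/ident"
: > "$SSH_DIR/ident/Bob@someHost"    # constructed per-user@host key
: > "$SSH_DIR/id_rsa"                # constructed general fallback key
# No id_dsa is created, so that entry drops out of the walk below.

# IdentityFile lines from the answer, in config order (one per line).
IDENTITY_PATTERNS='~/.ssh/ident/%r@%h
~/.ssh/id_rsa
~/.ssh/id_dsa'

# expand_tokens PATTERN REMOTE_USER HOST
# %r = remote user, %h = host, %u = local user, %d = local home directory.
# A leading "~/.ssh" is redirected into the sandbox instead of the real home.
expand_tokens() {
  printf '%s\n' "$1" | sed \
    -e "s|^~/\.ssh|$SSH_DIR|" \
    -e "s|%d|$SSH_DIR|g" \
    -e "s|%r|$2|g" \
    -e "s|%h|$3|g" \
    -e "s|%u|$(id -un)|g"
}

# identity_order REMOTE_USER HOST
# Prints the key files ssh would offer for this login, in the order it
# would try them; patterns that expand to a missing file are skipped.
identity_order() {
  printf '%s\n' "$IDENTITY_PATTERNS" | while IFS= read -r pat; do
    path=$(expand_tokens "$pat" "$1" "$2")
    if [ -r "$path" ]; then
      printf '%s\n' "$path"
    fi
  done
}

identity_order Bob someHost      # ident/Bob@someHost first, then id_rsa
identity_order alice otherhost   # only id_rsa: no per-host key exists
```

Keys loaded into ssh-agent are offered whether or not they appear in this list, so a sensitive key meant for one host only also needs IdentitiesOnly yes in that Host block, which limits ssh to the IdentityFile entries it was given.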