[Feature request] Fabric does not appear to honor "IdentitiesOnly yes" in my ~/.ssh/config file #2300

Open
nathanael-naeri opened this issue Apr 14, 2024 · 0 comments

Hi, when using password authentication as follows (cleartext password, this is intentional):

from fabric import Connection

Connection(host='192.168.x.y', user='me', port=22, connect_kwargs={'password':'passwd'}).run('hostname')

Fabric (or Paramiko?) apparently tries the identities held by my SSH agent first, which are a number of SSH keys for servers other than 192.168.x.y, so none of them work:

$ ls ~/.ssh
config
id_ed25519_github
id_ed25519_github.pub
id_ed25519_gitlab
id_ed25519_gitlab.pub
[more keys]

$ ssh-add -l
256 SHA256:[...] username@users.noreply.github.com (ED25519)
256 SHA256:[...] username@users.noreply.gitlab.com (ED25519)
[more identities]

I know that Fabric tries the identities represented by the agent first, before the provided password, because dialog boxes appear one after the other asking for the passphrases to unlock my SSH keys before password authentication is attempted, and because disabling the agent with 'allow_agent':False in the connect_kwargs argument makes Fabric not ask for passphrases and proceed directly to password authentication.

This behavior is consistent with how OpenSSH's ssh command works, but it is not consistent with the following configuration I have in my ~/.ssh/config file:

# Code repositories

Host gitlab.com
  IdentityFile ~/.ssh/id_ed25519_gitlab

Host github.com
  IdentityFile ~/.ssh/id_ed25519_github

[more repositories]

# Personal computers

Host machine1
  Hostname machine1.mydomain.tld

Host machine2
  Hostname machine2.mydomain.tld

[more machines]

Match host *.mydomain.tld
  User myusername

# Only use the configured authentication identity files, even if ssh-agent
# offers more identities - see https://serverfault.com/questions/139870

Host *
  IdentitiesOnly yes

With IdentitiesOnly yes, I am explicitly requesting that the agent not be used, except for the hosts for which I have configured identity files. This is because I often have more than six SSH keys, which results in connections being refused because of too many authentication attempts if they are all tried, as explained in the ServerFault post.

OpenSSH's ssh command complies: running ssh -v me@192.168.x.y shows that none of my SSH keys is involved and I am directly asked for the password.

I was expecting Fabric/Paramiko to behave the same and honor IdentitiesOnly yes. So it was surprising to be asked for the passphrase for my GitHub SSH key when attempting to connect to a server in my local network...

Could Fabric consider honoring this parameter? Should I provide it differently? Is this something I should report to Paramiko instead?

Note 1: Tested in a venv on Ubuntu 20.04 with Python 3.12.2, Fabric 3.2.2, and Paramiko 3.4.0

Note 2: I don't start any SSH agent myself, nor do I explicitly load keys into it. My understanding is that an agent is started automatically when I log into my desktop session (GNOME), and that the identities configured in my ~/.ssh/config file are loaded into that agent.
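Added example, not Fabric's or Paramiko's own code and not part of the issue above: one way to get the IdentitiesOnly behaviour from the caller's side today is to resolve the ssh_config entry yourself and translate it into the Paramiko connect() parameters that actually control which identities are offered (`allow_agent`, `look_for_keys`, `key_filename`, all real `paramiko.SSHClient.connect()` keyword arguments). To run with no dependencies the block carries its own minimal ssh_config parser (Host blocks, negated patterns, `Match host`/`Match all`, first-value-wins, IdentityFile accumulating); it is a simplification of ssh(1) semantics, and `paramiko.SSHConfig` is the full implementation to prefer in real code. The sample config is constructed to mirror the layout in the issue; the host and password in the `__main__` section are the issue's placeholders.

```python
"""Derive Fabric/Paramiko connect_kwargs that honour IdentitiesOnly from ssh_config.

Added example (not Fabric's or Paramiko's code). Ships a minimal ssh_config
parser so it runs stand-alone; paramiko.SSHConfig implements the full semantics.
"""
import fnmatch
import os

# Constructed sample config, modelled on the layout described in the issue.
SAMPLE_SSH_CONFIG = """\
# Code repositories
Host gitlab.com
  IdentityFile ~/.ssh/id_ed25519_gitlab

Host github.com
  IdentityFile ~/.ssh/id_ed25519_github

# Personal computers
Host machine1
  Hostname machine1.mydomain.tld

Match host *.mydomain.tld
  User myusername

Host *
  IdentitiesOnly yes
"""


def _host_matches(patterns, host):
    """OpenSSH pattern-list semantics: a matching negated pattern vetoes the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def parse_ssh_config(text):
    """Return a list of (patterns, options) blocks in file order.

    Simplification: 'Match host <patterns>' and 'Match all' are matched against
    the name handed to lookup(); any other Match criteria yield a block that
    never matches, rather than being silently ignored.
    """
    blocks = []
    patterns, options = ["*"], {}  # directives before the first Host apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in ("host", "match"):
            blocks.append((patterns, options))
            words = value.split()
            if key == "host":
                patterns = words
            elif words[0].lower() == "all":
                patterns = ["*"]
            elif words[0].lower() == "host" and len(words) == 2:
                patterns = words[1].split(",")
            else:
                patterns = []  # unsupported Match criteria: never matches
            options = {}
        elif key == "identityfile":
            options.setdefault("identityfile", []).append(value)
        else:
            options.setdefault(key, value)  # first value wins, as in ssh(1)
    blocks.append((patterns, options))
    return blocks


def lookup(blocks, host):
    """Resolve an entry: first obtained value wins, IdentityFile accumulates."""
    result = {"identityfile": []}
    for patterns, options in blocks:
        if not _host_matches(patterns, host):
            continue
        for key, value in options.items():
            if key == "identityfile":
                result["identityfile"].extend(value)
            else:
                result.setdefault(key, value)
    return result


def connect_kwargs_for(blocks, host, password=None):
    """Translate the resolved entry into paramiko.SSHClient.connect() kwargs."""
    entry = lookup(blocks, host)
    kwargs = {}
    if password is not None:
        kwargs["password"] = password
    key_files = [os.path.expanduser(p) for p in entry["identityfile"]]
    if key_files:
        kwargs["key_filename"] = key_files
    if entry.get("identitiesonly", "no").lower() == "yes":
        # IdentitiesOnly: offer only the configured IdentityFile keys. Paramiko has
        # no direct switch for this, so disable the agent and the ~/.ssh/id_* scan;
        # the key_filename entries (if any) are still loaded from disk and tried.
        kwargs["allow_agent"] = False
        kwargs["look_for_keys"] = False
    return kwargs


if __name__ == "__main__":
    from fabric import Connection  # imported here so the parser needs no Fabric install

    with open(os.path.expanduser("~/.ssh/config")) as fh:
        blocks = parse_ssh_config(fh.read())
    target = "192.168.x.y"  # placeholder from the issue; replace with a real host
    kw = connect_kwargs_for(blocks, target, password="passwd")
    Connection(host=target, user="me", port=22, connect_kwargs=kw).run("hostname")
```

For a host that matches only the `Host *` block this yields `{'password': ..., 'allow_agent': False, 'look_for_keys': False}`, which is the `allow_agent: False` workaround from the issue, now driven by the config instead of hard-coded; for github.com it yields the GitHub key as `key_filename` with the agent and key scan disabled. Fabric's `Connection` already passes IdentityFile through on its own; the part it does not derive from ssh_config is the agent and key-scan decision, which is what this adds.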
