diff --git a/include/libssh2.h b/include/libssh2.h
index 20ba5483..15dda6fc 100644
--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -508,6 +508,7 @@ typedef struct _LIBSSH2_POLLFD {
 #define LIBSSH2_ERROR_KEYFILE_AUTH_FAILED       -48
 #define LIBSSH2_ERROR_RANDGEN                   -49
 #define LIBSSH2_ERROR_MISSING_USERAUTH_BANNER   -50
+#define LIBSSH2_ERROR_ALGO_UNSUPPORTED          -51
 
 /* this is a define to provide the old (<= 1.2.7) name */
 #define LIBSSH2_ERROR_BANNER_NONE LIBSSH2_ERROR_BANNER_RECV
diff --git a/src/agent.c b/src/agent.c
index bce7175e..4ed79ac2 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -379,6 +379,7 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
     ssize_t method_len;
     unsigned char *s;
     int rc;
+    unsigned char *method_name = NULL;
     uint32_t sign_flags = 0;
 
     /* Create a request to sign the data */
@@ -465,8 +466,28 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
         rc = LIBSSH2_ERROR_AGENT_PROTOCOL;
         goto error;
     }
+
+    /* method name */
+    method_name = LIBSSH2_ALLOC(session, method_len);
+    if(!method_name) {
+        rc = LIBSSH2_ERROR_ALLOC;
+        goto error;
+    }
+    memcpy(method_name, s, method_len);
     s += method_len;
 
+    /* check to see if we match requested */
+    if((size_t)method_len != session->userauth_pblc_method_len ||
+        memcmp(method_name, session->userauth_pblc_method, method_len)) {
+        _libssh2_debug(session,
+                       LIBSSH2_TRACE_KEX,
+                       "Agent sign method %.*s",
+                       method_len, method_name);
+
+        rc = LIBSSH2_ERROR_ALGO_UNSUPPORTED;
+        goto error;
+    }
+
     /* Read the signature */
     len -= 4;
     if(len < 0) {
@@ -489,12 +510,18 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
     memcpy(*sig, s, *sig_len);
 
   error:
+
+    if(method_name)
+        LIBSSH2_FREE(session, method_name);
+
     LIBSSH2_FREE(session, transctx->request);
     transctx->request = NULL;
 
     LIBSSH2_FREE(session, transctx->response);
     transctx->response = NULL;
 
+    transctx->state = agent_NB_state_init;
+
     return _libssh2_error(session, rc, "agent sign failure");
 }
 
diff --git a/src/userauth.c b/src/userauth.c
index 84285bf0..59b76ca9 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -1283,9 +1283,6 @@ _libssh2_key_sign_algorithm(LIBSSH2_SESSION *session,
         if(key_method) {
             memcpy(*key_method, match, match_len);
             *key_method_len = match_len;
-
-            _libssh2_debug(session, LIBSSH2_TRACE_KEX,
-                           "Signing using %.*s", match_len, match);
         }
         else {
             *key_method_len = 0;
@@ -1321,6 +1318,10 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
         };
     int rc;
     unsigned char *s;
+    int auth_attempts = 0;
+
+    retry_auth:
+    auth_attempts++;
 
     if(session->userauth_pblc_state == libssh2_NB_state_idle) {
 
@@ -1364,13 +1365,26 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
                    session->userauth_pblc_method_len);
         }
 
-        /* upgrade key key signing algo needed */
-        rc = _libssh2_key_sign_algorithm(session,
-                                         &session->userauth_pblc_method,
-                                         &session->userauth_pblc_method_len);
+        /* upgrade key signing algo if it is supported and
+         * it is our first auth attempt, otherwise fallback to
+         * the key default algo */
+        if(auth_attempts == 1) {
+            rc = _libssh2_key_sign_algorithm(session,
+                                        &session->userauth_pblc_method,
+                                        &session->userauth_pblc_method_len);
 
-        if(rc)
-            return rc;
+            if(rc)
+                return rc;
+        }
+
+        if(session->userauth_pblc_method_len &&
+           session->userauth_pblc_method) {
+            _libssh2_debug(session,
+                           LIBSSH2_TRACE_KEX,
+                           "Signing using %.*s",
+                           session->userauth_pblc_method_len,
+                           session->userauth_pblc_method);
+        }
 
         /*
          * 45 = packet_type(1) + username_len(4) + servicename_len(4) +
@@ -1528,6 +1542,17 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
             return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN,
                                   "Would block");
         }
+        else if(rc == LIBSSH2_ERROR_ALGO_UNSUPPORTED && auth_attempts == 1) {
+            /* try again with the default key algo */
+            LIBSSH2_FREE(session, session->userauth_pblc_method);
+            session->userauth_pblc_method = NULL;
+            LIBSSH2_FREE(session, session->userauth_pblc_packet);
+            session->userauth_pblc_packet = NULL;
+            session->userauth_pblc_state = libssh2_NB_state_idle;
+
+            rc = LIBSSH2_ERROR_NONE;
+            goto retry_auth;
+        }
         else if(rc) {
             LIBSSH2_FREE(session, session->userauth_pblc_method);
             session->userauth_pblc_method = NULL;