Which private keys are tested by ssh without configuration?

Solution 1:

The ssh client will check all your keys until it finds one that matches.

This is how it works (very simplified; before this, a rather complex dance has already taken place to encrypt all of this):

  • The server creates an auth token.
  • The token is encrypted using your public key on the server.
  • The server sends the encrypted token to the client.
  • The client tries to decrypt the token, using all known private keys.
  • If it is successful, it will send the decrypted token back to the server.
  • If the token matches, the server will let the client in.

Which files count as keys depends on the client.

For the OpenSSH client (Ubuntu default client), according to its man page, the files that are supposed to be private keys are .ssh/id_rsa, .ssh/id_dsa, .ssh/id_ecdsa, plus those given after the -i flag (it supports multiple files) and those declared in the config file.

You can give it the -v option to make it print a line when it tries to use any file as a key. This is an example from a non-key login:

$ ssh -v www.hostremoved.com
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
<...>
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/javier/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/javier/.ssh/id_dsa
debug1: Trying private key: /home/javier/.ssh/id_ecdsa
debug1: Next authentication method: password
<...>

As you can see, it prints all the keys it tries, and they all fail. You can use this to discover which files ssh is using on your own system.

Below you can see the output if some existing key is found and tried:

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: user@xyz

user@xyz is the information appended to the public key.

If you're wondering how your ssh client finds your private keys, it's not magic. Under Gnome (xfce and KDE also) there is a special ssh-agent that automatically adds keys in the .ssh directory that have a corresponding public key ending in .pub.

If you do not have such a comfortable ssh agent, you'll have to add your private keys with ssh-add key.

Solution 2:

Assuming that you have copied the public key to the authorized_keys file on the remote machine, the ssh client will check whichever private key on the local machine matches the public key on the remote machine.

Solution 3:

Copied/pasted from ssh_config(5) in openssh-client 1:5.3p1-3ubuntu7:

IdentityFile

Specifies a file from which the user's RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication.

The file name may use the tilde syntax to refer to a user's home directory or one of the following escape characters: ‘%d’ (local user's home directory), ‘%u’ (local user name), ‘%l’ (local host name), ‘%h’ (remote host name) or ‘%r’ (remote user name).

It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.

The bottom line is that it depends on the protocol version. For version 2 (most likely these days), id_rsa and id_dsa are tried in that order according to the above doc. Newer versions may include other types of keys by default, like id_ecdsa. Check the man page in your version for the details.
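As an added example that is not part of this thread, the following Python reproduces the identity-file selection quoted in Solution 3 (the default IdentityFile list and its %-escapes, extended with the id_ecdsa default from Solution 1) and extracts the keys an `ssh -v` run reports, using the transcript from Solution 1 as constructed input. The function and variable names are mine; the rule that the defaults apply only when no -i / IdentityFile identity was configured is OpenSSH's behaviour (readconf.c), not something the thread states.

```python
import re
# Default IdentityFile values quoted from ssh_config(5) in Solution 3, plus the
# id_ecdsa default mentioned in Solution 1. Assumption: newer OpenSSH adds more.
DEFAULT_IDENTITIES = {
    1: ["~/.ssh/identity"],
    2: ["~/.ssh/id_rsa", "~/.ssh/id_dsa", "~/.ssh/id_ecdsa"],
}

def expand_identity_file(pattern, home, local_user, local_host, remote_host, remote_user):
    """Expand ~ and the %d %u %l %h %r escapes documented for IdentityFile."""
    escapes = {"d": home, "u": local_user, "l": local_host,
               "h": remote_host, "r": remote_user, "%": "%"}
    # Unknown escapes raise KeyError rather than silently producing a wrong path.
    expanded = re.sub(r"%(.)", lambda m: escapes[m.group(1)], pattern)
    if expanded == "~" or expanded.startswith("~/"):  # tilde syntax for $HOME
        expanded = home + expanded[1:]
    return expanded

def identity_files_to_try(explicit, protocol=2, **ctx):
    """Files the client tries, in order. OpenSSH falls back to the defaults
    only when no -i / IdentityFile identity was configured at all."""
    patterns = list(explicit) or DEFAULT_IDENTITIES[protocol]
    return [expand_identity_file(p, **ctx) for p in patterns]

# Lines `ssh -v` prints per identity. The name after "public key:" is a file
# path, or the key's comment (e.g. user@xyz) when the key came from the agent.
OFFER_RE = re.compile(r"^debug1: Offering (?:\S+ )?public key: (.+)$")
TRY_RE = re.compile(r"^debug1: Trying private key: (.+)$")

def keys_attempted(debug_output):
    """Return (kind, identity) pairs in the order ssh -v reported them."""
    found = []
    for line in debug_output.splitlines():
        if m := OFFER_RE.match(line):
            found.append(("offered", m.group(1).strip()))
        elif m := TRY_RE.match(line):
            found.append(("tried", m.group(1).strip()))
    return found

# Constructed sample, copied from the transcript in Solution 1.
SAMPLE_DEBUG = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/javier/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/javier/.ssh/id_dsa
debug1: Trying private key: /home/javier/.ssh/id_ecdsa
debug1: Next authentication method: password
"""
```

Feed `ssh -v host 2>&1` into `keys_attempted` to see which identities your own client actually offered, and compare with `identity_files_to_try` to spot a key that was expected but never tried.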