Does ssh key need to be named id_rsa?

Solution 1:

By default, ssh searches for id_dsa and id_rsa files. The keys do not have to be named like this; you can name them mykey just as well, or even place them in a different directory. However, if you do either of those, then you need to explicitly reference the key in the ssh command like so:

ssh user@server -i /path/to/mykey

If a command does not accept -i, e.g. sshfs, use the IdentityFile option:

sshfs -o IdentityFile=/path/to/mykey user@host:/path/on/remote /mountpoint

How It Works

When generating a key, you'll get two files: id_rsa (private key) and id_rsa.pub (public key). As their names suggest, the private key should be kept secret and the public key can be published to the public.

Public-key authentication works with a public and a private key. Both the client and the server have their own keys. When installing openssh-server the server public and private keys are generated automatically. For the client, you'll have to do that on your own.

When you (the client) connect to a server, public keys are exchanged. You'll receive the server's one, and the server yours. The first time you receive the server public key, you'll be asked to accept it. If this public key changes over time, you'll be warned, because a MITM (man-in-the-middle) attack may be going on, intercepting the traffic between the client and the server.

The server checks whether you are allowed to connect (defined in /etc/ssh/sshd_config) and if your public key is listed in the ~/.ssh/authorized_keys file. Possible reasons why the public key is denied:

  • /etc/ssh/sshd_config:
    • AllowUsers or AllowGroups is specified, but your server user is not listed in the groups or users list (default not defined, placing no restriction on the users or groups from logging in).
    • DenyUsers or DenyGroups is specified and you're in the users or groups list.
    • You're trying to log in as root, but PermitRootLogin is set to No (default yes).
    • PubkeyAuthentication is set to No (default yes).
    • AuthorizedKeysFile is set to a different location, and the public keys are not added to that file (default .ssh/authorized_keys, relative to the home directory).
  • ~/.ssh/authorized_keys: your public key is not added in this file (note that this file is read as root user)

Using multiple keys

It's not uncommon to use multiple keys. Instead of running ssh user@host -i /path/to/identity_file, you can use a configuration file, ~/.ssh/config.

Common settings are IdentityFile (the keys) and Port. The following configuration will check "id_dsa" and "bender" only when connecting with ssh youruser@yourhost:

Host yourhost
   IdentityFile ~/.ssh/id_dsa
   IdentityFile ~/.ssh/bender

If you omit Host yourhost, the settings will apply to all SSH connections. Other options can also be specified for this host match, like User youruser, Port 2222, etc. This would allow you to connect with the shorthand ssh yourhost instead of ssh -p2222 youruser@yourhost -i ~/.ssh/id_dsa -i ~/.ssh/bender.
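The denial reasons listed in this answer are easy to check by hand but also easy to script. What follows is an added example, not code from the original answer: a POSIX shell diagnostic that reads a constructed sshd_config and authorized_keys file and reports which of those rules would reject a given user and key. It deliberately simplifies sshd's real parsing: Match blocks, the keyword=value form, user@host patterns and wildcards in Allow/Deny lists, and quoted authorized_keys options containing spaces are not handled, so treat it as a first-pass check rather than a substitute for sshd -T or the server's auth log.

```shell
#!/bin/sh
# Added example, not from the original answer: apply the sshd_config and
# authorized_keys checks listed above to constructed sample files.
# Simplifications: Match blocks, the keyword=value form, user@host patterns
# and wildcards in Allow/Deny lists, and quoted options containing spaces in
# authorized_keys are not handled.

# Print the value of the first occurrence of a keyword in an sshd_config
# (sshd uses the first occurrence; keywords are case-insensitive).
sshd_opt() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Return 0 if $1 appears as a word in the space-separated list $2.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Evaluate the directives in sshd's documented order (DenyUsers, AllowUsers,
# DenyGroups, AllowGroups) plus PubkeyAuthentication and PermitRootLogin.
# $1 = login user, $2 = the user's group, $3 = path to sshd_config.
pubkey_login_allowed() {
    user=$1; group=$2; cfg=$3
    if [ "$(sshd_opt PubkeyAuthentication "$cfg")" = no ]; then
        echo "denied: PubkeyAuthentication no"; return 1
    fi
    if [ "$user" = root ] && [ "$(sshd_opt PermitRootLogin "$cfg")" = no ]; then
        echo "denied: PermitRootLogin no"; return 1
    fi
    lst=$(sshd_opt DenyUsers "$cfg")
    if [ -n "$lst" ] && in_list "$user" "$lst"; then
        echo "denied: $user is in DenyUsers"; return 1
    fi
    lst=$(sshd_opt AllowUsers "$cfg")
    if [ -n "$lst" ] && ! in_list "$user" "$lst"; then
        echo "denied: $user not in AllowUsers ($lst)"; return 1
    fi
    lst=$(sshd_opt DenyGroups "$cfg")
    if [ -n "$lst" ] && in_list "$group" "$lst"; then
        echo "denied: group $group is in DenyGroups"; return 1
    fi
    lst=$(sshd_opt AllowGroups "$cfg")
    if [ -n "$lst" ] && ! in_list "$group" "$lst"; then
        echo "denied: group $group not in AllowGroups ($lst)"; return 1
    fi
    echo allowed
}

# Return 0 if the key in $1 (an id_rsa.pub-style file) is listed in the
# authorized_keys file $2. Only the type and base64 blob are compared, so a
# different trailing comment does not matter; a leading options field
# (e.g. from="...") is skipped.
key_authorized() {
    want=$(awk '{ print $1, $2 }' "$1")
    awk -v want="$want" '
        /^[ \t]*#/ || NF < 2 { next }
        { i = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? 1 : 2
          if (($i " " $(i + 1)) == want) found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$2"
}

demo() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample, not a real server's configuration
Port 2222
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers alice bob
EOF
    # constructed key lines: the blobs are placeholders, not real keys
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop' > "$dir/mykey.pub"
    printf '%s\n' \
        'from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER bob@desk' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop' \
        > "$dir/authorized_keys"
    for who in alice:alice root:root carol:users; do
        printf '%s: ' "${who%%:*}"
        pubkey_login_allowed "${who%%:*}" "${who#*:}" "$dir/sshd_config" || true
    done
    if key_authorized "$dir/mykey.pub" "$dir/authorized_keys"; then
        echo "mykey.pub is listed in authorized_keys"
    fi
    rm -rf "$dir"
}
demo
```

Run it against a copy of the real files (sshd_config and the user's authorized_keys) before reaching for ssh -vvv; the most common surprise is a key whose comment was edited after it was pasted, which is why only the type and blob are compared.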

Solution 2:

My favourite method allows the private key to be selected automatically:

IdentityFile ~/.ssh/%l_%r@%h_id_rsa

SSH will replace %l with the local machine name, %r with the remote username, and %h with the remote host, so if I wanted to connect from my machine called foo to bar as user, I run:

ssh bar

And ssh would automatically use:

~/.ssh/foo_user@bar_id_rsa

As the local host is also stored, this allows for home directories shared over NFS (different key per machine!) or even identifying which machine the key was meant to be on...

Solution 3:

In consideration of StevenRoose's comment that it takes longer to specify many keys, and I happen to be playing around with a lot of keys, I would like to suggest my personal solution.

I create a symlink to the key that I want to use at the time, and since that only changes infrequently depending on which project I'm working on, I am happy with it.

Here I have linked to my keys for machines running under virtualbox:

$ cd .ssh/
$ ln -s adam_vbox-id_rsa.pub id_rsa.pub
$ ln -s adam_vbox-id_rsa id_rsa

$ ls -l
total 12
-rw------- 1 adam adam 1675 2013-10-04 02:04 adam_vbox-id_rsa
-rw-r--r-- 1 adam adam  396 2013-10-04 02:04 adam_vbox-id_rsa.pub
lrwxrwxrwx 1 adam adam   16 2013-10-04 02:17 id_rsa -> adam_vbox-id_rsa
lrwxrwxrwx 1 adam adam   20 2013-10-04 02:17 id_rsa.pub -> adam_vbox-id_rsa.pub
-rw-r--r-- 1 adam adam 3094 2013-10-04 02:09 known_hosts

One could also add a really quick script to change over to another set without having to manually type the ln command again.

Again, this isn't a solution for two keys only, but for a greater number, it might be workable.
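The "really quick script" mentioned in this answer is worth writing carefully, because a wrong symlink swap is easy to do by hand. The following is an added example, not the answer author's script: a use_key helper that repoints id_rsa and id_rsa.pub at a named key pair in the .ssh directory. Before switching it checks that both halves of the pair exist, that the private key is mode 600 or 400 (ssh refuses a group- or world-readable private key), and that it is only replacing symlinks, never a real id_rsa file. The key names and the .ssh directory argument are the example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original answer: switch which key pair
# ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub point at, with safety checks.

# use_key NAME [SSHDIR]: point id_rsa -> NAME and id_rsa.pub -> NAME.pub
# inside SSHDIR (default ~/.ssh). Returns 1 without changing anything if
# the pair is missing, the private key is too permissive, or id_rsa is a
# regular file rather than a symlink.
use_key() {
    name=$1
    sshdir=${2:-$HOME/.ssh}
    priv="$sshdir/$name"
    pub="$sshdir/$name.pub"

    if [ ! -f "$priv" ] || [ ! -f "$pub" ]; then
        echo "use_key: $name: private or public key not found in $sshdir" >&2
        return 1
    fi
    # ssh ignores a private key readable by group/others
    # ("UNPROTECTED PRIVATE KEY FILE!"), so catch that before switching.
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c %a "$priv" 2>/dev/null || stat -f %Lp "$priv")
    case $mode in
        600|400) ;;
        *) echo "use_key: $priv has mode $mode; expected 600" >&2; return 1 ;;
    esac
    # Only ever replace symlinks: a real id_rsa would be lost otherwise.
    for f in "$sshdir/id_rsa" "$sshdir/id_rsa.pub"; do
        if [ -e "$f" ] && [ ! -L "$f" ]; then
            echo "use_key: $f is a regular file, not a symlink; refusing to overwrite" >&2
            return 1
        fi
    done
    # Relative targets, exactly like the ls -l listing above shows.
    ln -sfn "$name" "$sshdir/id_rsa"
    ln -sfn "$name.pub" "$sshdir/id_rsa.pub"
    echo "id_rsa -> $name"
}

# current_key [SSHDIR]: print the key name id_rsa currently points at.
current_key() {
    readlink "${1:-$HOME/.ssh}/id_rsa"
}

demo() {
    dir=$(mktemp -d)
    # constructed placeholder key pairs (not real key material)
    for k in adam_vbox-id_rsa adam_work-id_rsa; do
        printf 'constructed private key placeholder\n' > "$dir/$k"
        printf 'constructed public key placeholder\n' > "$dir/$k.pub"
        chmod 600 "$dir/$k"
    done
    use_key adam_vbox-id_rsa "$dir"
    use_key adam_work-id_rsa "$dir"
    echo "now using: $(current_key "$dir")"
    # Loosen one private key's permissions and show the switch being refused.
    chmod 644 "$dir/adam_vbox-id_rsa"
    use_key adam_vbox-id_rsa "$dir" || echo "switch refused, still using $(current_key "$dir")"
    rm -rf "$dir"
}
demo
```

Drop the functions into a shell startup file and run use_key adam_vbox-id_rsa when changing projects; because the symlinks are relative, the .ssh directory can still be copied or NFS-mounted elsewhere without the links breaking.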