Does ssh key need to be named id_rsa?
Solution 1:
By default, ssh searches for id_dsa
and id_rsa
files. The keys do not have to be named like this, you can name it mykey
just as well, or even place it in a different directory. However, if you do either of those, then you need to explicitly reference the key in the ssh command like so:
ssh user@server -i /path/to/mykey
If a command does not accept -i
, e.g. sshfs
, use the IdentityFile
option:
sshfs -o IdentityFile=/path/to/mykey user@host:/path/on/remote /mountpoint
How It Works
When generating a key, you'll get two files: id_rsa
(private key) and id_rsa.pub
(public key). As their names suggest, the private key should be kept secret and the public key can be published to the public.
Public-key authentication works with a public and a private key. Both the client and the server have their own keys. When installing openssh-server
the server public and private keys are generated automatically. For the client, you'll have to do that on your own.
When you (client) connect with a server, public keys are exchanged. You'll receive the servers one, and the server yours. The first time you receive the server public key, you'll be asked to accept it. If this public key changes over a time, you'll be warned because a possible MITM (Man in the middle) attack is going on, intercepting the traffic between the client and the server.
The server checks whether you are allowed to connect (defined in /etc/ssh/sshd_config
) and if your public key is listed in the ~/.ssh/authorized_keys
file. Possible reasons why the public key is denied:
-
/etc/ssh/sshd_config
:-
AllowUsers
orAllowGroups
is specified, but your server user is not listed in the groups or users list (default not defined, placing no restriction on the users or groups from logging in). -
DenyUsers
orDenyGroups
is specified and you're in the users or groups list. - You're trying to login as root, but
PermitRootLogin
is set toNo
(defaultyes
). -
PubkeyAuthentication
is set toNo
(defaultyes
). -
AuthorizedKeysFile
is set to a different location, and the public keys are not added to that file (default.ssh/authorized_keys
, relative to home dir)
-
-
~/.ssh/authorized_keys
: your public key is not added in this file (note that this file is read as root user)
Using multiple keys
It's not uncommon to use multiple keys. Instead of running ssh user@host -i /path/to/identity_file
, you can use a configuration file, ~/.ssh/config
.
Common settings are the IdentityFile (the keys) and port. The next configuration will check "id_dsa" and "bender" only when connecting with ssh youruser@yourhost
:
Host yourhost
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/bender
If you omit Host yourhost
, the settings will apply to all SSH connections. Other options can also be specified for this host match, like User youruser
, Port 2222
, etc. This would allow you to connect with the shorthand ssh yourhost
instead of ssh -p2222 youruser@yourhost -i ~/.ssh/id_dsa -i ~/.ssh/bender
.
Solution 2:
My favourite method allows the private key to be selected automatically
IdentityFile ~/.ssh/%l_%r@%h_id_rsa
SSH will replace %l with the local machine name, %r with the remote username, and %h with the remote host, thus if I wanted to connect from my machine called foo to bar as user, I run:
ssh bar
And ssh would automatically use:
~/.ssh/foo_user@bar_id_rsa
As the local host is also stored, this allows for home directories shared over NFS (different key per machine!) or even identifying which machine the key was meant to be on...
Solution 3:
In consideration of StevenRoose's comment that it takes longer to specify many keys, and I happen to be playing around with a lot of keys, I would like to suggest my personal solution.
I create a symlink to the key that I want to use at the time, and since that only changes infrequently depending on which project I'm working on, I am happy with it.
Here I have linked to my keys for machines running under virtualbox:
$ cd .ssh/
$ ln -s adam_vbox-id_rsa.pub id_rsa.pub
$ ln -s adam_vbox-id_rsa id_rsa
$ ls -l
total 12
-rw------- 1 adam adam 1675 2013-10-04 02:04 adam_vbox-id_rsa
-rw-r--r-- 1 adam adam 396 2013-10-04 02:04 adam_vbox-id_rsa.pub
lrwxrwxrwx 1 adam adam 16 2013-10-04 02:17 id_rsa -> adam_vbox-id_rsa
lrwxrwxrwx 1 adam adam 20 2013-10-04 02:17 id_rsa.pub -> adam_vbox-id_rsa.pub
-rw-r--r-- 1 adam adam 3094 2013-10-04 02:09 known_hosts
One could also add a really quick script to change over to another set without having to manually type the ln command again.
Again, this isn't a solution for two keys only, but for a greater number, it might be workable.