I have come across this problem a couple of times when creating build servers with keyed authentication.
I was wondering if anyone else has experience this. I have a couple of keys for my current user that may connect to different machines. Let say machine1 and machine2. I have pasted my public key into their respective authorized_keys file. The first one I have named the first key id_rsa and the second key bender.
When I try to connect to bender I get the following output with my verbose ssh connection
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bozo/.ssh/.ssh/identity
debug1: Trying private key: /home/bozo/.ssh/.ssh/id_rsa
debug1: Trying private key: /home/bozo/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
It only offers the id_rsa key, as you can see above. Is this correct? If so why? How do I get it to offer more keys? I know it is a problem I see intermittently, because I at home I have multiple keys without much trouble.
I would also appreciate a overview on how the pub and private keys interact with the client and server. I thought I had a pretty decent idea, but apparently I am missing something.
Please and thank you.
By default, SSH searches for
id_rsa
,id_cdsa
,id_ecdsa_sk
,id_ed25519
,id_ed25519_sk
, andid_dsa
files. The keys do not have to be named like this, you can name itmykey
just as well, or even place it in a different directory. However, if you do either of those, then you need to explicitly reference the key in the ssh command like so:If a command does not accept
-i
, e.g.sshfs
, use theIdentityFile
option:How It Works
When generating a key, you'll get two files:
id_rsa
(private key) andid_rsa.pub
(public key). As their names suggest, the private key should be kept secret and the public key can be published to the public.Public-key authentication works with a public and a private key. Both the client and the server have their own keys. When installing
openssh-server
the server public and private keys are generated automatically. For the client, you'll have to do that on your own.When you (client) connect with a server, public keys are exchanged. You'll receive the servers one, and the server yours. The first time you receive the server public key, you'll be asked to accept it. If this public key changes over a time, you'll be warned because a possible MITM (Man in the middle) attack is going on, intercepting the traffic between the client and the server.
The server checks whether you are allowed to connect (defined in
/etc/ssh/sshd_config
) and if your public key is listed in the~/.ssh/authorized_keys
file. Possible reasons why the public key is denied:/etc/ssh/sshd_config
:AllowUsers
orAllowGroups
is specified, but your server user is not listed in the groups or users list (default not defined, placing no restriction on the users or groups from logging in).DenyUsers
orDenyGroups
is specified and you're in the users or groups list.PermitRootLogin
is set toNo
(defaultyes
).PubkeyAuthentication
is set toNo
(defaultyes
).AuthorizedKeysFile
is set to a different location, and the public keys are not added to that file (default.ssh/authorized_keys
, relative to home dir)~/.ssh/authorized_keys
: your public key is not added in this file (note that this file is read as root user)Using multiple keys
It's not uncommon to use multiple keys. Instead of running
ssh user@host -i /path/to/identity_file
, you can use a configuration file,~/.ssh/config
.Common settings are the IdentityFile (the keys) and port. The next configuration will check "id_dsa" and "bender" only when connecting with
ssh youruser@yourhost
:If you omit
Host yourhost
, the settings will apply to all SSH connections. Other options can also be specified for this host match, likeUser youruser
,Port 2222
, etc. This would allow you to connect with the shorthandssh yourhost
instead ofssh -p2222 youruser@yourhost -i ~/.ssh/id_dsa -i ~/.ssh/bender
.My favourite method allows the private key to be selected automatically
SSH will replace %l with the local machine name, %r with the remote username, and %h with the remote host, thus if I wanted to connect from my machine called foo to bar as user, I run:
And ssh would automatically use:
As the local host is also stored, this allows for home directories shared over NFS (different key per machine!) or even identifying which machine the key was meant to be on...
In consideration of StevenRoose's comment that it takes longer to specify many keys, and I happen to be playing around with a lot of keys, I would like to suggest my personal solution.
I create a symlink to the key that I want to use at the time, and since that only changes infrequently depending on which project I'm working on, I am happy with it.
Here I have linked to my keys for machines running under virtualbox:
One could also add a really quick script to change over to another set without having to manually type the ln command again.
Again, this isn't a solution for two keys only, but for a greater number, it might be workable.