Ubuntu – Does ssh key need to be named id_rsa


I have come across this problem a couple of times when creating build servers with keyed authentication.

I was wondering if anyone else has experience this. I have a couple of keys for my current user that may connect to different machines. Let say machine1 and machine2. I have pasted my public key into their respective authorized_keys file. The first one I have named the first key id_rsa and the second key bender.

When I try to connect to bender I get the following output with my verbose ssh connection

debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bozo/.ssh/.ssh/identity
debug1: Trying private key: /home/bozo/.ssh/.ssh/id_rsa
debug1: Trying private key: /home/bozo/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

It only offers the id_rsa key, as you can see above. Is this correct? If so why? How do I get it to offer more keys? I know it is a problem I see intermittently, because I at home I have multiple keys without much trouble.

I would also appreciate a overview on how the pub and private keys interact with the client and server. I thought I had a pretty decent idea, but apparently I am missing something.

Please and thank you.

Best Answer

By default, ssh searches for id_dsa and id_rsa files. The keys do not have to be named like this, you can name it mykey just as well, or even place it in a different directory. However, if you do either of those, then you need to explicitly reference the key in the ssh command like so:

ssh user@server -i /path/to/mykey

If a command does not accept -i, e.g. sshfs, use the IdentityFile option:

sshfs -o IdentityFile=/path/to/mykey user@host:/path/on/remote /mountpoint

How It Works

When generating a key, you'll get two files: id_rsa (private key) and id_rsa.pub (public key). As their names suggest, the private key should be kept secret and the public key can be published to the public.

Public-key authentication works with a public and a private key. Both the client and the server have their own keys. When installing openssh-server the server public and private keys are generated automatically. For the client, you'll have to do that on your own.

When you (client) connect with a server, public keys are exchanged. You'll receive the servers one, and the server yours. The first time you receive the server public key, you'll be asked to accept it. If this public key changes over a time, you'll be warned because a possible MITM (Man in the middle) attack is going on, intercepting the traffic between the client and the server.

The server checks whether you are allowed to connect (defined in /etc/ssh/sshd_config) and if your public key is listed in the ~/.ssh/authorized_keys file. Possible reasons why the public key is denied:

  • /etc/ssh/sshd_config:
    • AllowUsers or AllowGroups is specified, but your server user is not listed in the groups or users list (default not defined, placing no restriction on the users or groups from logging in).
    • DenyUsers or DenyGroups is specified and you're in the users or groups list.
    • You're trying to login as root, but PermitRootLogin is set to No (default yes).
    • PubkeyAuthentication is set to No (default yes).
    • AuthorizedKeysFile is set to a different location, and the public keys are not added to that file (default .ssh/authorized_keys, relative to home dir)
  • ~/.ssh/authorized_keys: your public key is not added in this file (note that this file is read as root user)

Using multiple keys

It's not uncommon to use multiple keys. Instead of running ssh user@host -i /path/to/identity_file, you can use a configuration file, ~/.ssh/config.

Common settings are the IdentityFile (the keys) and port. The next configuration will check "id_dsa" and "bender" only when connecting with ssh youruser@yourhost:

Host yourhost
   IdentityFile ~/.ssh/id_dsa
   IdentityFile ~/.ssh/bender

If you omit Host yourhost, the settings will apply to all SSH connections. Other options can also be specified for this host match, like User youruser, Port 2222, etc. This would allow you to connect with the shorthand ssh yourhost instead of ssh -p2222 youruser@yourhost -i ~/.ssh/id_dsa -i ~/.ssh/bender.