59

I am trying to make a more streamlined means to establish an SSH client connection to a remote server. I have created a public/private keypair and used `ssh-copy-id` to install the public key onto the remote server.

However, it still was asking for the password unless I put in the path for the identity file with something like `ssh -i ~/.ssh/mykey user@host`. Should I have to type this to bypass the password with public key authentication?

To bypass this I used `.bashrc` and created an alias using this path. However, is this the way to do this? Or is it just a question of the server allowing the public key so I can just use the usual `ssh user@host`?

DopeGhoti
Troy

1 Answer

88

If you are able to successfully use keypair authentication with `ssh -i ~/.ssh/mykey user@host`, you can easily automate this with your SSH client configuration.

For example, if you add this to your `~/.ssh/config` file:

```
Host hostname
  User username
  IdentityFile ~/.ssh/mykey
  # see comment in answer below
  IdentitiesOnly yes
```

You can then simply `ssh hostname`, and your username and identity file settings will be handled by your config file and you're off to the races, as they say.

The `IdentityFile` directive (which the `-i` switch for `ssh` overrides) has a default setting which will look for `~/.ssh/id_dsa`, `~/.ssh/id_ecdsa`, `~/.ssh/id_ed25519`, and `~/.ssh/id_rsa`; any other filenames for private keys must be specified in the config file or with `-i` on the command line.

If you add `IdentityFile` to your ssh config, you'll find that the client still sends the default key (see `ssh -vv` output). This can be problematic when using sites like GitHub with multiple accounts. You'll need to include `IdentitiesOnly yes` if you want ssh to use only the key you've specified.

DopeGhoti
  • 1
    I created '~/.ssh/config' like this: Host Hostname User IdentityFile ~/.ssh/ But when I 'ssh I receive "Bad owner or permissions on /home/benny/.ssh/config" – Troy Jan 14 '19 at 22:01
  • Can the login user be different to the key user? (like adding a key on the server for user USER, but using it for login as ROOT)? – Sandburg Mar 15 '19 at 08:43
  • 1
    Private keys are held by the user logging in; public keys are held by the account being logged into. So long as the user's private key matches one of the `authorized_keys` in the remote account, you should be fine. In other words, for `user`'s key to work for both `remoteuser` and `root`, both of the latter two must have `user`'s public key in their own `authorized_keys` file. – DopeGhoti Mar 15 '19 at 15:39
  • @Troy read the message carefully: the most common issue is that the file permissions for the key are too broad. – xeruf Jan 03 '21 at 23:24
  • 3
    @Troy I think this is too late but config permissions should be strict according to the manual. 600 is just fine (`chmod 600 ~/.ssh/config`) – sçuçu Oct 03 '21 at 20:38
  • 5
    `IdentitiesOnly` directive saved my day. I was getting `too much login attempts` error because ssh client was sending other keys that I have before the correct one. – downtheroad Nov 25 '21 at 21:36
  • Interesting part about SSH sending other keys. Mine does not do this, it sends directly the key I've specified. In the `-vv` log, it says: `debug1: Will attempt key: my-key.pem explicit` . `OpenSSH_9.0p1` on MacOS – Ciprian Tomoiagă Aug 07 '23 at 07:44
  • It's quite possible that in the years since I first penned this answer, the default value of `IdentitiesOnly` got flipped from `No` to `Yes` in some distributions' `ssh_config`s. (: – DopeGhoti Aug 16 '23 at 01:35
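
To check an existing `~/.ssh/config` for the two problems raised in this thread (the "Bad owner or permissions" error, and other keys being offered first when `IdentitiesOnly yes` is missing), here is an added example that is not part of the original answer or its comments. The function names, host names and key paths are made up; the permission test assumes ssh objects to a config file that is writable by group or others, and each `Host` block is checked in isolation, without inheritance from `Host *`.

```shell
#!/bin/sh
# Added example (not from the original answer): audit an ssh client config.

# Print "too-open" if FILE is writable by group or others, else "ok".
# Assumption: that is what triggers "Bad owner or permissions"; chmod 600,
# as suggested in the comments, always passes.
config_perms() {
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo too-open
    else
        echo ok
    fi
}

# Print the Host/Match argument of each block that sets IdentityFile without
# "IdentitiesOnly yes", i.e. where the client may offer other keys as well.
blocks_offering_extra_keys() {
    awk '
        function report() { if (has_key && !only) print name; has_key = only = 0 }
        BEGIN { name = "(global)" }
        { sub(/^[ \t]+/, "") }                      # drop indentation
        /^#/ || /^$/ { next }                       # skip comments and blanks
        {
            sub(/[ \t]*=[ \t]*|[ \t]+/, " ")        # "Key=value" -> "Key value"
            key = tolower($1)                       # keywords are case-insensitive
            if (key == "host" || key == "match") { report(); name = substr($0, length($1) + 2) }
            else if (key == "identityfile") has_key = 1
            else if (key == "identitiesonly" && tolower($2) == "yes") only = 1
        }
        END { report() }
    ' "$1"
}

# Constructed sample config; host names and key paths are placeholders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
Host github-work
  User git
  IdentityFile ~/.ssh/work_key
Host build-server
  IdentityFile ~/.ssh/mykey
  IdentitiesOnly yes
EOF
chmod 664 "$demo_dir/config"
echo "permissions: $(config_perms "$demo_dir/config")"
echo "blocks that may offer other keys: $(blocks_offering_extra_keys "$demo_dir/config")"
rm -rf "$demo_dir"
```

Point both functions at `~/.ssh/config` to audit a real setup; any block they list is a candidate for adding `IdentitiesOnly yes`.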