How do I add SSH Keys to authorized_keys file?
I have an Ubuntu server on Amazon EC2, that I use for development, and today I stupidly cleared everything out of my ~/.ssh/authorized_keys file. Luckily I have an SSH open, so I am still connected, and can fix the file, but when I try to put my key file back, it doesn’t work. I still get permission denied from the server on my local machine. authorized_keys has the permissions 600. I have tried appending my SSH key with ssh-rsa and leaving the ssh-rsa off. I also tried making the SSH key all one line, but that didn’t work either. Is there something else that I have to do like reload the file some how?
Years later, this -still- seems relevant & active; only wanted to make an observation, talk about having had dodged a bullet: «Luckily I have an SSH open, so I am still connected [..]» — sheesh! ;dP
9 Answers 9
You should never save the file with its contents starting with ——BEGIN RSA PRIVATE KEY—— on the server, that is your private key. Instead, you must put the public key into the ~/.ssh/authorized_keys file.
This public key has the .pub extension when generated using ssh-keygen and its contents begin with ssh-rsa AAAAB3 . (The binary format is described in the answers to this question).
The permissions of ~/.ssh on the server should be 700. The file ~/.ssh/authorized_keys (on the server) is supposed to have a mode of 600. The permissions of the (private) key on the client-side should be 600.
If the private key was not protected with a password, and you put it on the server, I recommend you to generate a new one:
You can skip this if you’re fully sure that nobody can recover the deleted private key from the server.
If this does not help, run ssh with options for more verbosity:
On the server side, you can review /var/log/auth.log for details.
@Dave Long: You must generate a new key using ssh-keygen -t rsa and put the newly created id_rsa.pub file in ~/.ssh/authorized_keys on your server. See also docs.amazonwebservices.com/AWSEC2/latest/UserGuide/…
@DaveLong: You can generate the public key from the private key at any time. You can do this simply with the following command: ssh-keygen -y -f key.pem > key.pub
@MorganBlackthorne While that is true, I would recommend generating your private keys rather than accepting one from remote sources. You cannot be fully sure that the private key did not get leaked.
An alternative way to install your public key in the remote machine’s authorized_keys :
cat ~/.ssh/id_rsa.pub | ssh USER@HOST "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
- does not require ssh-copy-id to be installed.
- guarantees that mkdir works before attempting to append id_rsa.pub to authorized_keys .
There is a chance that a newly created authorized_keys file or .ssh folder will not have the correct file permissions. This may result in ssh attempting to fallback to password authentication (if it is still enabled).
To fix this, log back in the server and run:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
See this answer for more details, as well as the other answer to this question.
Your answer helped me to do this on multiple remote machines without any additional packages, thank you.
This doesn’t guarantee that the «~/.ssh» directory and «~/.ssh/authorized_keys» file will be created with the correct permissions.
@Nick, I had that problem. So then perhaps one must really first check for their existence, if missing create properly with chmod (700/folder, 600/file), and only then add? so then maybe it can’t be a one liner?
@AnneTheAgile I think changing the mkdir -p ~/.ssh part of the answer given by @MariusButuc to umask 077 && mkdir -p ~/.ssh is all you need to do to ensure that it will work properly.
If you have login based authentication then use ssh-copy-id to append your public keys to remote server.
On Macports, this command can be installed using sudo port install openssh +ssh_copy_id . The +ssh_copy_id installs openssh with the ssh_copy_id variant.
Note that the instructions on phildawson.tumblr.com ask you to install untrusted software, as root. This is quite dangerous and a good way to get hacked, unless you know you can trust the author.
local> scp .ssh/id_rsa.pub remote.com: local> ssh remote.com remote> cat id_rsa.pub >> .ssh/authorized_keys remote> rm id_rsa.pub remote> exit
Easiest way is to copy and paste.
First view/copy the contents of your local public key id_rsa.pub including the beginning «ssh-rsa» until it ends with your email address:
Then edit authorized_keys on the server and paste contents of your clipboard below any other keys in that file:
And save Ctl+O , exit the file Ctl+X , exit the SSH session exit and try logging back in to confirm it worked. If it didn’t ask for a password it worked.
That’s far from the easiest and begs mistakes to happen which will corrupt the file. catenating the key into the authorized_keys file is MUCH safer.
I disagree. It would take a lot of talent to mistype “cat” and highlight lines that were obviously not part of the file.
Get a shell on the remote machine where you want to put the key and then you can run this one-liner to create the necessary files and directories, set their permissions and append the key to the file. Of course you have to change the KEYGOESHERE part below and the comment after it.
mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo "ssh-rsa KEYGOESHERE user@remotehost or note" >> ~/.ssh/authorized_keys
I thought I can contribute to this since it is about AWS instances specifically and all the answers only treat the problem as a Linux issue, as if it was a piece of hardware. First thing you need to understand is that you should never, ever, don’t treat EC2 instances as hardware. That’s just going to create more work for you Treat them as volatile. That’s the biggest hurdle I see people having with AWS. Make an AMI of your instance and inject the key you need into the new instance. cloud-init will take care of it for you. In more detail all you have to do is use the correct public key when creating the new instance out of the AMI of the original. If, like in the comments of the approved answer you want to generate your own key pair of pub and pem files AWS provides you with the option to upload your public keys for use in EC2.
After saving public key you should save the private key into a directory and file on your pc. And in the auth section of ssh on putty you should point to the private key file that you saved on your desktop. It will work. It works for me.
I would just love it if windows console could have all the ssh functionality added into it’s interpreter
Here’s a variation whereby you might have a list of public key filenames in a text file and the big batch of public key files are also in the same directory.
This variation can be helpful if you were giving a huge list of public key files to import 🙂
$ for i in $(cat ListOfPubKeyFiles.txt) ; do cat $i | ssh User@Hostname "cat >> ~/.ssh/authorized_keys"; done