Adding SSH Keys to authorized_keys


About SSH Keys

SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long strings of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.

Step One—Create the RSA Key Pair

The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):

ssh-keygen -t rsa

Step Two—Store the Keys and Passphrase

Once you have entered the Gen Key command, you will get a few more questions:

SSH with Keys HOWTO: SSH with Keys in a console window

This first short section shows how to generate a key without a passphrase and use it in a console.

When you want to use ssh with keys, the first thing that you will need is a key. If you want to know more about how this mechanism works you can have a look in chapter 3, SSH essentials. Since there are 2 versions, we will show examples for both of them.

To create the simplest key, with the default encryption, open up a console and enter the following command:

[dave@caprice dave]$ ssh-keygen

This will output the following:

Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/dave/.ssh/identity): /home/dave/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dave/.ssh/identity.
Your public key has been saved in /home/dave/.ssh/
The key fingerprint is:...

parameter required default choices comments

exclusive

(added in 1.9)

no no

Whether to remove all other non-specified keys from the authorized_keys file. Multiple keys can be specified in a single key string value by separating them by newlines.

This option is not loop aware, so if you use with_ , it will be exclusive per iteration of the loop. If you want multiple keys in the file, you need to pass them all to key in a single batch as mentioned above.


The SSH public key(s), as a string or (since 1.9) url (


(added in 1.4)


A string of ssh key options to be prepended to the key in the authorized_keys file

no yes

Whether this module should manage the directory of the authorized key file. If set, the module will create the directory, as well as set the owner and permissions of an existing directory. Be sure to set manage_dir=no if you are using...


How do I install my SSH public key ~/.ssh/ onto a remote Linux and UNIX server automatically from a Linux workstation or Apple OS X laptop without using scp and/or the copy & paste method?

You need to use the ssh-copy-id script that uses ssh to log into a remote machine using a login password. The syntax is as follows:



ssh-copy-id -i ~/.ssh/


ssh-copy-id -i ~/.ssh/

OR use specific port on remote host such as tcp port # 4242:

ssh-copy-id -i /path/key/ " -p 4242"

Install ssh-copy-id on OS X Unix systems

Type the following command:

Sample outputs:

Fig.01: Install ssh-copy-id on OS X Unix systems

Step # 1: Create the Keys

Type the following ssh-keygen command, which generates, manages and converts authentication keys for your...


Key management is an issue whenever access to servers must be controlled. Keys must be added when new users are created, old keys must be removed when users are deleted and keys must be updated when someone forgets a pass phrase.

We should also not allow individual users to have control over their own authorized_keys file. Instead, we should make use of the AuthorizedKeysFile option for SSHD and place the keys under the /etc/ssh/authorized_keys directory. This prevents users from adding/changing their respective ssh-keys and also prevents an intruder from adding their own key. This approach centralizes the control and location of all ssh-keys using standard SSHD configuration.

Here is how we can use Ansible as a configuration manager to manage the servers. This will:

- add authorized_keys files for new users
- disable existing users
- maintain authorized_keys file for existing users

The following is a list of routine maintenance and how to perform...


Below is a quick how-to for implementing public / private key authentication for SSH. This is by no means an exhaustive examination of the subject. *nix distributions vary slightly and further research may be needed.

Why use Public Key Authentication?

Public key authentication is considered a more secure method of authenticating with Secure Shell than the simple password challenge routine, a method often broken by brute-force attacks. In addition, public key authentication allows for automated login routines between machines, thus enabling a range of scripted jobs (think rsync or port tunneling). It can also simplify the login process without compromising password security.

How does it work?

Public key authentication uses a pair of computer generated keys - one public and one private – to authenticate between a host and a client. The public key is derived from the private key. When authenticating, the host machine compares the public key to the...


This guide describes how to generate and use a private/public key pair to log in to a remote system with SSH using PuTTY. PuTTY is an SSH client that is available for Windows and Linux (although it is more common on Windows systems). Using key-based SSH logins, you can disable the normal username/password login procedure which means that only people with a valid private/public key pair can log in. That way, there is no way for brute-force attacks to be successful, so your system is more secure.

1 Preliminary Note

In this tutorial I use a Windows desktop to connect to a Linux SSH server (Debian with IP address:

2 Install PuTTY, PuTTYgen, And Pageant On The Windows System

First we need to install PuTTY, PuTTYgen, and Pageant on our Windows system. All we need to do is download the executable files (.exe) and save them somewhere, e.g. on the desktop. We don't need to install them as they are standalone applications. To start them, we...


OK, I just tested the sed command (which makes $GL_GITCONFIG_KEYS = "" to $GL_GITCONFIG_KEYS = ".*" ). I can remove and add keys via gl without an error, and my user shows up in .gitolite/conf/gitolite.conf, but the problem still exists that OLD keys are added to /home/git/.ssh/authorized_keys and with the newly added key I can't clone.
(I tried this fix before without luck, but thx for the sed command :))

I'm very afraid to upgrade now and will take time to prep a test environment first, as without git my company can bury itself (and first they will bury me :))


OK, for some reason I can't post anymore at the bottom so I'll try it here and hope that somebody SEES THIS :)

I'm now running gl 3.0.1 stable. When I add a key, old keys get added to /home/git/.ssh/authorized_keys and old keyfiles (that I deleted before) show up in .gitolite/keydir. I wonder where they all come from :)
Well, looks like our git system is shot. I think I...


The SSH connection to your server is one of the most important ways of accessing and managing your server. Because of this, it is a target for any attacker who wants access to your server. Securing SSH is therefore very important. As I have already described in Secure servers ssh access, there are a couple of precautions you can take to prevent attackers from guessing your password.

Since, if nothing else, it’s quite annoying to have to type passwords all the time, you might have already considered creating SSH-keys, and configured SSH passwordless login with SSH-key for your server.

If the SSH-key is compromised

If your ssh-key fell into the wrong hands, anybody could access your server from anywhere on the internet. Restricting the ssh-key is one possibility to reduce the risk of an attacker hacking into your server by obtaining the ssh-key. Of course, if an ssh-key has been compromised, it should be removed from all affected systems and replaced by a new...


How-to Authorize SSH Access for Remote Client

This little Guide Shows You Step-by-Step How-to Authorize the SSH Remote Access to Server for a Remote Linux/Unix Client.

Practically You will Need to Add an Entry to the Authorized Keys List on the File on Your Home .ssh Directory

How-to Easy Generate SSH Keys Pair:

To Upload the Key to the Server you need the SSH Access Password

For Shared Hosting Account often that’s the Same as the cpanel one.

Upload It by the rsync Command:

rsync -av -e "ssh -p PORT-NUMBER" ~/.ssh/ USERNAME@SERVER-ADDRESS:~/

You need to Substitute PORT-NUMBER, USERNAME and SERVER-ADDRESS with your Hosting Parameters.

SSH Log-In into the Remote:


Normally now you will be Prompted for the Password to get Access.

Copy the Key into the Authorized List:

cat >> .ssh/authorized_keys

Latest Check than you haven't...


The cat ~/.ssh/authorized_keys command shows you the authorized_keys file of the currently logged in user. When logged in as root, or using sudo, this will give you the authorized_keys file of the root user.

The authorized_keys file, at least on Ubuntu, is usually owned by the user. So the currently logged in user (root or not) can see it.
The .ssh directory is in the user's home directory, and usually owned by them with read, write and execute privileges; so normally a user should be able to indeed add their own authorized_keys file.

To see all authorized keys, you could just create a script that iterates over all home directories and /root, and prints the .ssh/authorized_keys file. Obviously this script will require sudo privileges.

As a side note, on Ubuntu the root account is usually disabled, because it is a favorite target of attackers. It may not contain an authorized_keys file for this...

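One way to write the audit script suggested in the answer above, as an added example that is not part of the original answer: it generalizes "all home directories and /root" by reading each account's home directory from a passwd-format file. The function names, the optional ROOT_PREFIX argument (for auditing a mounted disk image or a test tree) and the output columns are this example's own choices.

```sh
#!/bin/sh
# Added example: list every public key that can log in to each account.

# keys_in_file FILE USER
# Prints "user<TAB>keytype<TAB>options|-<TAB>comment" for each key line in FILE.
keys_in_file() {
    awk -v user="$2" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            for (i = 1; i < NF; i++) {
                # A key is a type name followed by a base64 blob; the blob
                # always starts with AAAA. Anything before it is options.
                if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) ~ /^AAAA/) {
                    comment = ""
                    for (j = i + 2; j <= NF; j++)
                        comment = comment (j > i + 2 ? " " : "") $j
                    printf "%s\t%s\t%s\t%s\n", user, $i,
                        (i > 1 ? "options" : "-"),
                        (comment == "" ? "-" : comment)
                    next
                }
            }
            # Not recognisable as a key: report it so it gets a human look.
            printf "%s\tUNPARSED\t-\tline %d\n", user, NR
        }
    ' "$1"
}

# list_authorized_keys [PASSWD_FILE] [ROOT_PREFIX]
# Walks every account in PASSWD_FILE (default /etc/passwd) and reports the keys
# in its ~/.ssh/authorized_keys. Run with sudo to read other users' files.
list_authorized_keys() {
    passwd_file=${1:-/etc/passwd}
    prefix=${2:-}
    # passwd field 1 is the login name, field 6 the home directory
    cut -d: -f1,6 "$passwd_file" | while IFS=: read -r user home; do
        file=$prefix$home/.ssh/authorized_keys
        [ -n "$home" ] && [ -f "$file" ] || continue
        if [ -r "$file" ]; then
            keys_in_file "$file" "$user"
        else
            printf '%s\tUNREADABLE\t-\t%s\n' "$user" "$file"
        fi
    done
}

# Stand-alone use: sudo sh audit_keys.sh /etc/passwd
if [ "$#" -gt 0 ]; then
    list_authorized_keys "$@"
fi
```

This covers only the default per-user location; where sshd_config points AuthorizedKeysFile elsewhere, such as a central /etc/ssh/authorized_keys directory, audit that path instead.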



Using SSH public-key authentication to connect to a remote system is a robust, more secure alternative to logging in with an account password or passphrase. SSH public-key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys (i.e., a key pair), one "private" and the other "public". You keep the private key a secret and store it on the computer you use to connect to the remote system. Conceivably, you can share the public key with anyone without compromising the private key; you store it on the remote system in a .ssh/authorized_keys directory.

To use SSH public-key authentication:

The remote system must have a version of SSH installed. The information in this document assumes the remote system uses OpenSSH, which is generally the case for UITS central systems at Indiana University. If the remote system is using a different version of SSH (e.g., Tectia SSH), the process outlined below...

Generate RSA keys with SSH by using PuTTYgen

Last updated on: 2016-06-23 Authored by: Rackspace Support

One effective way of securing SSH access to your cloud server is to use a public-private key pair. This means that a public key is placed on the server and a private key is placed on your local workstation. Using a key pair makes it impossible for someone to log in by using just a password, as long as you set up SSH to deny password-based authentication.

This article provides steps for generating RSA keys by using PuTTYgen on Windows for secure SSH authentication with OpenSSH.

Generate keys

In Windows, use PuTTYgen to generate your public and private keys.

If needed, download PuTTYgen from the PuTTY download page. (PuTTYgen might have been installed previously with PuTTY or WinSCP.) Launch the program, and then click the Generate button. The program generates the keys for...


This article is provided as a courtesy. Installing, configuring, and troubleshooting SSH keys is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.


An SSH key will let you automatically log into your server from one particular computer without needing to enter your password. This is convenient if you make frequent SSH and scp connections to your server.


You will create an SSH key on your computer, and then configure your server to accept it. This will allow you to automatically log into your server from this computer, without being prompted for your password.


Please do not set up an SSH key on a public or shared computer that does not use individual profiles. This will allow strangers to easily access your server.


SSH configured for a user on your server: SSH on your local computer: this...

You can create an RSA authentication key to be able to log into a remote site from your account, without having to type your password.

Note that once you've set this up, if an intruder breaks into your account/site, they are given access to the site you are allowed in without a password, too! For this reason, this should never be done from root.

Run ssh-keygen(1) on your machine, and just hit enter when asked for a password.
This will generate both a private and a public key. With older SSH versions, they will be stored in ~/.ssh/identity and ~/.ssh/; with newer ones, they will be stored in ~/.ssh/id_rsa and ~/.ssh/ Next, add the contents of the public key file into ~/.ssh/authorized_keys on the remote site (the file should be mode 600).
If you are a developer and you want to access systems with such a key, it's possible to have the developer database propagate your key to all of the machines. See the LDAP...

You should never save the file with its contents starting with -----BEGIN RSA PRIVATE KEY----- on the server, that is your private key. Instead, you must put the public key into the ~/.ssh/authorized_keys file.

This public key has the .pub extension when generated using ssh-keygen and its contents begin with ssh-rsa AAAAB3. (The binary format is described in the answers to this question).

The permissions of ~/.ssh on the server should be 700. The file ~/.ssh/authorized_keys (on the server) is supposed to have a mode of 600. The permissions of the (private) key on the client-side should be 600.

If the private key was not protected with a password, and you put it on the server, I recommend you to generate a new one:

ssh-keygen -t rsa

You can skip this if you're fully sure that nobody can recover the deleted private key from the server.

If this does not help, run ssh with options for more verbosity:

ssh -vvv

On the server...

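The permission and key-placement rules from the answer above, turned into a check for one server-side .ssh directory (an added example, not part of the original answer). It reports any group or other access rather than insisting on exactly 700 and 600, and the function names and finding labels are this example's own.

```sh
#!/bin/sh
# Added example: check one server-side .ssh directory for the problems above.

# mode_string PATH -> type and permission field from ls, e.g. drwx------
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# open_to_others PATH -> succeeds when group or other has any permission bit
open_to_others() {
    [ "$(mode_string "$1" | cut -c5-10)" != "------" ]
}

# check_ssh_dir DIR
# Prints one finding per line; exit status 0 means nothing was found.
check_ssh_dir() (
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        exit 1
    fi
    if open_to_others "$dir"; then
        echo "PERMS $dir $(mode_string "$dir") (want 700)"
        rc=1
    fi
    keys=$dir/authorized_keys
    if [ -f "$keys" ] && open_to_others "$keys"; then
        echo "PERMS $keys $(mode_string "$keys") (want 600)"
        rc=1
    fi
    # A private key header in any file here means the wrong half of the
    # key pair was uploaded to the server.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "PRIVATE_KEY $f"
            rc=1
        fi
    done
    exit "$rc"
)

# Stand-alone use: sh check_ssh_dir.sh /home/USER/.ssh
if [ "$#" -gt 0 ]; then
    check_ssh_dir "$1"
fi
```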

Setting ssh authorized_keys seems to be simple but hides some traps I'm trying to figure out

-- SERVER --

in /etc/ssh/sshd_config set passwordAuthentication yes to let the server temporarily accept password authentication

-- CLIENT --

1. generate private and public keys (client side) # ssh-keygen

here pressing just ENTER you get DEFAULT 2 files "id_rsa" and "" in ~/.ssh/ but if you give a name_for_the_key the generated files are saved in your pwd

2. place the to target machine ssh-copy-id user_name@host_name

if you didn't create default key this is the first step to go wrong ... you should use

ssh-copy-id -i path/to/ user_name@host_name

3. logging ssh user_name@host_name will work only for default id_rsa so here is 2nd trap for you need to ssh -i path/to/key_name user@host

(use ssh -v ... option to see what is happening)

If server still asks for password then you gave smth. to Enter...


Edit: You should upvote @Iain's answer above. It is complete and accurate. My answer below is geared towards shared private keys - clearly a misunderstanding on my part. I'll leave this answer here, since I consider it a valuable piece of information, just not for this specific question.

I don't know your use-case, but I'm tempted to say "you're doing it wrong."

Each user should have their own keypair. That way, when a user leaves, is transferred, promoted to a management role, or anything else that requires revocation of rights, you just revoke that one key. This also makes effective auditing much, much harder.

If you need users to be able to impersonate other users, they should be configured to do so with sudo. Having shared SSH keys is normally not a good...


Public key authentication is more secure than password authentication. This is particularly important if the computer is visible on the internet. If you don't think it's important, try logging the login attempts you get for the next week. My computer - a perfectly ordinary desktop PC - had over 4,000 attempts to guess my password and almost 2,500 break-in attempts in the last week alone.

With public key authentication, the authenticating entity has a public key and a private key. Each key is a large number with special mathematical properties. The private key is kept on the computer you log in from, while the public key is stored on the .ssh/authorized_keys file on all the computers you want to log in to. When you log in to a computer, the SSH server uses the public key to "lock" messages in a way that can only be "unlocked" by your private key - this means that even the most resourceful attacker can't snoop on, or...


SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. One immediate advantage this method has over traditional password authentication is that you can be authenticated by the server without ever having to send your password over the network. Anyone eavesdropping on your connection will not be able to intercept and crack your password because it is never actually transmitted. Additionally, using SSH keys for authentication virtually eliminates the risk posed by brute-force password attacks by drastically reducing the chances of the attacker correctly guessing the proper credentials.

As well as offering additional security, SSH key authentication can be more convenient than the more traditional password authentication. When used with a program known as an SSH agent, SSH keys can allow you to connect to a server, or multiple servers, without having to remember or enter your password for each...


There are different ways to solve this: you can configure either sshd (server-side) or ssh (client-side) not to use password authentication. Disabling password authentication on the server makes your server more secure, but you will be in trouble if you lose your key.

To make ssh (client-side) use pubkey authentication, add some options to the ssh command:

ssh -o PubkeyAuthentication=yes -o PasswordAuthentication=no -X git@server

If this works, you can set the PasswordAuthentication=no option permanently in the ssh client config file /etc/ssh/ssh_config system-wide or ~/.ssh/config user-specific (on details, see man...


Client configuration files can be per user or system wide, with the former taking precedence over the latter and run-time arguments in the shell overriding both. In these configuration files, one parameter per line is allowed with the parameter name followed by its value or values. Empty lines and lines starting with the hash (#) are ignored. An equal sign (=) can be used instead of whitespace between the parameter name and the values.

Values are case-sensitive, but parameter names are not.

System-wide Client Configuration Files

System-wide client files set the default configuration for all users of OpenSSH clients on that system. These defaults can be overridden, in many cases, by the user's own default settings in a local configuration file. Both can be overridden, in many cases, by specifying various options or parameters at run time. The prioritization is as follows:

1. run time arguments via the shell
2. user's own configuration
3. system-wide...


SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. It provides a text-based interface by spawning a remote shell. After connecting, all commands you type in your local terminal are sent to the remote server and executed there.

In this cheat sheet-style guide, we will cover some common ways of connecting with SSH to achieve your objectives. This can be used as a quick reference when you need to know how to connect to or configure your server in different ways.

How To Use This Guide

Read the SSH Overview section first if you are unfamiliar with SSH in general or are just getting started. Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently. Use the Contents menu on the left side of this page (at wide page widths) or your browser's find function to locate the sections you...

I am having issues with Gitlab. I used the following guide to install and configure Gitlab The installation seemed to go well and all. The web application seems to be working fine. However I am unable to clone, pull, push, basically I essentially cannot use Gitlab. I have seen 403 errors with HTTP and permission denied when trying to clone over SSH.

I have ensured my private keys are setup correctly on both Windows and OS X. I can see the public keys on the server. I added the following to my config file in ~/.ssh.config

Host {hostname}
    User git
    Hostname {hostname}
    PreferredAuthentications publickey
    IdentityFile C:/Users/{username}/.ssh/id_rsa

This is what I see in /var/log/secure

Jan 14 17:31:48 dev_version_control sshd[3696]: Connection closed by
Jan 14 17:32:18 dev_version_control sshd[3700]: Connection closed by

The /var/log/message didn't...


Based on an article from:

After you have created your instance:

Save the Public DNS, it looks something like

After you have your keypair, run this command

$ ssh -i mykeypair.pem

You should be in now. Cool.

Now set yourself up your own user account.

adduser jkeesh

Adduser is the one you want, that sets up with proper options. The first time I wrote this I used useradd.

(old version)

$ sudo useradd -m jkeesh

-m creates a home directory for the user

$ sudo passwd jkeesh

(end old version)

But you’re cool. You can be root too.

$ sudo visudo

under the line

root ALL=(ALL) ALL

add yourself

jkeesh ALL=(ALL) ALL

Just to show you that you can, enable password authentication

$ sudo vim /etc/ssh/sshd_config...