68

I need to use another computer to access my ssh server. This is because a recently implemented VPN at my university doesn't work on my current computer and I have lost access to the server.

I ssh via encrypted ssh keys. Can I copy these keys to the new computer (on which the VPN works)? I tried copying the id_rsa and id_rsa.pub files in the ~/.ssh folder but it doesn't recognize the keys and there is no prompt to input a password to decrypt the keys.

EDIT: I can't access the server to generate a new key pair for the new computer and am out of the country so can't physically access it.

Thanks.

benj
  • Is "id_rsh" a typo? – ændrük May 10 '12 at 13:28
  • 2
    You might learn more about the problem by trying ssh -v -i ~/.ssh/id_rsa ssh-server. – ændrük May 10 '12 at 13:57
  • Tried that. It seems to send the keys but never asks for a password to unencrypt them. I also get a strange generic message "Roaming not allowed by server". Guess private keys are just not meant to be copied ;). Looks like I'm just going to have to trust someone with physical access to manually log into my server and change the ssh settings. Thanks for your help. – benj May 11 '12 at 08:41
  • 1
    Private keys should never be copied! THIS IS A SECURITY RISK. Generate new keys for every new device!!!! – Ether Jun 21 '19 at 17:43
  • 1
    @Ether Is that true? What if you need to reformat a machine? Just blow away the key and start fresh? – nipponese Nov 07 '19 at 18:21
  • @nipponese personally yes that is what I would do. – Ether Nov 09 '19 at 00:31

3 Answers

84

Check the permissions and ownership of your private key file. From the manual,

These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others.

Typically the key files should look like this,

$ ls -l ~/.ssh/id_rsa*
-rw------- 1 benj benj 1766 Jun 22  2011 .ssh/id_rsa
-rw-r--r-- 1 benj benj  388 Jun 22  2011 .ssh/id_rsa.pub

which you can enforce via:

$ chown benj:benj ~/.ssh/id_rsa*
$ chmod 600 ~/.ssh/id_rsa
$ chmod 644 ~/.ssh/id_rsa.pub
ændrük
  • 2
    Thanks. That's useful to know. When you copy a file to another computer the permissions do seem to change to that user. I ran the chmod and chown scripts in case. Unfortunately it didn't help my issue. – benj May 11 '12 at 08:35
  • @Johnツ this might have been part of the problem for me but there appeared to be other issues. I eventually got someone to physically login to the server and set up a new key. But will accept this as it probably covers a key issue. – benj Dec 13 '13 at 15:27
  • It worked for me, @benj . – Sinthia V Feb 16 '19 at 01:00
  • None of which means diddly squat if someone mounts the drive using a sysrescue. – RichieHH Jan 09 '20 at 20:37
  • I had id_rsa mode 644 working for years. I installed a fresh 20.04 on the same formatted disk and copied the id_rsa backup. Had to chmod 600 to get the key recognized. – dstonek Jan 31 '21 at 16:25
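
The permission check from the answer above, applied to every key in a copied ~/.ssh directory, as an added example that is not part of the original answer or its comments. The function names are hypothetical, the key files in the demo are empty constructed placeholders, and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example: flag private keys that ssh would ignore because they are
# accessible by group or others. Assumes GNU coreutils stat (stat -c).

# Print "ok", "too-open", "wrong-owner" or "missing" for one private key file.
key_perm_status() {
    key=$1
    [ -f "$key" ] || { echo missing; return 0; }
    mode=$(stat -c '%a' "$key")      # octal mode, e.g. 644
    owner=$(stat -c '%u' "$key")     # numeric uid of the file owner
    if [ "$owner" != "$(id -u)" ]; then
        echo wrong-owner
    elif [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo too-open                # any group/other bit set
    else
        echo ok
    fi
}

# Tighten one private key (600) and its .pub file (644), as in the answer.
fix_key_perms() {
    key=$1
    chmod 600 "$key"
    [ -f "$key.pub" ] && chmod 644 "$key.pub"
    return 0
}

# Report every candidate private key (id_* without .pub) in a directory.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    for f in "$dir"/id_*; do
        case $f in *.pub) continue ;; esac
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(key_perm_status "$f")" "$f"
    done
}

# Constructed demo: a key copied with loose permissions, audited, then fixed.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/id_rsa"; : > "$tmp/id_rsa.pub"
    chmod 644 "$tmp/id_rsa" "$tmp/id_rsa.pub"
    audit_ssh_dir "$tmp"
    fix_key_perms "$tmp/id_rsa"
    audit_ssh_dir "$tmp"
    rm -rf "$tmp"
}
demo
```

Run `audit_ssh_dir` with no argument to check your own ~/.ssh; it only reports, and nothing is changed until you call `fix_key_perms` on a specific key.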
16

Try running ssh-add before you SSH into the server - you should then be prompted for the password and then subsequent ssh connects can use your private key.

The ssh-add command adds the keys to the key agent.

gertvdijk
9

Encrypted private keys hold their corresponding public key unencrypted. This is how the SSH client can connect to the remote server without asking you for the password (it only offers the public part at that point). Whenever the server accepts the public key, the client on your PC wants to decrypt the private key and will ask you for the passphrase.

Now, whenever the server only accepts connection from a specific IP address, this is declined already in the first step and explains the message you got from the server "Roaming not allowed by server".

So, my best guess is that your server is restricted in some way to allow only specific IP addresses for this key. You can do this in several ways, but this is a common one in ~/.ssh/authorized_keys:

from="192.168.1.2" ssh-rsa AAAAB3NzaC[...]

To prove that you can read the public key out of an encrypted private key without password, run:

ssh-keygen -y -f /path/to/private/key
gertvdijk
  • 1
    This is a good helpful process for getting to an answer when you have a problem with SSH connection. Thank you. – Sinthia V Feb 16 '19 at 01:07