300

I have an Ubuntu server on Amazon EC2, that I use for development, and today I stupidly cleared everything out of my ~/.ssh/authorized_keys file. Luckily I have an SSH open, so I am still connected, and can fix the file, but when I try to put my key file back, it doesn't work. I still get permission denied from the server on my local machine.

authorized_keys has the permissions 600. I have tried appending my SSH key with ssh-rsa and leaving the ssh-rsa off. I also tried making the SSH key all one line, but that didn't work either.

Is there something else that I have to do, like reload the file somehow?

Dave Long
  • 3,386
  • 4
    Years later, this -still- seems relevant & active; only wanted to make an observation, talk about having had dodged a bullet: "Luckily I have an SSH open, so I am still connected [..]" - sheesh! ;dP – Nostromov Mar 15 '16 at 02:23
  • 2
    This post, which was edited on my birthday, saved me two months ago on my birthday. – rassa45 Aug 16 '18 at 03:02

9 Answers

304

You should never save the file with its contents starting with -----BEGIN RSA PRIVATE KEY----- on the server, that is your private key. Instead, you must put the public key into the ~/.ssh/authorized_keys file.

This public key has the .pub extension when generated using ssh-keygen and its contents begin with ssh-rsa AAAAB3. (The binary format is described in the answers to this question).

The permissions of ~/.ssh on the server should be 700. The file ~/.ssh/authorized_keys (on the server) is supposed to have a mode of 600. The permissions of the (private) key on the client-side should be 600.

If the private key was not protected with a password, and you put it on the server, I recommend that you generate a new one:

ssh-keygen -t rsa

You can skip this if you're fully sure that nobody can recover the deleted private key from the server.

If this does not help, run ssh with options for more verbosity:

ssh -vvv user@example.com

On the server side, you can review /var/log/auth.log for details.

Lekensteyn
  • 174,277
  • 1
    With Amazon EC2 servers all I get is the private key (key.pem). I don't have a public key anywhere. – Dave Long Jun 01 '11 at 17:04
  • 4
    @Dave Long: You must generate a new key using ssh-keygen -t rsa and put the newly created id_rsa.pub file in ~/.ssh/authorized_keys on your server. See also http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/generating-a-keypair.html – Lekensteyn Jun 01 '11 at 17:33
  • 21
    @DaveLong: You can generate the public key from the private key at any time. You can do this simply with the following command:

    ssh-keygen -y -f key.pem > key.pub

    – Morgan Blackthorne May 17 '13 at 00:40
  • 7
    @MorganBlackthorne While that is true, I would recommend generating your private keys rather than accepting one from remote sources. You cannot be fully sure that the private key did not get leaked. – Lekensteyn May 17 '13 at 08:49
  • I think the AAAA3B should be AAAAB3 (note the B3 vs 3B). I tried to edit, but I can't since it's only a 1 character change. – Gabriel Southern Dec 14 '13 at 00:01
  • @Gabriel Fixed. – Lekensteyn Dec 14 '13 at 00:52
  • not fixed, actually – Gerrat May 31 '14 at 19:02
  • 3
    @Gerrat Fixed². – Lekensteyn May 31 '14 at 19:59
  • Why the requirement for using authorized_keys file? Can this be overridden to use id_rsa.pub or myfile? – Kyle Coots Dec 22 '15 at 03:56
  • @KyleC. If you want to use your own SSH key to SSH to your own machine, you can put a symlink: ln -s id_rsa.pub ~/.ssh/authorized_keys. The .ssh/authorized_keys path is the default value for the AuthorizedKeysFile setting of sshd (see man sshd_config). – Lekensteyn Dec 24 '15 at 09:14
  • ssh -vv is handy for troubleshooting various ssh issues – Harikrishnan Sep 27 '22 at 09:39
274

An alternative way to install your public key in the remote machine's authorized_keys:

cat ~/.ssh/id_rsa.pub | ssh USER@HOST "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Some advantages:

  • does not require ssh-copy-id to be installed.

  • guarantees that mkdir works before attempting to append id_rsa.pub to authorized_keys.


There is a chance that a newly created authorized_keys file or .ssh folder will not have the correct file permissions. This may result in ssh attempting to fall back to password authentication (if it is still enabled).

To fix this, log back in to the server and run:

chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

See this answer for more details, as well as the other answer to this question.

NotTheDr01ds
  • 17,888
Marius Butuc
  • 4,811
  • 18
    Your answer helped me to do this on multiple remote machines without any additional packages, thank you. – nol Mar 07 '14 at 10:06
  • 1
    This doesn't guarantee that the "~/.ssh" directory and "~/.ssh/authorized_keys" file will be created with the correct permissions. – Nick Jun 04 '14 at 05:55
  • 1
    @Nick, I had that problem. So then perhaps one must really first check for their existence, if missing create properly with chmod (700/folder, 600/file), and only then add? so then maybe it can't be a one liner? – AnneTheAgile Aug 07 '14 at 03:52
  • 11
    @AnneTheAgile I think changing the mkdir -p ~/.ssh part of the answer given by @MariusButuc to umask 077 && mkdir -p ~/.ssh is all you need to do to ensure that it will work properly. – Nick Aug 07 '14 at 14:02
  • 1
    ty @Nick! I will give it a go. – AnneTheAgile Aug 07 '14 at 21:02
  • Really saved my bacon. I already had access on a remote machine from my laptop but not from one of my servers and the remote machine didn't accept passwd authentication so the only way to add keys was to authenticate using the machine that already had a key in the authorised file – Garikai Dzoma Apr 10 '22 at 04:14
  • Need to first touch ~/.ssh/authorized_keys if the file doesn't exist. – Fisher Aug 22 '22 at 14:36
  • 1
    @Nick or, in a single command, mkdir -m 0700 -p ~/.ssh – MestreLion Jun 03 '23 at 01:48
179

If you have login-based authentication, then use ssh-copy-id to append your public keys to the remote server.

ssh-copy-id user@host
Marius Butuc
  • 4,811
Shoaib Nawaz
  • 2,249
  • 1
    That doesn't seem to be a valid command on Mac, which is what my client machine is. – Dave Long Jun 01 '11 at 17:05
  • 1
    May be helpful http://phildawson.tumblr.com/post/484798267/ssh-copy-id-in-mac-os-x – Shoaib Nawaz Jun 01 '11 at 17:23
  • 16
    on OSX you can install with brew: brew install ssh-copy-id – phil Nov 21 '13 at 00:26
  • On Macports, this command can be installed using sudo port install openssh +ssh_copy_id. The +ssh_copy_id installs openssh with the ssh_copy_id variant. – Stefan Lasiewski Sep 18 '14 at 22:23
  • 7
    Note that the instructions on phildawson.tumblr.com ask you to install untrusted software, as root. This is quite dangerous and a good way to get hacked, unless you know you can trust the author. – Stefan Lasiewski Sep 18 '14 at 22:24
51
local> scp .ssh/id_rsa.pub remote.com:
local> ssh remote.com
remote> cat id_rsa.pub >> .ssh/authorized_keys
remote> rm id_rsa.pub
remote> exit
jjg
  • 1,427
26

Easiest way is to copy and paste...

First view/copy the contents of your local public key id_rsa.pub including the beginning "ssh-rsa" until it ends with your email address:

cat ~/.ssh/id_rsa.pub

Then edit authorized_keys on the server and paste contents of your clipboard below any other keys in that file:

nano ~/.ssh/authorized_keys

Then save with Ctrl+O, exit the file with Ctrl+X, exit the SSH session with exit, and try logging back in to confirm it worked. If it didn't ask for a password, it worked.

ow3n
  • 423
  • 4
  • 9
  • That's far from the easiest and begs mistakes to happen which will corrupt the file. catenating the key into the authorized_keys file is MUCH safer. – RichieHH Nov 30 '20 at 03:14
  • 2
    I disagree. It would take a lot of talent to mistype “cat” and highlight lines that were obviously not part of the file. – ow3n Nov 30 '20 at 13:20
  • 2
    It's good to know that it's no more than copy/paste into the auth keys file. – Danijel May 11 '22 at 12:51
7

Get a shell on the remote machine where you want to put the key and then you can run this one-liner to create the necessary files and directories, set their permissions and append the key to the file. Of course you have to change the KEYGOESHERE part below and the comment after it.

mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo "ssh-rsa KEYGOESHERE user@remotehost or note" >> ~/.ssh/authorized_keys
Zanna
  • 70,465
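
The one-liners in the answers above (the piped `mkdir -p ~/.ssh && cat >> ...` with its `umask 077` comments, and the `mkdir`/`chmod`/`touch`/`echo` chain) can be folded into one server-side helper that also refuses private-key material, enforces the 700/600 modes and appends only once. This is an added example, not code from any answer; the function names and the optional home-directory argument are assumptions, and the check covers Ed25519 and ECDSA keys in addition to the `ssh-rsa AAAAB3` form discussed on this page.

```shell
#!/bin/sh
# Added example; function names and the optional home-directory argument are
# assumptions for illustration, not part of any answer on this page.

# classify_key LINE -> prints public | private | invalid
classify_key() {
    case "$1" in
        *"PRIVATE KEY"*) echo private ;;     # PEM header: must stay on the client
        *"
"*) echo invalid ;;                          # key wrapped over several lines
        "ssh-rsa AAAAB3"*|"ssh-ed25519 AAAAC3"*|"ecdsa-sha2-"*" AAAAE2"*)
            echo public ;;                   # key type plus its matching base64 prefix
        *) echo invalid ;;                   # e.g. the "ssh-rsa" prefix was left off
    esac
}

# mode_of PATH -> type and permission bits as printed by ls, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_pubkey LINE [HOME_DIR] -> 0 once LINE is listed in authorized_keys
install_pubkey() {
    key=$1
    dir=${2:-$HOME}/.ssh
    file=$dir/authorized_keys
    kind=$(classify_key "$key")
    if [ "$kind" != public ]; then
        echo "refusing to install: $kind key material" >&2
        return 1
    fi
    # umask 077 in a subshell: anything created here is private from the start
    ( umask 077 && mkdir -p "$dir" && touch "$file" ) || return 1
    # Repair loose modes on a directory or file that already existed (700 / 600)
    chmod 700 "$dir" || return 1
    chmod 600 "$file" || return 1
    # A last line without a trailing newline would fuse with the appended key
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    # -x whole line, -F literal string: append only when not already listed
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# Usage on the server: install_pubkey "$(cat id_rsa.pub)"
```
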
6

I thought I could contribute to this since it is about AWS instances specifically and all the answers only treat the problem as a Linux issue, as if it were a piece of hardware. The first thing you need to understand is that you should never, ever treat EC2 instances as hardware. That's just going to create more work for you. Treat them as volatile. That's the biggest hurdle I see people having with AWS. Make an AMI of your instance and inject the key you need into the new instance. cloud-init will take care of it for you. In more detail, all you have to do is use the correct public key when creating the new instance out of the AMI of the original. If, like in the comments of the approved answer, you want to generate your own key pair of pub and pem files, AWS provides you with the option to upload your public keys for use in EC2.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws

eco
  • 161
3

After saving the public key, you should save the private key into a directory and file on your PC. And in the auth section of SSH in PuTTY, you should point to the private key file that you saved on your desktop. It will work. It works for me.

  • 1
    I would just love it if the Windows console could have all the ssh functionality added into its interpreter – Dennis Nov 09 '14 at 01:46
1

Here's a variation whereby you might have a list of public key filenames in a text file and the big batch of public key files are also in the same directory.

This variation can be helpful if you were given a huge list of public key files to import :-)

$ while IFS= read -r i ; do cat "$i" | ssh User@Hostname "cat >> ~/.ssh/authorized_keys"; done < ListOfPubKeyFiles.txt
Zanna
  • 70,465
jlmontes
  • 53
  • 2