≡ Menu

Force SSH Client To Use Given Private Key ( identity file )

Recently, my desktop hard disk crashed. So I reinstalled Linux and created a new set of private RSA keys for authentication. However, two of my remote UNIX servers still uses old DSA keys. I do not remember root password for those servers. I do have backup of private and public DSA keys and currently stored in /backup/home/user/.ssh/id_dsa and /backup/home/user/.ssh/id_dsa.pub. How do I force my ssh clients to use identity file /backup/home/user/.ssh/id_dsa to get back to my remote UNIX servers?

The ssh client allows you to selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). The syntax is as follows:

ssh -i /path/to/id_rsa user@server.nixcraft.com
ssh -i /path/to/id_dsa user@server2.nixcraft.net.i

To use /backup/home/user/.ssh/id_dsa, enter:

ssh -i /backup/home/user/.ssh/id_dsa user@unixserver1.nixcraft.com

~/.ssh/config SSH Client Configuration

You can set identity file in ~/.ssh/config as follows:
vi ~/.ssh/config
Add both host names and their identity file as follows:

Host server1.nixcraft.com
  IdentityFile ~/backups/.ssh/id_dsa
Host server2.nixcraft.com
  IdentityFile /backup/home/userName/.ssh/id_rsa

You can add other settings per host such as port number, X11 forwarding, real hostnames and much more. Save and close the file. You can connect as follows:

ssh user@server2.nixcraft.com
ssh root@server1.nixcraft.com

Recommended readings:

  • See the ssh_config and sshd man page for more information.
Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

{ 10 comments… add one }

  • sujit May 18, 2010, 10:49 am

    Hi friends, it is good. but i am looking for configuration of Central authentication server for ssh login. If you can kindly let me know how to direct the client for the server and how the key pairs to dealt with and so on.. … … thanks

  • Niels van Dijk December 2, 2010, 10:22 am

    Thank you, I was looking for this

  • Chester May 29, 2012, 9:02 pm

    Thanks, I always forget -i !

  • davison July 4, 2013, 8:10 am

    Hello nixcraft,

    I have a query here. I am not able to do this process successfully.
    I have a private key(id_rsa) of a server. I want to log into the server using this private key.
    I have tried your solution
    ssh -i /path/of/id_rsa 192.168.xx.xx
    but it asks password of the server. I don’t have password.
    I can’t save my public key in .ssh directory of server as a authorized_keys because I don’t know the password. Please help me to log into server using private key (that’s all I have) of the server.
    Thanks

    Kind Regards
    dave

    • machoo August 22, 2013, 9:17 pm

      This isn’t intended for getting you access to an account and server that you don’t know the password for. You must know the password for the account on the server so that you can save your public key to the server. This makes the login process easier.

  • Sébastien Pillien July 21, 2013, 5:46 am

    Hello
    First of all, sorry for my poor english
    Here’s What i don’t understand:
    – my ssh config file is like that:
    Host myserver.org
    IdentityFile ~/.ssh/id_rsa
    – ssh -i works
    – ssh works (of course)
    but ssh -v shows me that ssh tries to connect with other keys before this one.
    How can i force id_rsa to be the first key to connect ?
    Best regards

  • Olivier Mengué (DOLMEN) September 20, 2013, 10:26 am

    @ Sébastien
    You must use the IdentitiesOnly option in ~/.ssh/config to force SSH to ignore the other keys.
    If you need this SSH feature for Github accounts, you may be interested in my tool https://github.com/dolmen/github-keygen

  • Alexis July 5, 2014, 1:14 pm

    Legend, thanks for this post. I made a new key value pair without passphrase for easy access to some servers. Putting the file path in a Host declaration in .ssh/config file was a great tip!

  • Dave February 8, 2015, 9:45 pm

    Heh. Uhoh! Well, thanks for locking me out of my own headless server. :) “Permission denied (publickey,keyboard-interactive).” Now I’ve got to pull it out and hook up a monitor again.

  • Dan July 23, 2015, 3:11 am

    @Sujit (5 years ago) you have probably discovered openLDAP can do this by now.

    @Dave (5 months ago) in the future, when making changes to the ssh service, keep one terminal logged in and test with a second terminal to prevent lockouts. You might also consider creating a second account with admin privileges that you can use to get the primary account out of trouble without connecting a keyboard and monitor to get to the console.

    Also, has everyone discovered the Allow/Deny Users/Groups settings in sshd_config? Adding system accounts/groups to the Deny(Users|Groups) lists, knowing that they should “never” be connecting to your server remotely [using ssh anyway] is a good way to increase security. This is especially useful for private, single user, servers connected to the internet.
    If your server is dual homed, you can also lock down access to your local/internal network by changing the ListenAddress from 0.0.0.0 (IPv4) to just your LAN IP address. If you do not have IPv6 on your network, you should comment out the ListenAddress :: line.

Leave a Comment