Force SSH Client To Use Given Private Key (Identity File)

Recently, my desktop hard disk crashed. So I reinstalled Linux and created a new set of private RSA keys for authentication. However, two of my remote UNIX servers still use old DSA keys. I do not remember the root password for those servers. I do have a backup of the private and public DSA keys, currently stored in /backup/home/user/.ssh/id_dsa and /backup/home/user/.ssh/ How do I force my ssh client to use the identity file /backup/home/user/.ssh/id_dsa to get back to my remote UNIX servers?

The ssh client's -i option selects the file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). The syntax is as follows, where user@hostname stands for your login name and the remote server:

ssh -i /path/to/id_rsa user@hostname
ssh -i /path/to/id_dsa user@hostname

To use /backup/home/user/.ssh/id_dsa, enter (user@server1.example.com is a placeholder for your own login and server):

ssh -i /backup/home/user/.ssh/id_dsa user@server1.example.com

~/.ssh/config SSH Client Configuration

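You can set the identity file in ~/.ssh/config as follows:
vi ~/.ssh/config
Add both host names and their identity files as follows (server1.example.com and server2.example.com are placeholder host names):

Host server1.example.com
  IdentityFile ~/backups/.ssh/id_dsa
Host server2.example.com
  IdentityFile /backup/home/userName/.ssh/id_rsa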

You can add other per-host settings such as port number, X11 forwarding, real host names and much more. Save and close the file. You can then connect to each host with ssh as usual; the identity file configured for that host is used.


Recommended readings:

  • See the ssh_config and sshd man pages for more information.
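
The script below is an added example, not part of the original tutorial: it checks that a private key restored from backup is accessible only by its owner (ssh ignores a key that group or others can read), writes a Host block that pins the key with IdentityFile and IdentitiesOnly (the option raised in the comments below), and uses ssh -G to print the identity ssh would use without connecting. The alias old-server, the host server1.example.com, the user name and the empty stand-in key file are assumptions made for the demo.

```sh
#!/bin/sh
# Added example (not from the original page). Host alias, host name and
# user are placeholders; the key file is an empty stand-in built for the demo.

# 0 if only the owner can access the key; ssh ignores a private key whose
# mode grants anything to group or other ("UNPROTECTED PRIVATE KEY FILE").
key_perms_ok() {
    [ -f "$1" ] || return 2
    case "$(stat -c '%a' "$1")" in   # GNU stat, prints e.g. 600
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a Host block that pins one identity file to one host alias.
# IdentitiesOnly keeps ssh from offering agent or default keys first.
host_block() {
    printf 'Host %s\n  HostName %s\n  User %s\n' "$1" "$2" "$3"
    printf '  IdentityFile %s\n  IdentitiesOnly yes\n' "$4"
}

# Show which identity ssh would use for an alias, without connecting.
effective_identity() {
    ssh -G -F "$1" "$2" | grep -E '^(identityfile|identitiesonly) '
}

# Demo on constructed data in a throwaway directory.
demo() {
    dir=$(mktemp -d) || return 1
    key="$dir/id_dsa"; cfg="$dir/config"
    : > "$key"; chmod 644 "$key"
    key_perms_ok "$key" || echo "mode too open, tightening: $key"
    chmod 600 "$key"
    host_block old-server server1.example.com user "$key" > "$cfg"
    cat "$cfg"
    if command -v ssh >/dev/null 2>&1; then
        effective_identity "$cfg" old-server || echo "ssh -G not supported here"
    fi
    rm -rf "$dir"
}
demo
```

The -G option requires OpenSSH 6.8 or later.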

11 comments
  • sujit May 18, 2010 @ 10:49

    Hi friends, it is good, but I am looking for configuration of a central authentication server for ssh login. If you can kindly let me know how to direct the client to the server and how the key pairs are to be dealt with and so on… thanks

  • Niels van Dijk Dec 2, 2010 @ 10:22

    Thank you, I was looking for this

  • Chester May 29, 2012 @ 21:02

    Thanks, I always forget -i !

  • davison Jul 4, 2013 @ 8:10

    Hello nixcraft,

    I have a query here. I am not able to do this process successfully.
    I have a private key (id_rsa) of a server. I want to log into the server using this private key.
    I have tried your solution
    ssh -i /path/of/id_rsa 192.168.xx.xx
    but it asks for the password of the server. I don’t have the password.
    I can’t save my public key in the .ssh directory of the server as an authorized_keys file because I don’t know the password. Please help me to log into the server using the private key (that’s all I have) of the server.

    Kind Regards

    • machoo Aug 22, 2013 @ 21:17

      This isn’t intended for getting you access to an account and server that you don’t know the password for. You must know the password for the account on the server so that you can save your public key to the server. This makes the login process easier.

  • Sébastien Pillien Jul 21, 2013 @ 5:46

    First of all, sorry for my poor English.
    Here’s what I don’t understand:
    – my ssh config file is like this:
    IdentityFile ~/.ssh/id_rsa
    – ssh -i works
    – ssh works (of course)
    but ssh -v shows me that ssh tries to connect with other keys before this one.
    How can I force id_rsa to be the first key to connect?
    Best regards

  • Olivier Mengué (DOLMEN) Sep 20, 2013 @ 10:26

    @ Sébastien
    You must use the IdentitiesOnly option in ~/.ssh/config to force SSH to ignore the other keys.
    If you need this SSH feature for Github accounts, you may be interested in my tool

  • Alexis Jul 5, 2014 @ 13:14

    Legend, thanks for this post. I made a new key value pair without passphrase for easy access to some servers. Putting the file path in a Host declaration in .ssh/config file was a great tip!

  • Dave Feb 8, 2015 @ 21:45

    Heh. Uhoh! Well, thanks for locking me out of my own headless server. :) “Permission denied (publickey,keyboard-interactive).” Now I’ve got to pull it out and hook up a monitor again.

  • Dan Jul 23, 2015 @ 3:11

    @Sujit (5 years ago) you have probably discovered openLDAP can do this by now.

    @Dave (5 months ago) in the future, when making changes to the ssh service, keep one terminal logged in and test with a second terminal to prevent lockouts. You might also consider creating a second account with admin privileges that you can use to get the primary account out of trouble without connecting a keyboard and monitor to get to the console.

    Also, has everyone discovered the Allow/Deny Users/Groups settings in sshd_config? Adding system accounts/groups to the Deny(Users|Groups) lists, knowing that they should “never” be connecting to your server remotely [using ssh anyway] is a good way to increase security. This is especially useful for private, single user, servers connected to the internet.
    If your server is dual homed, you can also lock down access to your local/internal network by changing the ListenAddress from (IPv4) to just your LAN IP address. If you do not have IPv6 on your network, you should comment out the ListenAddress :: line.

  • Luis Jun 11, 2017 @ 6:58

    Thanks, this helped me!
