Force SSH Client To Use Given Private Key ( identity file )

Posted on in Categories last updated May 17, 2010

Recently, my desktop hard disk crashed. So I reinstalled Linux and created a new set of private RSA keys for authentication. However, two of my remote UNIX servers still uses old DSA keys. I do not remember root password for those servers. I do have backup of private and public DSA keys and currently stored in /backup/home/user/.ssh/id_dsa and /backup/home/user/.ssh/ How do I force my ssh clients to use identity file /backup/home/user/.ssh/id_dsa to get back to my remote UNIX servers?

The ssh client allows you to selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). The syntax is as follows:

ssh -i /path/to/id_rsa
ssh -i /path/to/id_dsa

To use /backup/home/user/.ssh/id_dsa, enter:

ssh -i /backup/home/user/.ssh/id_dsa

~/.ssh/config SSH Client Configuration

You can set identity file in ~/.ssh/config as follows:
vi ~/.ssh/config
Add both host names and their identity file as follows:

  IdentityFile ~/backups/.ssh/id_dsa
  IdentityFile /backup/home/userName/.ssh/id_rsa

You can add other settings per host such as port number, X11 forwarding, real hostnames and much more. Save and close the file. You can connect as follows:


Recommended readings:

  • See the ssh_config and sshd man page for more information.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

11 comment

  1. Hi friends, it is good. but i am looking for configuration of Central authentication server for ssh login. If you can kindly let me know how to direct the client for the server and how the key pairs to dealt with and so on.. … … thanks

  2. Hello nixcraft,

    I have a query here. I am not able to do this process successfully.
    I have a private key(id_rsa) of a server. I want to log into the server using this private key.
    I have tried your solution
    ssh -i /path/of/id_rsa 192.168.xx.xx
    but it asks password of the server. I don’t have password.
    I can’t save my public key in .ssh directory of server as a authorized_keys because I don’t know the password. Please help me to log into server using private key (that’s all I have) of the server.

    Kind Regards

    1. This isn’t intended for getting you access to an account and server that you don’t know the password for. You must know the password for the account on the server so that you can save your public key to the server. This makes the login process easier.

  3. Hello
    First of all, sorry for my poor english
    Here’s What i don’t understand:
    – my ssh config file is like that:
    IdentityFile ~/.ssh/id_rsa
    – ssh -i works
    – ssh works (of course)
    but ssh -v shows me that ssh tries to connect with other keys before this one.
    How can i force id_rsa to be the first key to connect ?
    Best regards

  4. Legend, thanks for this post. I made a new key value pair without passphrase for easy access to some servers. Putting the file path in a Host declaration in .ssh/config file was a great tip!

  5. Heh. Uhoh! Well, thanks for locking me out of my own headless server. :) “Permission denied (publickey,keyboard-interactive).” Now I’ve got to pull it out and hook up a monitor again.

  6. @Sujit (5 years ago) you have probably discovered openLDAP can do this by now.

    @Dave (5 months ago) in the future, when making changes to the ssh service, keep one terminal logged in and test with a second terminal to prevent lockouts. You might also consider creating a second account with admin privileges that you can use to get the primary account out of trouble without connecting a keyboard and monitor to get to the console.

    Also, has everyone discovered the Allow/Deny Users/Groups settings in sshd_config? Adding system accounts/groups to the Deny(Users|Groups) lists, knowing that they should “never” be connecting to your server remotely [using ssh anyway] is a good way to increase security. This is especially useful for private, single user, servers connected to the internet.
    If your server is dual homed, you can also lock down access to your local/internal network by changing the ListenAddress from (IPv4) to just your LAN IP address. If you do not have IPv6 on your network, you should comment out the ListenAddress :: line.

Comments are closed.