Here's what happened. On the machines I was trying to reach (10.x.y.182 and 10.x.y.194), in the time when I was not using them they had their hard disks replaced and the OS reinstalled. This gave them new SSH keys, invalidating the ones I had in my ~/.ssh/known_hosts file. Unfortunately, Terminal.app did not surface this problem to me.

By deleting the entries for those machines in ~/.ssh/known_hosts, I forced the system to pull down the new keys and ask me if I wanted to use them. With this done, connections worked perfectly as usual. Oddly, however, even before I changed ~/.ssh/known_hosts, connections using the DNS name of the machine (svr10 and svr20) worked. Weird.

Thanks, everyone, who looked at this problem.

On Reusing Your Windows key.ppk File

The PPK file is a PuTTY-specific private key. It's not a portable private key that works with any ssh-based application. It just works with PuTTY. You need to convert it first. I've found some instructions for converting it to a proper public/private key pair here. You'll need to do this from your Windows machine.

That will give you a private key, key.ssh, that will work with ssh on your Mac. Put the key.ssh file in your ~/.ssh/ directory. Make sure the permissions are correct:

% chmod 400 ~/.ssh/key.ssh

And then you can use it with your ~/.ssh/config file like so:

Host domain.com
  IdentityFile ~/.ssh/key.ssh
  User username

If you no longer have access to your Windows machine you'll need to generate a fresh public/private key pair to use with your web server.

On Generating a Fresh Keypair To Use With Your Mac

Honestly, this is the best way to go here.

Password-less authentication with shared keys requires that both machines have a piece of the shared/public key pieces. Here's a complete recipe for setting up a shared key authentication scheme with two servers. It's not really OS X-specific. It's ssh-specific.

These instructions assume host1 is your Mac and host2 is your web server.

Generate a shared key on host1 (the shared key will be /Users/you/.ssh/webserver.pub and the private key will be /Users/you/.ssh/webserver):

% ssh-keygen -t rsa -b 2048 -f ~/.ssh/webserver
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in webserver.
Your public key has been saved in webserver.pub.
The key fingerprint is:
98:b7:fa:0f:0d:e7:7f:50:cc:9b:b4:57:db:8d:b4:03 ian@Ian-Chesals-iMac.local
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|             o   |
|       o    E * .|
|      o S .  = *=|
|       . *  . B.+|
|        o o  . o |
|       . . .  .  |
|      ..... ..   |
+-----------------+

Note: I didn't enter a password for the key because I don't want to have to use a password when I use the use.

Now you need to append the ~/.ssh/webserver.pub public key to the ~user/.ssh/authorized_keys file on host2, your webserver.

% ssh user@host2 'mkdir ~/.ssh;echo '`cat ~/.ssh/webserver.pub`' >> ~/.ssh/authorized_keys'

For this to work you will need password access to the remote host. If you don't have this you can give ~/.ssh/webserver.pub to someone who does have access to the box and ask them to append it to the authorized_keys file for you perhaps. Or do it from your windows machine where you still have access.

Now make sure your private key is safe on your Mac:

% chmod 400 ~/.ssh/webserver*

ssh can get complain-y if your private/public keypairs are world readable or writeable.

Finally, you can add the following to your ~/.ssh/config file to invoke the right key combination when you try to ssh in to your web server:

Host domain.com
  IdentityFile ~/.ssh/webserver
  User username

This will get you the password-less, keypair-based authentication you desire.