Here's what happened. On the machines I was trying to reach (10.x.y.182 and 10.x.y.194), in the time when I was not using them they had their hard disks replaced and the OS reinstalled. This gave them new SSH keys, invalidating the ones I had in my ~/.ssh/known_hosts file. Unfortunately, Terminal.app did not surface this problem to me.
By deleting the entries for those machines in ~/.ssh/known_hosts, I forced the system to pull down the new keys and ask me if I wanted to use them. With this done, connections worked perfectly as usual. Oddly, however, even before I changed ~/.ssh/known_hosts, connections using the DNS name of the machine (svr10 and svr20) worked. Weird.
Thanks, everyone, who looked at this problem.
On Reusing Your Windows key.ppk
File
The PPK file is a PuTTY-specific private key. It's not a portable private key that works with any ssh-based application. It just works with PuTTY. You need to convert it first. I've found some instructions for converting it to a proper public/private key pair here. You'll need to do this from your Windows machine.
That will give you a private key, key.ssh
, that will work with ssh on your Mac. Put the key.ssh
file in your ~/.ssh/
directory. Make sure the permissions are correct:
% chmod 400 ~/.ssh/key.ssh
And then you can use it with your ~/.ssh/config
file like so:
Host domain.com
IdentityFile ~/.ssh/key.ssh
User username
If you no longer have access to your Windows machine you'll need to generate a fresh public/private key pair to use with your web server.
On Generating a Fresh Keypair To Use With Your Mac
Honestly, this is the best way to go here.
Password-less authentication with shared keys requires that both machines have a piece of the shared/public key pieces. Here's a complete recipe for setting up a shared key authentication scheme with two servers. It's not really OS X-specific. It's ssh-specific.
These instructions assume host1 is your Mac and host2 is your web server.
Generate a shared key on host1 (the shared key will be /Users/you/.ssh/webserver.pub
and the private key will be /Users/you/.ssh/webserver
):
% ssh-keygen -t rsa -b 2048 -f ~/.ssh/webserver
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in webserver.
Your public key has been saved in webserver.pub.
The key fingerprint is:
98:b7:fa:0f:0d:e7:7f:50:cc:9b:b4:57:db:8d:b4:03 ian@Ian-Chesals-iMac.local
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| o |
| o E * .|
| o S . = *=|
| . * . B.+|
| o o . o |
| . . . . |
| ..... .. |
+-----------------+
Note: I didn't enter a password for the key because I don't want to have to use a password when I use the use.
Now you need to append the ~/.ssh/webserver.pub
public key to the ~user/.ssh/authorized_keys
file on host2, your webserver.
% ssh user@host2 'mkdir ~/.ssh;echo '`cat ~/.ssh/webserver.pub`' >> ~/.ssh/authorized_keys'
For this to work you will need password access to the remote host. If you don't have this you can give ~/.ssh/webserver.pub
to someone who does have access to the box and ask them to append it to the authorized_keys
file for you perhaps. Or do it from your windows machine where you still have access.
Now make sure your private key is safe on your Mac:
% chmod 400 ~/.ssh/webserver*
ssh can get complain-y if your private/public keypairs are world readable or writeable.
Finally, you can add the following to your ~/.ssh/config
file to invoke the right key combination when you try to ssh in to your web server:
Host domain.com
IdentityFile ~/.ssh/webserver
User username
This will get you the password-less, keypair-based authentication you desire.
Best Answer
Look to the title of the window, or the title of the tab if you are using several tabs:
Assuming a worst case when you are unable to change remote's prompt, edit you mac's terminal prompt in order to make most clear if the terminal is at a client of a Mac of yours.
If you use Tmux, configure non defaults
status-fg
status-bg
so that your Mac's local terminals use a different Tmux color than what is configured at your servers.