Ssh – How to merge keys, or handle keys with the same file name

Tags: osx, ssh, ssh-keygen

I created a key for logging into a server (using ssh-keygen) with the name id_rsa, and so in my .ssh directory there is id_rsa.pub and id_rsa.

The reason I used this name, is because when I tried other names, they didn't work with my server (I couldn't log in for some reason).

I set up a new server today (and generated the key on a different computer). But the key name is also id_rsa.

So how do I use the same key on my MacBook Pro (OS X), which already has a key named id_rsa, which is still in use (I can't get rid of it, as I need to use it to log into some other servers)?

Best Answer

Generally speaking SSH keys identify clients, not servers (well, at least for the keys in ~/.ssh). The recommended approach is to generate one key per client, as you’ve done effectively, and to add all the appropriate public keys to ~/.ssh/authorized_keys on the servers/accounts you need to access.

So on your Macbook Pro, you wouldn’t add the new server’s key, you’d add your existing key (stored on the Macbook) to the new server, typically by using

ssh-copy-id <username>@<server>

If that doesn’t work,

cat ~/.ssh/id_rsa.pub

on your Macbook and copy/paste that at the end of ~/.ssh/authorized_keys on the server.

Each account you need to use on each server will end up with a ~/.ssh/authorized_keys looking something like

ssh-rsa AAAAuifi4poojaixahV8thaQu3eQueex0iequ7Eephua4sai8liwiezaic8othisieseepheexaa1zohdouk5ooxas0aoN9ouFa3ejuiK2odahy8Opaen0Niech4Vaegiphagh4EileiHuchoovusu3awahmo4hooShoocoshi3zohw4ieShaivoora7ruuy7igii3UkeeNg5oph6ohN4ciepaifee8ipas9Gei4cee1SohSoo2oCh5ieta5ohQu6eu5PhoomuxoowigaeH2ophau0xo5phoosh3mah7cheD3ioph1FeeZaudiMei4eighish3deixeiceangah5peeT8EeCheipaiLoonaaPhiej0toYe6== user1@host1
ssh-rsa AAAAsaengaitoh4eiteshijee8ohFichah1chaesh4Oeroh2Chae8aich2os1akoh4Waifee5dai3roethah9oojahnietaexo0ia0xiegheixaiwo8aeshui8uZ4chooCohtei8ooMieloo0pahghaeShooth3zae7eigoSe9arei0lohpeij4aeJ3sahfahviaNiejoozeu1zooth8meibooph5IeGuun1lothiur6aleaw8shuof6fah7ooboophoo8nae6aipieshahcae4ShochohZoh4gohX7aes7aes4bo1eiNaeng7Eeghoh6Ge3Maenoh0qui1eiphahWotahGai8ohYohchuubohp3va5dohs== user2@host1
ssh-rsa AAAA3Zohquoh8UavooveiF0aGho8tokaduih4eosai4feiCoophie7ekisuoNii0raizaighahfaik6aibeviojabee1Sheifo8mae0tiecei4Bai8gaiyahvo1eememofiesai0Teyooghah6iovi1zaibie3aePaFeishie0Pheitahka0FaisieVeuceekooSoopoox7Ahhaed2oi6Faeph1airaizee7Aeg8Aiya2oongaC9ing6iGheeg8chei1ogheighieghie1Apode3shibai5eit8oa5shahDaic0shishie0ies7Aijee5ohk1aetha1Quieyafu2oa0Ahwee3mu9tae4AebeiveeFiewohj== user1@host2

The lines will wrap in most editors, so it won’t look quite like the above when viewed; but there is only one line per key. Each line takes the form

[options] key-type public-key comment

The important part in this is the middle section which is the base64-encoded public key. Any user with a matching private key will be allowed on the server.

The key-type is usually ssh-rsa nowadays, but you can expect to see other types become more popular in the future (such as ssh-ed25519). This depends on the options given when the key was generated.

The comment is only there to help people identify the keys, so that once in a while someone can go through the list of authorized keys and make sensible decisions about whether to keep a key or not (disabling a key is as easy as commenting the line out with a # at the start of the file). Typically the comment is the username and hostname corresponding to the generated key (i.e. your username when you ran ssh-keygen and the hostname of the client computer).

The optional options (there aren’t any in the example above) allow you to control what the users are allowed to do on the server, and/or to constrain the keys (requiring them to be signed by a specific certificate authority for example). For details, see the sshd manpage (search for “AUTHORIZED_KEYS FILE FORMAT”).
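A small checker for the `[options] key-type public-key comment` line format the answer describes, added here as an illustration and not part of the original post. It assumes the OpenSSH convention that the base64 blob begins with its own key type as a length-prefixed string (so a mislabelled line can be spotted before sshd silently ignores it); `fake_blob` is a hypothetical helper that builds constructed, non-functional keys so the example runs offline.

```python
import base64
import re
import struct

# Key types current OpenSSH accepts (the page's ssh-rsa and ssh-ed25519 among them).
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[\w.@-]+)$")
# The optional leading options field; quoted values may contain spaces and commas.
OPTIONS_RE = re.compile(r'^((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+')

def parse_line(line):
    """Split one key line into options, key-type, key, comment, plus the key type
    that is stored inside the base64 blob. Raises ValueError if malformed."""
    s, options = line.strip(), ""
    if not KEY_TYPE_RE.match((s.split(None, 1) or [""])[0]):  # first field is options
        m = OPTIONS_RE.match(s)
        if not m:
            raise ValueError("unparseable options")
        options, s = m.group(1), s[m.end():]
    parts = s.split(None, 2)
    if len(parts) < 2 or not KEY_TYPE_RE.match(parts[0]):
        raise ValueError("missing key type or key")
    blob = base64.b64decode(parts[1], validate=True)  # ValueError on bad base64
    # An OpenSSH blob starts with its own key type as a 4-byte-length-prefixed
    # string; sshd rejects the entry if that disagrees with the declared key-type.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else len(blob) + 1
    if len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return {"options": options, "key_type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else "",
            "blob_type": blob[4:4 + n].decode("ascii", "replace")}

def classify(line):
    """One status per line: 'blank', 'disabled', 'ok', 'mismatch' or 'error: ...'."""
    s = line.strip()
    if not s:
        return "blank"
    if s.startswith("#"):  # the answer's way of disabling a key
        return "disabled"
    try:
        e = parse_line(s)
    except ValueError as exc:
        return "error: " + str(exc)
    return "ok" if e["key_type"] == e["blob_type"] else "mismatch"

def fake_blob(key_type):
    """Constructed stand-in for a real key: correct type header, dummy key material."""
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type.encode() + b"\0" * 16).decode()

if __name__ == "__main__":
    print(classify("ssh-ed25519 " + fake_blob("ssh-rsa") + " mislabelled@host3"))  # mismatch
```

Run it over each line of an authorized_keys file to find entries that are disabled, mislabelled or unparseable before relying on them.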
