
Aug 20, 2020

Identify and specify Identity File used by SSH


Recently, I have been looking into improving our access management for our EC2 instances at Naluri and came across the EC2 Instance Connect feature. While experimenting with it, I learned a thing or two about ssh.

In this post, we are going to cover two topics: how to find out which private key ssh actually used to log in, and how to make ssh use only the key you specify.

Which private key is ssh using?

When I was experimenting with EC2 Instance Connect, I tried to ssh with a private key that was supposed to have expired, yet I could still ssh into the application server. This seemed weird, so I needed to find out which private key ssh had actually used to get in. After some googling, I found the answer here, which is:

ssh -v user@ip_address

After running the above you will see additional logs on what ssh goes through before connecting to the remote server (the debug output is written to stderr, so add 2>&1 if you want to pipe it into grep; -vv or -vvv prints even more detail). It looks like this:

OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/kai/.ssh/config
...
debug1: Authenticating to <ip_address>:<port> as '<user>'
...
debug1: Will attempt key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Will attempt key:  RSA SHA256:klrkbMg/32KGGbqW2GCEeWIx4MQ4aYJZonF0XIexVlI agent
debug1: Will attempt key: [email protected] RSA SHA256:utKcZ1r14VeHKyagE7IdqKOkZ+fWVVtk05zpl/K+tQQ agent
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Server accepts key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Authentication succeeded (publickey).
Authenticated to <ip_address> (via proxy).
...

Among these logs, the most relevant ones are these two lines:

debug1: Offering public key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent
debug1: Server accepts key: /Users/kai/.ssh/id_rsa RSA SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM agent

Here the log gives the fingerprint of the public key that the remote server accepted. To identify which key pair that is, we need the fingerprint of each key pair we have and compare. ssh-keygen can compute it from the public key file (the trailing "agent" in the log means the key was offered through ssh-agent; ssh-add -l prints the fingerprints of every key the agent holds, in the same format):

ssh-keygen -lf ~/.ssh/id_rsa.pub
#=> 2048 SHA256:LJnPQHkVlt+cqWslxTzObpDezpdjgIKdfh8qa7u4ftM [email protected] (RSA)

If the fingerprint matches (as it does in this case), you have found it: that is the key pair the remote server accepted. If it does not match, get the fingerprints of the other SSH key pairs you have used before, and of the keys loaded into your agent, until one does.
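To make the matching repeatable, here is an added example (not code from the original post) that parses the "Server accepts key" line out of ssh -v output and looks the fingerprint up in an inventory built from ssh-keygen -lf and ssh-add -l output. The log excerpt, key paths, user names and fingerprints are constructed for the demo; only the build_inventory and probe_host helpers touch real keys and a real server.

```shell
#!/bin/sh
# Added example, not code from the original post: work out which local key
# the server accepted by matching the fingerprint that `ssh -v` reports
# against an inventory of fingerprints in `ssh-keygen -lf` / `ssh-add -l` format.
# Paths, user names and fingerprints below are constructed, not real.

# Constructed excerpt of `ssh -v` output for a login where the second key won.
SAMPLE_SSH_LOG='debug1: Offering public key: /home/alice/.ssh/id_rsa RSA SHA256:AAAAconstructedFingerprint1 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:BBBBconstructedFingerprint2 agent
debug1: Server accepts key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:BBBBconstructedFingerprint2 agent
debug1: Authentication succeeded (publickey).'

# Constructed inventory: one line per key, as printed by ssh-keygen -lf or ssh-add -l.
SAMPLE_INVENTORY='2048 SHA256:AAAAconstructedFingerprint1 alice@laptop (RSA)
256 SHA256:BBBBconstructedFingerprint2 alice@hardware-token (ED25519)
3072 SHA256:CCCCconstructedFingerprint3 deploy@ci (RSA)'

# accepted_fingerprint LOG: print the fingerprint from the first
# "Server accepts key" line; return 1 if the log contains none.
accepted_fingerprint() {
    printf '%s\n' "$1" \
        | sed -n 's#.*Server accepts key: .*\(SHA256:[A-Za-z0-9+/=]*\).*#\1#p' \
        | head -n 1 | grep .
}

# match_key FINGERPRINT INVENTORY: print the inventory line(s) carrying that
# fingerprint (the spaces around it avoid prefix matches); return 1 if none do.
match_key() {
    printf '%s\n' "$2" | grep -F -- " $1 "
}

# which_key LOG INVENTORY: tie the two together. Exit 1 if nothing was
# accepted, 2 if the accepted key is not in the inventory (worth investigating).
which_key() {
    fp=$(accepted_fingerprint "$1") || { echo "no key was accepted" >&2; return 1; }
    match_key "$fp" "$2" || { echo "accepted key $fp is not in the inventory" >&2; return 2; }
}

# build_inventory DIR: real inventory of your own keys, for use outside the
# demo. Needs ssh-keygen and, for the agent part, a running ssh-agent.
build_inventory() {
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] && ssh-keygen -lf "$pub"
    done
    ssh-add -l 2>/dev/null   # keys the agent holds, same output format
    return 0
}

# probe_host DEST: log in non-interactively, capture the debug output (which
# ssh writes to stderr) and report which inventory key the server accepted.
probe_host() {
    log=$(ssh -v -o BatchMode=yes "$1" exit 2>&1)
    which_key "$log" "$(build_inventory "$HOME/.ssh")"
}

# Demo on the constructed data: prints the ED25519 inventory line.
which_key "$SAMPLE_SSH_LOG" "$SAMPLE_INVENTORY"
```

On a real machine, probe_host user@host does the whole job in one go; exit code 2 means the server accepted a key that is not in your ~/.ssh or your agent, which is exactly the situation worth chasing.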

How to use only a specific key when connecting with ssh

I wanted to test whether I could still ssh into the remote server after EC2 Instance Connect had expired my SSH key. However, if I just use:

# my_rsa_key is expired by now
ssh -i my_rsa_key user@ip_address

I would always ssh into the remote server successfully, because I have another public key in the server's authorized_keys and ssh also offers every key held by ssh-agent, not just the one passed with -i, until the server accepts one. To stop ssh from trying other keys the remote server might accept, we need to tell it to use only the identity file we provide, which can be done like this:

# Note that I am passing private key file
ssh -o IdentitiesOnly=yes -i my_rsa_key user@ip_address

With this, ssh will only offer the identity file you provided. Do note, however, that if the file does not exist, ssh prints a warning ("Warning: Identity file my_rsa_key not accessible: No such file or directory.") and then carries on with its default identity files, so it can still log you in with a different key. Check for that warning, or check that the file exists, before trusting the result of such a test.
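The missing-file fallback is easy to overlook in a script, so here is an added example (not code from the original post) of a small wrapper that fails closed: it refuses to run ssh at all when the key file is absent, always passes IdentitiesOnly=yes, and adds a non-interactive check for the "is this key still accepted?" question above. The SSH_BIN variable exists only so the wrapper can be dry-run; the host and user in the usage note are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper that makes ssh
# authenticate with exactly one key and fails closed if that key file is
# missing, since ssh itself only warns about a missing -i file and then
# falls back to its default identity files. Host and user names in the
# usage notes are placeholders.

SSH_BIN=${SSH_BIN:-ssh}   # overridable so the wrapper can be dry-run

# ssh_with_key KEYFILE [ssh arguments...]
# Returns 2 without touching the network when KEYFILE is absent or unreadable.
ssh_with_key() {
    key=$1
    shift
    if [ ! -f "$key" ] || [ ! -r "$key" ]; then
        echo "ssh_with_key: identity file '$key' missing or unreadable; not falling back to other keys" >&2
        return 2
    fi
    # IdentitiesOnly=yes: offer only this identity, even if ssh-agent holds more keys.
    "$SSH_BIN" -o IdentitiesOnly=yes -i "$key" "$@"
}

# key_accepted KEYFILE DEST: non-interactive check of whether DEST still
# accepts KEYFILE. BatchMode=yes stops ssh from prompting for a password or
# passphrase, so a rejected key fails instead of hanging. Exit 0 = still accepted.
key_accepted() {
    ssh_with_key "$1" -o BatchMode=yes -o ConnectTimeout=10 "$2" exit 2>/dev/null
}
```

Usage: key_accepted ./my_rsa_key ec2-user@203.0.113.10 && echo "key still accepted" (placeholder address). If you also want to be sure the agent is not consulted at all, add -o IdentityAgent=none to the ssh_with_key call; the key must then be readable from disk, so an agent-only key such as one on a hardware token will not work through that path.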

Wrap Up

Here, I am just sharing another new thing I learned from the internet. Hope it helps!