copy ssh private keys to another computer
I need to use another computer to access my ssh server. This is because a recently implemented VPN at my university doesn't work on my current computer and I have lost access to the server.
I ssh via encrypted ssh keys. Can I copy these keys to the new computer (on which the VPN works)? I tried copying the id_rsa and id_rsa.pub files in the ~/.ssh folder but it doesn't recognize the keys and there is no prompt to input a password to decrypt the keys.
EDIT: I can't access the server to generate a new key pair for the new computer and am out of the country so can't physically access it.
Thanks.
6
3 Answers
Check the permissions and ownership of your private key file. From the manual,
These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others.
Typically the key files should look like this,
$ ls -l ~/.ssh/id_rsa*
-rw------- 1 benj benj 1766 Jun 22 2011 .ssh/id_rsa
-rw-r--r-- 1 benj benj 388 Jun 22 2011 .ssh/id_rsa.pub
which you can enforce via:
$ chown benj:benj ~/.ssh/id_rsa*
$ chmod 600 ~/.ssh/id_rsa
$ chmod 644 ~/.ssh/id_rsa.pub
5
Try running ssh-add before you SSH into the server - you should then be prompted for the password and then subsequent ssh connects can use your private key.
The ssh-add command adds the keys to the key agent.
Encrypted private keys hold their corresponding public key unencrypted. This is how the SSH client can connect to the remote server without asking you for the password (it only offers the public part at that point). Whenever the server accepts the public key, the client on your PC wants to decrypt the private key and will ask you for the passphrase.
Now, whenever the server only accepts connections from a specific IP address, this is declined already in the first step and explains the message you got from the server "Roaming not allowed by server".
So, my best guess is that your server is restricted in some way to allow only specific IP addresses for this key. You can do this in several ways, but this is a common one in ~/.ssh/authorized_keys:
from="192.168.1.2" ssh-rsa AAAAB3NzaC[...]
To prove that you can read the public key out of an encrypted private key without password, run:
ssh-keygen -y -f /path/to/private/key
1
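The permission and ownership check from the first answer, written as a script. This is an added example and not part of any of the original answers; the function names and the usage line are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit copied SSH private keys the way the first answer describes.
# Usage (hypothetical script name): sh check_keys.sh ~/.ssh/id_rsa [more keys...]

# Octal permission bits and numeric owner (GNU stat first, BSD stat as fallback).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Print one status word for a private key file:
#   ok           owned by the current user, no group/other permission bits
#   too-open     group or other bits set; ssh ignores a key like this
#   wrong-owner  owned by a different user (for example, copied as root)
#   missing      not a regular file
key_perm_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    if [ "$(file_owner "$1")" != "$(id -u)" ]; then
        echo wrong-owner
    elif [ $(( 0$(file_mode "$1") & 077 )) -ne 0 ]; then
        echo too-open
    else
        echo ok
    fi
}

# Apply the modes from the answer: 600 on the private key, 644 on its .pub.
fix_key_perms() {
    chmod 600 "$1" || return 1
    if [ -f "$1.pub" ]; then chmod 644 "$1.pub"; fi
}

# Report each key named on the command line and repair the ones ssh would skip.
for key in "$@"; do
    status=$(key_perm_status "$key")
    echo "$key: $status"
    if [ "$status" = too-open ]; then
        fix_key_perms "$key" && echo "$key: now $(key_perm_status "$key")"
    fi
done
```

A wrong-owner result is only reported, not repaired, because changing ownership normally needs root (the chown step in the answer).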