- HostKey vs. AuthorizedKeysFile
March 26, 2012, 10:30 am
I'm trying to configure SSH on a server.
I changed these lines in the server's /etc/ssh/sshd_config:
(authorized_keys is the same as id_rsa.pub on my machine.)
I connect to the server with this command:
ssh -i ~/.ssh/id_rsa <server's ip>
But it outputs the fingerprint of the server's HostKey (which is
located at /etc/ssh/ssh_host_rsa_key), not the AuthorizedKeysFile
What should I do to make it work?
Will it be enough to comment the HostKey lines in
/etc/ssh/sshd_config? Is it safe?
What else should be done to restrict unauthorized access?
This guide recommends changing ListenAddress to 192.168.0.1 and
Port to 666. (I want to use another port (and another address). Does
it matter? 666 is used by Doom.)
Will it work "out of the box" if I change these? Is there a need for a
system level tweaking (firewall etc.)?
I'm new to networking. Could you explain what "Port" and "Listen"
mean in this case?
(Yes, I've read some papers about ports, but I want to understand this
How to use SSH with a non-standard port? Will it be something like
this: ssh -i ~/.ssh/id_rsa <server's ip>:<new port number>?
Is there a need for a username@ prefix before the server's ip (I
changed PermitRootLogin to no)?
- Dag-Erling Smørgrav
March 27, 2012, 11:16 am
Re: HostKey vs. AuthorizedKeysFile
This is actually the default, except for the typo (missing "o")
By this, I assume you mean that "the contents of ~/.ssh/authorized_keys
on the server are identical to those of ~/.ssh/id_rsa.pub on the
The "-i ~/.ssh/id_rsa" part is unnecessary.
These files are completely unrelated. The host key that is shown when
you log in identifies the server. You only need to verify and accept it
once; you will not be asked again unless it changes.
The Listen option specifies which IP address SSH should listen on. The
default is to listen on all of the server's IP addresses; in most cases,
this means its public IP address + localhost (127.0.0.1 and / or ::1).
The Port option specifies which TCP port (out of 65,535 possible) it
should listen on. The default is 22.
Yes, although the "-i ~/.ssh/id_rsa" part is unnecessary. You can also
set the port in your ~/.ssh/config:
in which case ssh will always use port 443 instead of 22 when connecting
to ssh.example.com, unless you explicitly specify a different port. You
can also use this file to create aliases; for instance, this will allow
you to type "ssh sshex" instead of "ssh ssh.example.com:443":
Only if the username you are logging in as on the server is not the same
as your username on the client. You can also specify a username in
~/.ssh/config; for instance, with the following:
the command "ssh sshex" becomes equivalent to the command "ssh
Dag-Erling Smørgrav - email@example.com
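Added example, not part of the original posts: a short Python sketch of why the fingerprint shown at connect time never matches anything in authorized_keys. It computes fingerprints in the SHA256 format and in the older colon-separated MD5 format, then checks that an authorized_keys entry is the same key as id_rsa.pub while the host key is a different key. The key lines are constructed from toy moduli, and the comments and the `from=` address are hypothetical.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # 4-byte length prefix

def _mpint(n: int) -> bytes:
    # Positive SSH mpint: big-endian with a leading zero byte when the top bit is set
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def toy_pubkey_line(modulus: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64> <comment>' line from a toy modulus (not a usable key)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def key_blob(line: str) -> bytes:
    """Decode the key blob from a .pub or authorized_keys line; leading options are skipped."""
    fields = line.split()
    for kind, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # not base64, so this pair is not "<type> <blob>"
            continue
        # The blob starts with its own key type as a length-prefixed string
        if blob.startswith(_ssh_string(kind.encode())):
            return blob
    raise ValueError("no public key found in line")

def fingerprint_sha256(line: str) -> str:
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(line: str) -> str:
    hexd = hashlib.md5(key_blob(line)).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))

def same_key(a: str, b: str) -> bool:
    return key_blob(a) == key_blob(b)

# Constructed sample data (toy moduli, hypothetical comments and address)
HOST_KEY_PUB = toy_pubkey_line(0xC0FFEE0123456789ABCDEF, "root@server")  # server's ssh_host_rsa_key.pub
USER_KEY_PUB = toy_pubkey_line(0xDEADBEEF0123456789ABCD, "me@laptop")    # client's ~/.ssh/id_rsa.pub
AUTHORIZED_LINE = 'from="192.0.2.10" ' + USER_KEY_PUB                    # server's ~/.ssh/authorized_keys

if __name__ == "__main__":
    print("host key  :", fingerprint_sha256(HOST_KEY_PUB), fingerprint_md5(HOST_KEY_PUB))
    print("user key  :", fingerprint_sha256(USER_KEY_PUB))
    print("authorized:", fingerprint_sha256(AUTHORIZED_LINE))
    print("authorized_keys entry matches id_rsa.pub:", same_key(AUTHORIZED_LINE, USER_KEY_PUB))
```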
- Dag-Erling Smørgrav
March 27, 2012, 11:19 am