HostKey vs. AuthorizedKeysFile


I'm trying to configure SSH on a server.

I changed these lines in the server's /etc/ssh/sshd_config:
PermitRootLogin no
AuthorizedKeysFile %h/.ssh/authrized_keys

(authorized_keys is the same as on my machine.)

I connect to the server with this command:
ssh -i ~/.ssh/id_rsa <server's ip>

But it outputs the fingerprint of the server's HostKey (which is
located at /etc/ssh/ssh_host_rsa_key), not the AuthorizedKeysFile

What should I do to make it work?
Will it be enough to comment the HostKey lines in
/etc/ssh/sshd_config? Is it safe?

What else should be done to restrict unauthorized access?
This guide [1] recommends changing ListenAddress to and
Port to 666. (I want to use another port (and another address). Does
it matter? 666 is used by Doom. [2])
Will it work "out of the box" if I change these? Is there a need for a
system level tweaking (firewall etc.)?
I'm new to networking. Could you explain what "Port" and "Listen"
mean in this case?
(Yes, I've read some papers about ports, but I want to understand this
concept completely.)
How to use SSH with a non-standard port? Will it be something like
this: ssh -i ~/.ssh/id_rsa <server's ip>:<new port number>?
Is there a need for a username@ prefix before the server's ip (I
changed PermitRootLogin to no)?



Re: HostKey vs. AuthorizedKeysFile


This is actually the default, except for the typo (missing "o")


By this, I assume you mean that "the contents of ~/.ssh/authorized_keys
on the server are identical to those of ~/.ssh/ on the


The "-i ~/.ssh/id_rsa" part is unnecessary.


These files are completely unrelated.  The host key that is shown when
you log in identifies the server.  You only need to verify and accept it
once; you will not be asked again unless it changes.


The Listen option specifies which IP address SSH should listen on.  The
default is to listen on all of the server's IP addresses; in most cases,
this means its public IP address + localhost ( and / or ::1).

The Port option specifies which TCP port (out of 65,535 possible) it
should listen on.  The default is 22.


Yes, although the "-i ~/.ssh/id_rsa" part is unnecessary.  You can also
set the port in your ~/.ssh/config:

  Port 443

in which case ssh will always use port 443 instead of 22 when connecting
to, unless you explicitly specify a different port.  You
can also use this file to create aliases; for instance, this will allow
you to type "ssh sshex" instead of "ssh":

Host sshex
  Port 443


Only if the username you are logging in as on the server is not the same
as your username on the client.  You can also specify a username in
~/.ssh/config; for instance, with the following:

Host sshex
  Port 443
  User otheruser

the command "ssh sshex" becomes equivalent to the command "ssh"

Dag-Erling Smørgrav -
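
Added example, not part of the original posts: the reply above says the host key fingerprint only needs to be verified once, and this sketch shows what that check compares. It assumes the SHA256 fingerprint format, computed from a public key line such as the one in the server's ssh_host_rsa_key.pub; the function names are hypothetical and the key material is constructed for the demo.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one '<type> <base64-blob> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64_blob = fields[0], fields[1]
    blob = base64.b64decode(b64_blob, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with the key type as an SSH string; a mismatch means
    # the line was edited or corrupted, so refuse to fingerprint it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # Base64 of the digest with the trailing '=' padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pubkey_line: str, shown_by_client: str) -> bool:
    """True if the server-side key yields the fingerprint the client showed."""
    return fingerprint(pubkey_line) == shown_by_client.strip()


def make_demo_pubkey(seed: bytes) -> str:
    """Constructed ed25519-shaped public key line (not a real server's key)."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for the key
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo-host"


if __name__ == "__main__":
    server_key = make_demo_pubkey(b"server")       # read on the server console
    shown = fingerprint(server_key)                # what ssh would display
    print(shown, host_key_matches(server_key, shown))
    other = make_demo_pubkey(b"different-host")    # a different machine's key
    print(host_key_matches(other, shown))          # mismatch: do not accept
```

The authorized_keys file never enters this check: it lists user keys the server accepts, while the fingerprint identifies the server to the client.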

Re: HostKey vs. AuthorizedKeysFile

BTW, if you're completely new to OpenSSH, you may want to read this:

Dag-Erling Smørgrav -
