Copy ssh key onto another machine so I can use GitHub there?

I have a remote server. I can already ssh successfully onto that remote server - my key is in authorized_keys on the remote server.

Now I want to pull from GitHub directly onto that remote server. But I'm getting permission denied (publickey) when I try ssh -T git@github.com on the remote server.

Should I copy id_rsa.pub directly from my local machine onto the remote server, or is that dangerous?

If this is the answer, what's the best way to do it?

Or should I generate a new public key on the remote server, and add that to my github acocount?

UPDATE:

Here's the output from a verbose ssh:

~$ ssh -Tv git@github.com
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [192.30.252.131] port 22.
debug1: Connection established.
debug1: identity file /home/richard/.ssh/id_rsa type -1
debug1: identity file /home/richard/.ssh/id_rsa-cert type -1
debug1: identity file /home/richard/.ssh/id_dsa type -1
debug1: identity file /home/richard/.ssh/id_dsa-cert type -1
debug1: identity file /home/richard/.ssh/id_ecdsa type -1
debug1: identity file /home/richard/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version libssh-0.6.0
debug1: no match: libssh-0.6.0
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/richard/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/richard/.ssh/id_rsa
debug1: Trying private key: /home/richard/.ssh/id_dsa
debug1: Trying private key: /home/richard/.ssh/id_ecdsa
debug1: No more authentication

Richard

Posted 2015-04-22T10:47:23.690

Reputation: 419

I've just tried setting up ssh agent forwarding, using my server's IP address: https://developer.github.com/guides/using-ssh-agent-forwarding/ But I'm still getting Permission denied (publickey) on the remote machine.

– Richard – 2015-04-22T10:50:24.920

1there's a verbose option on the ssh command, I think that might tell you which key files it's actually trying, it has helped me a few times. – Allman – 2015-04-22T11:04:05.437

Answers

the id_rsa.pub can be copied anywhere without any real danger to it. This is your public key, and is meant for things like this. It is one half of a keypair, and sharing it with places you want access to is how you allow the private key to function.

To allow for remote login, your public key needs to be listed in authorized_keys (authorized_keys2 on some systems). One key on each line, in this format:

ssh-rsa AAAIHAVEREMOVEDTHEMAJORITYOFTHEKEYBECAUSEISEENONEEDTOPOSTTHATWALLOFTEXTHERE9yfRjxw== jarmund@jarmint

To achieve this, once you've copied it over, just append it to the authorized_keys file like this: cat id_rsa.pub >> ~/.ssh/authorized_keys

Most sane systems will cowardly refuse to allow you to use key-based login if the .ssh folder has permissions that are too loose. The folder should be 700, so if you're still having problems: chmod 700 ~/.ssh

In addition, files in the .ssh folder should be 600: chmod 600 ~/.ssh

Edit 1:

The file itself, id_rsa.pub is not required itself on the remote server. Only the contents, as part of authorized_keys. I recommend running ssh -vT git@github.com to enable verbose logging, so that you can see exactly what permissions it complains about.

Edit 2:

This means that none of the keys offered matched what the remote server has on file. What you want to be seeing is something like this:

debug1: Offering RSA public key: /home/jarmund/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535

Things to check:

Ensure that one of the private keys is the one that matches the public key that you added to the remote authorized_keys
Ensure that the key matches the username you're trying to log in with (should be the last part of the public key)
Try rename authorized_keys to authorized_keys2

Jarmund

Posted 2015-04-22T10:47:23.690

Reputation: 5 155

Thanks. My public key is listed in ~/.ssh/authorized_keys on the remote server - I've added it using cat ~/.ssh/id_rsa.pub | ssh me@server "cat >> ~/.ssh/authorized_keys". Then sshed to the remote and ran ~$ chmod 700 ~/.ssh and $ chmod 600 ~/.ssh/authorized_keys but still get Permission denied (publickey) when I try to ssh to github. Should I copy the whole id_rsa.pub file across to the remote machine too? – Richard – 2015-04-22T11:27:54.930

@Richard You do not need the file itself there, no. Although I like to keep it in the .ssh folder just in case I need it. But it's not required, it's just something I do. I would recommend running the ssh command described in your question with the -v switch to see exactly which permissions ssh is complaining about. – Jarmund – 2015-04-22T11:29:37.047

Thanks for edit 2. I'm not sure how to do the first bullet point - check that one of the private keys... - what should I do here? – Richard – 2015-04-22T11:39:37.550

On point 2, do you mean the key should match my GitHub username? It doesn't look anything like it :) – Richard – 2015-04-22T11:41:30.823

The thing is I can use this same public key to ssh to and pull from GitHub from my local machine just fine, so GitHub must think it's okay...? – Richard – 2015-04-22T11:42:42.880

I wouldn't know, as I don't use github, so I do not know the username system there. But if I was a gambling man, I'd say this might be the source of the issue. Try editing the username in authorized_keys to see if it helps. To verify a keypair: ssh-keygen -y -e -f <private key> and make sure the output corresponds to the contents in your public key. – Jarmund – 2015-04-22T11:45:06.233

Thanks. There's no private key on the remote server. Should there be? – Richard – 2015-04-22T11:48:59.280

There shouldn't be. The private key should only be on your own machine. – Jarmund – 2015-04-22T11:53:15.817

Ah I see. I ran ssh-keygen -y -e -f ~/.ssh/id_rsa locally and that seemed to match my public key, yes. – Richard – 2015-04-22T12:05:03.383

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/richard/.ssh/id_rsa
debug1: Trying private key: /home/richard/.ssh/id_dsa
debug1: Trying private key: /home/richard/.ssh/id_ecdsa
debug1: No more authentication

According to you debug trace, none of these key files actually exist on the local system, and ssh didn't actually offer any keys to the remote server. Make sure the key you want to use actually exists on the host where you're running ssh, and that the file has the right name. If you want to use a key file other than one of the default files, you have to specify it on the ssh command line:

ssh -i /path/to/some_key -Tv git@github.com

Kenster

Posted 2015-04-22T10:47:23.690

Reputation: 5 474

The key file doesn't exist on the remote server from which I am trying to ssh to github, but it's in authorized_keys. Is this enough or do I need to copy the key file across there too? – Richard – 2015-04-23T20:32:10.863

1authorized_keys is for public keys that will be accepted for incoming connections. You need a copy of the private key file to make an outgoing connection to another host. So yes, one of those key files (id_rsa, etc.) has to be present on the host where you're running ssh. – Kenster – 2015-04-23T21:53:36.960

The -i flag helped me to solve a problem! I copied the ssh folder to another computer and was trying to use remote git, but was rejected. The -i saved the day! – pauljohn32 – 2017-04-22T18:17:58.017

The server needs your private key to authenticate to Github. Your public key, as its name suggests, is considered public so it can't be enough to authenticate.

If you do not need to use Github on the remote server without having connected through ssh, you should use ssh-agent forwarding. A guide for that is available on Github : https://developer.github.com/guides/using-ssh-agent-forwarding/.

Otherwise, you should generate a new key and link it to your account.

user2313067

Posted 2015-04-22T10:47:23.690

Reputation: 2 160

You can directly put the command.

$ cat ~/.ssh/id_rsa.pub

if you have ssh key already present then it will show it. Otherwise it gives error. You need to add new key.

Gauravsingh Patil

Posted 2015-04-22T10:47:23.690

Reputation: 1