authorized_keys

The ~/.ssh/authorized_keys file is a configuration file (not a command) that specifies which SSH public keys are allowed to log into a user's account without a password. Each line of the file contains one public key, and the SSH server uses the file to authenticate users via public key authentication.

Quick Reference

File:

~/.ssh/authorized_keys

Category:

networking

Platform:

Linux/Unix

Entry format (one key per line):

[options] key-type base64-key [comment]

Common Use Cases

    Syntax

    Located at: ~/.ssh/authorized_keys

    Options

    Option - Description
    command="command" - Forces a specific command to be executed when this key is used for authentication
    from="pattern-list" - Restricts logins with this key to come from specified host names or IP addresses
    no-port-forwarding - Prevents TCP port forwarding when authenticated with this key
    no-agent-forwarding - Disables authentication agent forwarding for this key
    no-X11-forwarding - Prevents X11 forwarding when authenticated with this key
    no-pty - Prevents allocation of a pseudo-terminal when authenticating with this key
    no-user-rc - Prevents execution of ~/.ssh/rc by ssh when authenticating with this key
    permitopen="host:port" - Restricts port forwarding to specified destination only
    environment="NAME=value" - Sets environment variables when this key is used for login

    Examples

    Basic Structure:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQ... user@hostname

    A standard entry contains a public key (typically RSA, DSA, ECDSA, or Ed25519) and an optional comment.

    With Options:

    command="only-this-command",from="trusted-host.example.com" ssh-rsa AAAAB3NzaC1yc2EAAAADAQ... restricted-access

    You can prefix keys with options to restrict access or force specific commands.

    Adding a Key Manually:

    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQ... user@hostname" >> ~/.ssh/authorized_keys

    Manually append a public key to the authorized_keys file.

    Setting Permissions:

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys

    Set the proper restrictive permissions for the .ssh directory and authorized_keys file.

    Using ssh-copy-id:

    ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote-host

    A safer way to add your key to a remote host's authorized_keys file.

    Restricting to Specific Commands:

    command="rsync --server -logDtprze.iLsfx . /backup/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQ... backup-only

    Restrict the key to only execute a specific command when used for login.

    Restricting Source IP Addresses:

    from="192.168.1.0/24,10.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQ... network-restricted

    Only allow connections from specific IP addresses or networks.

    Multiple Restrictions:

    no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="internal-sftp" ssh-rsa AAAAB3NzaC1yc2EAAAADAQ... sftp-only

    Combine multiple restrictions to tightly control access.
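
An added example (not from the original page): a Python parser for the entry format shown above that splits the option list from the key and flags entries with a damaged key blob, no command= or from= restriction, or no comment. The findings, function names and sample lines are choices made for this example; the sample key blobs are constructed placeholders, and only the key types listed in KEY_TYPES are recognised.

```python
import base64
import re
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# name, optional ="quoted value" (may hold commas/spaces), then "," or whitespace
OPTION = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|\s+)')

def parse_entry(line):
    """Return (options, key_type, blob, comment); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, pos = {}, 0
    while not line.startswith(KEY_TYPES, pos) and (m := OPTION.match(line, pos)):
        options[m.group(1)] = m.group(2)          # value is None for bare flags
        pos = m.end()
    key_type, blob, comment = (line[pos:].split(None, 2) + ["", ""])[:3]
    return options, key_type, blob, comment

def audit(line):
    """List findings for one line, following the notes on this page."""
    entry = parse_entry(line)
    if entry is None:
        return []
    options, key_type, blob, comment = entry
    findings = []
    try:
        raw = base64.b64decode(blob, validate=True)
        (n,) = struct.unpack(">I", raw[:4])       # blob begins with its own type name
        if raw[4:4 + n].decode() != key_type:
            findings.append("key type does not match blob")
    except (ValueError, struct.error):
        findings.append("key blob truncated or corrupted")
    if not {"command", "from"} & options.keys():
        findings.append("no command= or from= restriction")
    if not comment:
        findings.append("no owner/purpose comment")
    return findings

def sample_blob(key_type):  # constructed placeholder blob, not a usable key
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + bytes(32)).decode()

# Constructed sample lines; ELIDED is this page's example key with its "..." left in.
RESTRICTED = ('command="rsync --server . /backup/",from="192.168.1.0/24,10.0.0.1",'
              'no-pty ssh-ed25519 ' + sample_blob("ssh-ed25519") + " backup-only")
BARE = "ssh-rsa " + sample_blob("ssh-rsa")
ELIDED = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQ... user@hostname"
```

Calling audit() on each line of a real file gives a per-key review list; a key copied with a line break or missing characters shows up as a corrupted blob.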

    Notes

    File Purpose and Function:

    • The authorized_keys file is a security mechanism that allows passwordless SSH access to a server
    • It contains a list of public keys that are allowed to authenticate without a password
    • Each user on a system has their own authorized_keys file in their ~/.ssh/ directory
    • The SSH server (sshd) checks this file during login attempts using public key authentication
    • If a connecting client's key matches an entry in this file, access is granted without a password

    Security Considerations:

    • File Permissions: The authorized_keys file should have 600 permissions (owner read/write only)
    • Directory Permissions: The ~/.ssh directory should have 700 permissions (owner read/write/execute only)
    • Home Directory: Some SSH server configurations require the user's home directory to not be writable by other users
    • Regular Auditing: Regularly review the authorized_keys file to remove unused or unauthorized keys
    • Key Restrictions: Consider using the options feature to limit what each key can do
    • Server Configuration: Ensure that PubkeyAuthentication is enabled in /etc/ssh/sshd_config
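
An added example (not part of the original page) that checks the home directory, ~/.ssh and authorized_keys against the ownership and mode recommendations above. The function name check_ssh_permissions and the wording of its results are chosen for this illustration.

```python
import os
import stat

# Most permissive modes this page recommends, relative to the home directory.
EXPECTED = {".ssh": 0o700, ".ssh/authorized_keys": 0o600}

def check_ssh_permissions(home, uid=None):
    """Return (path, problem) pairs for home, ~/.ssh and authorized_keys."""
    uid = os.getuid() if uid is None else uid
    problems = []
    # Home directory: must not be writable by group or others.
    if stat.S_IMODE(os.stat(home).st_mode) & 0o022:
        problems.append(("~", "writable by group or others"))
    for rel, allowed in EXPECTED.items():
        try:
            st = os.stat(os.path.join(home, rel))
        except FileNotFoundError:
            problems.append(("~/" + rel, "missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid:
            problems.append(("~/" + rel, f"owned by uid {st.st_uid}, not {uid}"))
        if mode & ~allowed:                      # any bit beyond the recommended mode
            problems.append(("~/" + rel, f"mode {mode:o} is wider than {allowed:o}"))
    return problems

if __name__ == "__main__":
    for path, problem in check_ssh_permissions(os.path.expanduser("~")):
        print(f"{path}: {problem}")
```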

    Key Management Best Practices:

    • Use descriptive comments at the end of each key to identify its owner and purpose
    • Implement a process for adding and revoking keys when employees join or leave
    • Consider using a configuration management tool (like Ansible, Puppet, or Chef) to manage keys at scale
    • Rotate keys periodically for critical systems
    • Keep private keys secure with strong passphrases and proper file permissions
    • Consider using SSH certificates instead of authorized_keys for large deployments

    Troubleshooting:

    • Permission Denied Errors: Check file permissions on both ~/.ssh/ and ~/.ssh/authorized_keys
    • Log Files: Check /var/log/auth.log or /var/log/secure for SSH connection issues
    • Debug Mode: Run SSH with -v, -vv, or -vvv for increasing levels of verbosity to diagnose issues
    • Key Format: Ensure the public key is in the correct format without line breaks or corruption
    • Server Configuration: Verify that public key authentication is enabled in sshd_config
    • SELinux/AppArmor: Security modules might prevent access to authorized_keys files

    Common Use Cases:

    • Automated Backups: Allow backup scripts to connect without passwords
    • Secure File Transfers: Enable passwordless SFTP or SCP for file transfers
    • CI/CD Pipelines: Allow deployment systems to connect to servers
    • System Administration: Enable administrators to access multiple systems without typing passwords
    • Restricted Access: Provide limited access to certain users by restricting what their keys can do
    • Jump Hosts: Configure bastion hosts that allow access to internal networks

    Related Files and Commands:

    • ~/.ssh/id_rsa.pub - The public key file generated by ssh-keygen
    • ~/.ssh/id_rsa - The corresponding private key (keep this secure!)
    • ~/.ssh/config - Client configuration file for SSH connections
    • /etc/ssh/sshd_config - Server configuration for the SSH daemon
    • ssh-copy-id - Command to install your public key in a remote machine's authorized_keys
    • ssh-keygen - Command to generate SSH key pairs

    Related Commands

    • ssh
    • ssh-keygen
    • ssh-copy-id
    • ssh-agent
    • ssh-add
    • scp
    • sftp