By default sshd looks for public keys only in the user's ~/.ssh/authorized_keys (the compiled-in default also lists the legacy ~/.ssh/authorized_keys2). A single file becomes limiting when you need to:
- Separate user-managed keys from system-generated keys
- Automate key deployment without modifying the main file
- Maintain different permission levels for keys
The AuthorizedKeysFile option in sshd_config accepts more than one file (supported since OpenSSH 5.9); sshd tries each one in turn until it finds a matching key:
# In /etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys_generated
Here's how to set this up properly:
# 1. Create the additional key file
touch ~/.ssh/authorized_keys_generated
chmod 600 ~/.ssh/authorized_keys_generated
# 2. Configure sshd (requires root)
sudo nano /etc/ssh/sshd_config
Add or modify the line:
AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_generated
Then restart sshd:
sudo systemctl restart sshd
For more complex scenarios, the %h (home directory) and %u (username) tokens give each user a separate file under a shared layout; paths without a leading slash are relative to the user's home directory:
# Directory-based key files
AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/keys.d/%u
# Network location example
AuthorizedKeysFile .ssh/authorized_keys /mnt/nfs/ssh-keys/%u
- Every listed file must be owned by the user or by root and must not be group- or world-writable; sshd applies the same check to the containing directories while StrictModes is enabled (the default), and chmod 600 is the conventional choice for the file itself
- Put the directive in the global section of sshd_config: sshd uses the first value it reads for a keyword, and a directive placed after a Match line applies only to that block
- Filesystem locations must be secure from unauthorized writes, because anyone who can append to a listed file can log in as that user; a file on NFS is only as trustworthy as the NFS server and every host allowed to mount it
- Consider using AuthorizedKeysCommand for dynamic lookups (for example against an identity provider), which avoids keeping a second file in sync
# Check sshd config syntax
sudo sshd -t
# Verbose logging for authentication
sudo tail -f /var/log/auth.log
The standard SSH authentication mechanism checks keys in ~/.ssh/authorized_keys. Many system administrators need to manage keys from multiple sources while keeping manually managed keys separate from automatically generated ones.
Modern OpenSSH versions (5.9 and later) accept multiple paths in the AuthorizedKeysFile directive in /etc/ssh/sshd_config:
# Allows multiple authorized_keys files
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys_generated
# Alternative absolute path example:
# AuthorizedKeysFile /home/%u/.ssh/authorized_keys /etc/ssh/keys/%u
This tells sshd to check both files in order during authentication.
Both files, and the directory that holds them, must have strict permissions, or sshd will ignore them while StrictModes is on:
chmod 600 ~/.ssh/authorized_keys*
chmod 700 ~/.ssh
Note that the authorized_keys format has no include directive: every file sshd should consult has to be listed in AuthorizedKeysFile. What the format does support is per-key options at the start of each line (such as restrict, from= and command=), which is how different permission levels are expressed for individual keys rather than for whole files.
For multi-user systems, consider this centralized approach, which keeps the key files out of the users' home directories so that users cannot add keys themselves:
# /etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/authorized_keys/%u /etc/ssh/authorized_keys/%u_generated
# Then create the corresponding directory:
mkdir -p /etc/ssh/authorized_keys
sshd reads these files with the user's privileges, so each file must be readable by that user; root-owned files that are world-readable but writable only by root, in a root-owned directory, satisfy both that requirement and the StrictModes ownership check.
After configuration changes:
# Systemd systems:
sudo systemctl restart sshd
# Traditional init systems:
sudo service ssh restart
Test with verbose SSH output:
ssh -v user@host
Check server logs for debugging:
sudo tail -f /var/log/auth.log
# or on RHEL/CentOS:
sudo tail -f /var/log/secure
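The two procedures above (set the directive, lock down the files, validate, restart) are usually applied by hand. The following shell script is an added example, not code from the original page: it rewrites the AuthorizedKeysFile directive idempotently in a copy of sshd_config, keeps it in the global section ahead of any Match block, reads back the value sshd would use, and checks a key file against the ownership and write-permission rules that StrictModes enforces. The function names, the %h/.ssh/authorized_keys_generated path and the /tmp paths in the usage comment are illustrative choices; the script assumes POSIX sh, awk and a stat(1) that is either GNU (-c) or BSD (-f).

```shell
#!/bin/sh
# Added example (not from the original page). Assumes POSIX sh, awk, mktemp
# and GNU or BSD stat.

# Replace the global AuthorizedKeysFile directive in CFG with FILES.
# sshd honours the first value it reads for a keyword, and a directive that
# follows a "Match" line applies only to that block, so the new line is
# written before the first Match block (or at the end if there is none).
# Existing global directives are dropped; those inside Match blocks stay.
set_authorized_keys_file() {
  cfg=$1
  files=$2
  tmp=$(mktemp) || return 1
  awk -v files="$files" '
    BEGIN { done = 0; in_match = 0 }
    tolower($1) == "match" {
      if (!done) { print "AuthorizedKeysFile " files; done = 1 }
      in_match = 1
    }
    tolower($1) == "authorizedkeysfile" && !in_match { next }
    { print }
    END { if (!done) print "AuthorizedKeysFile " files }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps CFG's mode and owner
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Print the value sshd will use for AuthorizedKeysFile: the first global
# directive, stopping at the first Match block. Prints nothing if unset
# (sshd then falls back to its compiled-in default).
get_authorized_keys_file() {
  awk '
    tolower($1) == "match" { exit }
    tolower($1) == "authorizedkeysfile" {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
    }
  ' "$1"
}

# Return 0 if FILE would pass the StrictModes check for the user with UID:
# owned by that UID or by root, and not writable by group or others.
# sshd applies the same test to the containing directories (including the
# home directory); this function checks only the file itself.
key_file_mode_ok() {
  file=$1
  uid=$2
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file" 2>/dev/null) || return 1
  owner=$(stat -c %u "$file" 2>/dev/null || stat -f %u "$file" 2>/dev/null) || return 1
  [ "$owner" = 0 ] || [ "$owner" = "$uid" ] || return 1
  other=${mode#"${mode%?}"}        # last octal digit: permissions for others
  rest=${mode%?}
  group=${rest#"${rest%?}"}        # second-to-last digit: group permissions
  case $group in 2|3|6|7) return 1 ;; esac   # write bit (2) is set
  case $other in 2|3|6|7) return 1 ;; esac
  return 0
}

# Usage (illustrative paths; edit a copy and let sshd -t validate it before
# the live file is touched):
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   set_authorized_keys_file /tmp/sshd_config.new \
#       '%h/.ssh/authorized_keys %h/.ssh/authorized_keys_generated'
#   sudo sshd -t -f /tmp/sshd_config.new \
#       && sudo cp /tmp/sshd_config.new /etc/ssh/sshd_config \
#       && sudo systemctl restart sshd
#   key_file_mode_ok ~/.ssh/authorized_keys_generated "$(id -u)" || echo "fix perms"
```

The awk rewrite matches the keyword case-insensitively, as sshd does, and ignores commented-out lines, so a distribution's default `#AuthorizedKeysFile` comment is preserved while the active directive is replaced exactly once no matter how many times the function runs.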