SSH Key Auth Explained: authorized_keys vs. authorized_keys2 – Legacy Compatibility & Modern Best Practices


Back in early OpenSSH versions (pre-6.7), authorized_keys2 existed as a separate file to handle SSH protocol version 2 keys, while authorized_keys handled version 1. Here's what you'd typically find in each:

# ~/.ssh/authorized_keys (SSHv1 format)
1024 37 169143219... user@host

# ~/.ssh/authorized_keys2 (SSHv2 format)
ssh-rsa AAAAB3Nz... user@host

Since OpenSSH 6.7 (released in 2014):

  • authorized_keys2 is deprecated
  • All keys now go in ~/.ssh/authorized_keys
  • The file handles both key formats automatically

Modern authorized_keys entries support enhanced features:

# Restrict command execution
command="/usr/bin/rbash" ssh-rsa AAAA... user@host

# Set environment variables (honored only when PermitUserEnvironment is enabled in sshd_config)
environment="PATH=/usr/local/bin" ssh-ed25519 AAAA... user@host

# Port forwarding restrictions
no-port-forwarding,no-X11-forwarding ssh-rsa AAAA... admin@host

If you find an old authorized_keys2, merge it safely:

cat ~/.ssh/authorized_keys2 >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm ~/.ssh/authorized_keys2

  1. Use only authorized_keys
  2. Prefer Ed25519 keys over RSA where possible
  3. Always set strict permissions:
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    

In early SSH implementations (OpenSSH before version 3.0), both authorized_keys and authorized_keys2 files existed to handle different key formats:

# Example of traditional authorized_keys format
ssh-rsa AAAAB3NzaC1yc2E... user@host
# Example of (now deprecated) authorized_keys2 format
keytype base64-data comment

The primary distinction was that:

  • authorized_keys stored keys in SSH protocol 1 format (RSA1)
  • authorized_keys2 handled SSH protocol 2 keys (DSA/RSA)

Since OpenSSH 3.0 (released in 2001), authorized_keys2 has been deprecated. Modern systems should:

  1. Use only ~/.ssh/authorized_keys
  2. Configure sshd_config with:
    Protocol 2
    AuthorizedKeysFile .ssh/authorized_keys

If you encounter legacy systems with both files, merge them with:

cat ~/.ssh/authorized_keys2 >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
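
A more careful version of the merge above (it also covers the earlier merge-and-remove steps), given here as an added example that is not part of the original page: it backs up authorized_keys, guards against a missing trailing newline, and skips entries that are already present. The function names and the CONSTRUCTED key strings are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: merge a legacy authorized_keys2 into authorized_keys.
# merge_authorized_keys2 and make_sample_ssh_dir are hypothetical helper names.

merge_authorized_keys2() {
    local dir="${1:-$HOME/.ssh}"
    local old="$dir/authorized_keys2" new="$dir/authorized_keys" line
    [ -f "$old" ] || return 0                 # nothing to merge

    touch "$new"
    cp -p "$new" "$new.bak"                   # keep a copy of the pre-merge file

    # A plain `cat >>` glues two keys onto one line when the target file
    # lacks a trailing newline, so add one first if needed.
    if [ -s "$new" ] && [ -n "$(tail -c 1 "$new")" ]; then
        printf '\n' >> "$new"
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac    # skip blanks and comments
        # Append only entries that are not already present as an identical line.
        grep -Fxq -- "$line" "$new" || printf '%s\n' "$line" >> "$new"
    done < "$old"

    chmod 700 "$dir"
    chmod 600 "$new"
    rm -f -- "$old"
}

# Builds a throwaway directory with constructed (non-functional) key entries.
make_sample_ssh_dir() {
    local d
    d="$(mktemp -d)"
    # Existing file deliberately has no trailing newline.
    printf 'ssh-ed25519 AAAAC3CONSTRUCTED1 alice@host' > "$d/authorized_keys"
    printf '%s\n' '# legacy file' \
        'ssh-ed25519 AAAAC3CONSTRUCTED1 alice@host' \
        'no-port-forwarding ssh-rsa AAAAB3CONSTRUCTED2 bob@host' > "$d/authorized_keys2"
    printf '%s\n' "$d"
}
```

Duplicates are detected by exact line match, so the same key with different options or a different comment is kept as a separate entry and should be reviewed by hand.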

Modern SSH implementations provide better security through per-key restrictions in authorized_keys:

# Example of modern authorized_keys entry with restrictions:
restrict,command="/usr/bin/rrsync" ssh-rsa AAAAB3NzaC... backup-user

Always verify file permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys