> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/ssh/key-based-authentication/trick-0339.md).

# Lateral Movement via SSH Key

***

First, check standard locations for SSH private keys, typically within a user's home directory under `.ssh/`. A common filename is `id_rsa`. By default, the keys are generated in the `~/.ssh/` directory with the private key saved as `id_rsa`.

```bash
cat /home/user/.ssh/id_rsa
```

Copy the content of the private key file. Save it locally (e.g., as `id_rsa`). Before using it, ensure its permissions are set correctly on your attacking machine. For a private key file, the recommended permission is `600`.

```bash
chmod 600 id_rsa
```

Permissions `0600` (`rw-------`) means the owner has read and write permissions, but nobody else can access the file. If permissions are too open, such as `0644`, it means the owner has read and write permissions, while the group and others only have read permissions. This is considered too open for a private key file, as it allows others to read the sensitive key data.

Now, use the saved private key file with the `ssh -i` flag to attempt authentication as the user the key belongs to.

```bash
ssh -i id_rsa user@target_host
```
