June 22, 2012

Beginner

How To Set Up SSH Keys

Tagged In: Linux Basics, Security

About SSH Keys


SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long strings of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.

Step One—Create the RSA Key Pair


The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):
ssh-keygen -t rsa

Step Two—Store the Keys and Passphrase


Once you have entered the Gen Key command, you will get a few more questions:
Enter file in which to save the key (/home/demo/.ssh/id_rsa):

You can press enter here, saving the file to the user home (in this case, my example user is called demo).
Enter passphrase (empty for no passphrase):

It's up to you whether you want to use a passphrase.

Entering a passphrase does have its benefits: the security of a key, no matter how encrypted, still depends on the fact that it is not visible to anyone else. Should a passphrase-protected private key fall into an unauthorized user's possession, they will be unable to log in to its associated accounts until they figure out the passphrase, buying the hacked user some extra time. The only downside, of course, to having a passphrase, is then having to type it in each time you use the Key Pair.

The entire key generation process looks like this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/demo/.ssh/id_rsa.
Your public key has been saved in /home/demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.E  |
|        + .  o   |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|      . o + o .  |
|           . o   |
|                 |
+-----------------+

The public key is now located in /home/demo/.ssh/id_rsa.pub

The private key (identification) is now located in /home/demo/.ssh/id_rsa

Step Three—Copy the Public Key


Once the key pair is generated, it's time to place the public key on the virtual server that we want to use.

You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.
ssh-copy-id [email protected]

Alternatively, you can paste in the keys using SSH:
cat ~/.ssh/id_rsa.pub | ssh [email protected] "cat >> ~/.ssh/authorized_keys"

No matter which command you chose, you should see something like:
The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
[email protected]'s password: 
Now try logging into the machine, with "ssh '[email protected]'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Now you can go ahead and log into [email protected] and you will not be prompted for a password. However, if you set a passphrase, you will be asked to enter the passphrase at that time (and whenever else you log in in the future).
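The copy step above, as an added example that is not part of the original tutorial: a function meant to run on the server as the login account, which accepts only a one-line OpenSSH public key, creates ~/.ssh with owner-only permissions and appends the key once. The function names and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): install one OpenSSH public key into
# HOME_DIR/.ssh/authorized_keys safely and idempotently.
# Usage on the server, as the login account:  install_pubkey id_rsa.pub "$HOME"

install_pubkey() {
    pub=$1
    home=$2
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }

    # An OpenSSH public key is ONE line: "<type> <base64> [comment]".
    # PuTTYgen's "---- BEGIN SSH2 PUBLIC KEY ----" export and any private key
    # are multi-line, so they are rejected here instead of being pasted in.
    nlines=$(awk 'NF { n++ } END { print n + 0 }' "$pub")
    if [ "$nlines" -ne 1 ]; then
        echo "expected a single-line OpenSSH public key" >&2
        return 3
    fi
    line=$(awk 'NF { print; exit }' "$pub")
    ktype=$(printf '%s\n' "$line" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    case $ktype in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type: $ktype" >&2; return 3 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "key body is not base64" >&2; return 3 ;;
    esac

    dir=$home/.ssh
    auth=$dir/authorized_keys
    # With sshd's StrictModes check, key files writable by group or others are
    # refused, so set owner-only modes explicitly instead of trusting umask.
    mkdir -p "$dir" || return 4
    chmod 700 "$dir" || return 4
    if [ -d "$auth" ]; then
        echo "$auth is a directory, not a file; remove it first" >&2
        return 4
    fi
    touch "$auth" || return 4
    chmod 600 "$auth" || return 4

    # Idempotent: compare the base64 body, so a changed comment is not a new key.
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi
    # If the last existing entry has no trailing newline, add one so the new
    # key does not get glued onto the previous line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
}

# Demo in a throwaway directory with a constructed, non-functional key line.
demo_install() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedSampleOnly demo@example' > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/home"
    install_pubkey "$d/id_rsa.pub" "$d/home"    # second run adds nothing
    echo "entries after two runs: $(grep -c . "$d/home/.ssh/authorized_keys")"
    rm -rf "$d"
}
demo_install
```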

Optional Step Four—Disable the Password for Root Login

Once you have copied your SSH keys onto your server and ensured that you can log in with the SSH keys alone, you can go ahead and restrict the root login to only be permitted via SSH keys.

In order to do this, open up the SSH config file:
sudo nano /etc/ssh/sshd_config

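Within that file, find the line that includes PermitRootLogin and modify it to ensure that users can only connect with their SSH key. This directive applies only to the root account; password logins for other users are governed by the separate PasswordAuthentication directive. Set it as follows: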
PermitRootLogin without-password

Put the changes into effect:
reload ssh
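A check for the setting above, as an added example that is not part of the original tutorial: it reads an sshd_config and reports what the file actually sets for root and for password logins, including the case where a second PermitRootLogin line is appended after an earlier one. The function names and both sample files are constructed, and the parser assumes the plain "Keyword value" form.

```shell
#!/bin/sh
# Added example (not from the tutorial): report what a given sshd_config sets
# for root login and password authentication. Names here are hypothetical.

# Print the global value of KEYWORD in FILE, or "(default)" when it is unset.
# sshd uses the FIRST value it finds for a keyword, matches keyword names
# case-insensitively, and treats lines after a "Match" line as conditional.
sshd_value() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        { key = tolower($1) }
        key == "match" { exit }             # global section ends here
        key == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# Print one finding per line; return 0 only if the file explicitly prevents
# root from logging in with a password.
audit_sshd_config() {
    root=$(sshd_value "$1" PermitRootLogin)
    pass=$(sshd_value "$1" PasswordAuthentication)
    rc=0
    case $root in
        no)
            echo "root: SSH login disabled" ;;
        without-password|prohibit-password)
            # prohibit-password is the newer spelling of without-password
            echo "root: key-only login" ;;
        forced-commands-only)
            echo "root: key-only login, forced commands only" ;;
        yes)
            echo "root: PASSWORD LOGIN ALLOWED"; rc=1 ;;
        *)
            echo "root: not set explicitly ($root), depends on the sshd default"; rc=1 ;;
    esac
    case $pass in
        no) echo "all users: password authentication disabled" ;;
        *)  echo "all users: password authentication still possible ($pass)" ;;
    esac
    return $rc
}

# Demo on two constructed files: a weak one and a corrected one.
demo_audit() {
    d=$(mktemp -d) || return 1
    # Weak: the appended line never takes effect because the first value wins.
    printf '%s\n' 'PermitRootLogin yes' \
                  'PermitRootLogin without-password' > "$d/weak"
    printf '%s\n' 'PermitRootLogin without-password' \
                  'PasswordAuthentication no' > "$d/fixed"
    for f in weak fixed; do
        echo "== $f"
        audit_sshd_config "$d/$f" || echo "   -> needs attention"
    done
    rm -rf "$d"
}
demo_audit
```

On a live server, `sudo sshd -t` checks the file for errors before you reload, and `sudo sshd -T` prints the configuration sshd will actually use.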

Digital Ocean Addendum


The Digital Ocean control panel allows you to add public keys to your new droplets when they're created. You can generate the SSH Key in a convenient location, such as your computer, and then upload the public key to the SSH key section.

Then, when you create a new VPS, you can choose to include that public key on the server. No root password will be emailed to you and you can log in to your new virtual private server from your chosen client. If you created a passphrase, you will be prompted to enter that upon login.



By Etel Sverdlov


103 Comments

  • Gravatar Matt West over 1 year

    If you don't have ssh-copy-id you can use the following command: cat ~/.ssh/id_rsa.pub | ssh user@machine "cat >> ~/.ssh/authorized_keys"

  • Gravatar Moisey over 1 year

    Hey Matt, Great suggestion, we'll update the article with that.

  • Gravatar jasonlee4848 over 1 year

    Dear Digital Ocean. You guys make the best tutorials. Thank you so much.

  • Gravatar Arjan Dasselaar over 1 year

    Great article, but what if your client is a Windows box and you've generated your public key with Puttygen, then need to transfer it to your VPS? Is there any way to copy-paste the public key, for example using nano? I'd rather not create a completely new server using the 'Addendum' method.

  • Gravatar Moisey over 1 year

    If you are copying the key over to a server you can certainly SSH in and use nano/vi or any other editor and copy and paste it in. Just make sure that the formatting is preserved and no new line characters are added. If I misunderstood the question let me know.

  • Gravatar Arjan Dasselaar over 1 year

    Wow, thanks for the quick reply on a Sunday night :-) I tried that and must have made a mistake as I couldn't get it to work. I had created a way too large DSA key anyway. Since I'm trying to learn anyway, I've decided to recreate a droplet from scratch and get this down before I proceed. I'll try integrating the SSH key through your 'addendum' method next time. I'm assuming I can just copy-paste the entire key, or do I have to omit lines like '---- BEGIN SSH2 PUBLIC KEY ---- Comment: "rsa-key-20130121"?

  • Gravatar Moisey over 1 year

    I think you may be looking at the wrong file possibly, because when the key is created the public one that you should be sharing doesn't have any comments, so you can copy and paste it directly. Please make sure that you are copying and pasting from the file that ends in ".pub"

  • Gravatar Arjan Dasselaar over 1 year

    I'm pretty sure I had the correct file, but to make sure I've put an exact copy/paste on Pastebin: http://pastebin.com/Hzi30uMM Apparently puttygen adds lines Linux doesn't?

  • Gravatar Moisey over 1 year

    On Linux you would get: ssh-dss AAAAB3NzaC1yc2EAAAABJQAAAQEAgj.... user@host That should all be on one line, the ssh-dss portion is because the key was created with dsa instead of rsa. But that's what it should look like and you should paste it in on one line.

  • Gravatar Arjan Dasselaar over 1 year

    Right. Just to make sure I've got everything down correctly: if my username were ocean and my IP were 185.14.185.149, and my key were in ssh2-rsa the correct format would be: ssh-rsa [key with all line breaks removed] [email protected] Which I can then add to the Digital Ocean control panel and will be integrated in any future droplets I create. Correct? Thanks!

  • Gravatar Moisey over 1 year

    When you create the key it will be created with your username@host the key was created on, it's not related to the user / IP you are sshing to. It's also optional and not necessary to be included.

  • Gravatar Arjan Dasselaar over 1 year

    Thanks for the clarification; puttygen does not add username@host data so I was under the impression I would have to manually add it. I'll leave it out then.

  • Gravatar bonan about 1 year

    If you open the private key with puttygen, there's a box with the public key in openssh format http://i.imgur.com/1Cv0kmu.png Copy and paste that into ~/.ssh/authorized_keys

  • Gravatar cvasco about 1 year

    Do the usernames on the client and server have to match? Or are there restrictions on logging into root@server from non-root@client?

  • Gravatar Joel Acevedo about 1 year

    I cannot finish step 3. I get blah blah blah port 22: Connection refused I changed the port as recommended by a previous tutorial.

  • Gravatar p.h.i.l about 1 year

    I tried this on my amazon ec2 virtual machine (running ubuntu 12.10 32-bit server), and on my desktop machine (running ubuntu 12.10 desktop 64-bit) and it does not work. I checked the dir and there is nothing there, and when trying the commands to transfer the key it tells me there were no identities found.

  • Gravatar p.h.i.l about 1 year

    Okay it seems I was successful this time, the only thing I did different is follow the tutorial. The first 2 times I entered a name for the file when asked for a name, and I also did use a password. I'm thinking it's the former that made it not work, not sure why though. Anyhow..

  • Gravatar p.h.i.l about 1 year

    When trying to connect, it asks me for a password and I did not enter one upon configuration. I guess I'm locked out of my virtual machine.

  • Gravatar p.h.i.l about 1 year

    Totally not working for me. I'm rebuilding my virtual machine for the second time.

  • Gravatar adf about 1 year

    Why enable root login over ssh at all? Add your normal admin user to the admin group, or add an entry to the /etc/sudoers file (as described in https://www.digitalocean.com/community/articles/how-to-add-and-delete-users-on-ubuntu-12-04-and-centos-6) and use sudo. If you need full root login, then just use sudo su - root

  • Gravatar matt about 1 year

    One thing to note if you are moving the pub key manually and creating the authorized_keys file is to make sure it has its permissions set to 700. sudo chmod 700 ~/.ssh/authorized_keys

  • Gravatar Christian about 1 year

    Question about the Addendum: if I include my public key, will the root user still have a password? If the answer is no, that means step 4 won't make any difference, correct?

  • Gravatar Etel Sverdlov about 1 year

    If you create the droplet with your SSH keys, the root user will not have a password. If you set the keys up later, the root user will have a password and step four would be helpful.

  • Gravatar Jerry about 1 year

    What are the advantages to uploading the public key to Digital Ocean's Addendum?

  • Gravatar Jerry about 1 year

    Never mind. I found another tutorial.

  • Gravatar nicholas.teeple about 1 year

    On Cent6, I created the .ssh directory as a user and it wouldn't work until I replicated the permissions of root's .ssh directory (755) and authorized_keys file (644).

  • Gravatar Peter Oudenes about 1 year

    When I do this and get locked out of the server, can you still access the server using the console of DigitalOcean within the control panel?

  • Gravatar Ronald Bradford about 1 year

    Remove the need for any editor. $ sudo sed -ie "s/^PermitRootLogin without-password/#&/" /etc/ssh/sshd_config Personally, I would also change PermitRootLogin yes appropriately.

  • Gravatar redteam316 12 months

    If you have configured a different port for ssh(for example, port 54321), then you need to use this instead(with the quotes): ssh-copy-id "[email protected] -p 54321" Can you please update the article?

  • Gravatar Kamal Nasser 12 months

    @Peter Oudenes: Yes. Our remote console does not rely on ssh and will work even if you're locked out of ssh.

  • Gravatar Jamie Schembri 11 months

    How about an option to disable root login upon creation of the droplet? And taking it further, the option to create a new user (e.g. 'admin'), add it to sudoers and give it the public key instead? It sure would save me some time!

  • Gravatar Kamal Nasser 11 months

    @Jamie Schembri Please see the following articles: https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04 https://www.digitalocean.com/community/articles/initial-server-setup-with-centos-6 https://www.digitalocean.com/community/articles/initial-server-setup-with-arch-linux

  • Gravatar Rey Haynes 11 months

    Thanks @nicholas.teeple! For CentOS 6, Instead of permissions 700 for ~/.ssh and 600 for ~/.ssh/authorized_keys....I had to set them to 755 and 644 respectively.

  • Gravatar weeleetan 10 months

    After I followed the tutorial, when I tried to ssh using terminal it showed this: "Agent admitted failure to sign using the key." And it prompts me for a password. Can anyone help?

  • Gravatar Kamal Nasser 10 months

    @weeleetan Try running the 'ssh-add' command locally and then try to ssh in again.

  • Gravatar kevin.purnelle 9 months

    Hello, I've followed the instructions but I don't get any reply from the server in step 3 when I add the public key. I use the 'cat' method because osx does not have 'ssh-copy-id' I've generated new keys and given another name to the files. The copy of the public key seems to be ok though. I've checked authorized_keys on the server and it's in there. But then, when I ssh [email protected] I'm prompted for the password. Any idea?

  • Gravatar Kamal Nasser 9 months

    @kevin.purnelle: What's the output of the following command?

    ssh -vvv user@yourdroplet

  • Gravatar kevin.purnelle 9 months

    @Kamal Thanks to your comment I could solve the problem. The output was very long so I decided to look for an answer before posting. Here I'm going to describe my steps as an SSH noob. I think it can be useful for any beginner like me.

    So, after running the above command:

    ssh -vvv user@yourdroplet

    I saw something about identity files. When I created the key, I specified a different rsa filename for Digital Ocean: digitalo_rsa instead of the default one. (I use it for something else) -> There was no mention of it. So after looking a little, I found two things.

    1) One can select an identity file when calling ssh like this:

    ssh -i /path/to/key_rsa user@mydroplet

    (and it works, I wasn't asked for password)

    2) One can create a config file (well, it's nicer than the command in 1). You have to go to your ~/.ssh folder and create a file named 'config'. In there, you can add something like this:

    Host example.com
        HostName example.com
        User root
        IdentityFile ~/.ssh/digitalo_rsa

    You can add as many of these blocks as needed if you use various keys. Then you can simply

    ssh example.com

    ;) main source: http://ivetetecedor.com/how-to-set-up-an-ssh-config-file-in-mac-os-x/

  • Gravatar Kamal Nasser 9 months

    @kevin.purnelle: That is correct. Trust me, knowing how to look stuff up online can be really useful later on :D

  • Gravatar Julian Wiegmann 9 months

    Hi, there should be an article that explains how to setup users + sudo + SSH key authentication and disable password authentication altogether + fail2ban + disable root login Just to keep it simple for people who don't really know what they are doing :)

  • Gravatar Kamal Nasser 9 months

    @Julian: Re: users, sudo, SSH key auth, disabling root login; We have an article on that: https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04 :] As for fail2ban: https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04 You can disable password authentication by editing /etc/ssh/sshd_config and setting the PasswordAuthentication directive to 'no'.

  • Gravatar tanin.cs07 8 months

    What should I do, as I have forgotten my passphrase? How do I retrieve my old passphrase, or how do I remove the old one and create a new key pair? I am in danger, please help me.

  • Gravatar Kamal Nasser 8 months

    @tanin.cs07: You can't retrieve a key's passphrase. The only options you have are:
    1) Remember the passphrase
    2) Generate a new ssh key pair

    Back up your current ssh key:

    mv ~/.ssh/id_rsa ~/.ssh/id_rsa.bak
    rm ~/.ssh/id_rsa.pub
    Generate a new ssh key pair (this time, make sure you specify a passphrase you won't forget):
    ssh-keygen -t rsa
    Reset your droplet's root password using our control panel, log in to your droplet through the console, set PermitRootLogin to yes (Step 4), restart ssh and run this command locally (on your computer):
    ssh-copy-id root@droplet'sIP
    Then log back in to your droplet via SSH and redo Step 4 (set it to without-password and restart ssh). You should now be able to access your droplet.

  • Gravatar gamesandgadgetz 8 months

    I'm using cygwin terminal to generate my public key but it returns a " -bash: ssh-keygen:? command not found " error please help

  • Gravatar Kamal Nasser 8 months

    @gamesandgadgetz: Install the openssl cygwin package.

  • Gravatar annanagy49 7 months

    password using our control panel, log in to -" error please help,,ssh-keygen:? access your droplet.

  • Gravatar annanagy49 7 months

    Reset your droplet's root password using - my public key but it returns a " -mv ~/.ssh/id_rsa ~/.ssh/id_rsa.bak

  • Gravatar annanagy49 7 months

    : users, sudo, SSH key auth, disabling root login; We have an article on that: specified a different rsa filename for Digital Ocean. digitalo_rsa instead of the default one. (I use it for something else) -> There was no mention of it.Warning: Permanently added '12.34.56.78'

  • Gravatar santoshss 7 months

    Thanks much for explaining in detail. I Was having idea about algorithms on public key and private key. When you explained conceptually on client and servers I got an overview about it in a very quick short of time. Thanks again

  • Gravatar Kamal Nasser 7 months

    @annanagy49: I'm not sure what you mean -- can you please explain in one comment?

  • Gravatar nadrattia 7 months

    thanks

  • Gravatar ikennaokpala 7 months

    Create an alias like this: alias ssh-copy="cat ~/.ssh/id_rsa.pub | ssh $1 'cat >> ~/.ssh/authorized_keys'" use like this ssh-copy [email protected]

  • Gravatar gareth 6 months

    ssh-copy-id isn't on OSX (ML) - but there's a great article here: http://www.jacobtomlinson.co.uk/2013/01/24/ssh-copy-id-os-x/ which tells you how to install it….

  • Gravatar info 6 months

    I have done exactly as in the tutorial, copied the content of the Public Key to authorised_keys, but I am still getting a password prompt when I login via ssh. What is wrong?

  • Gravatar Kamal Nasser 6 months

    @info: Is it authorised_keys or authorized_keys?

  • Gravatar info 6 months

    it is authorized_keys, sorry for mistake here. I got my root account working with SSH (with no password) but for my second user (not root) it does not work. How to make this work with my second user? Can I use the same public key?

  • Gravatar Kamal Nasser 6 months

    @info: You can use the same public key, just make sure that the second authorized_keys is in /home/youruser/.ssh.

  • Gravatar info 5 months

    Yes, I did that several times with no luck. I have put the public key in the user's authorized_keys folder and still got a prompt for a password. There is nothing I can find in the logs related to auth failure...

  • Gravatar Roger Qiu 5 months

    I was trying to do this by adding an ssh key to an existing droplet. My first droplet had a password emailed to me. However after I added the key using cat .ssh/id_rsa.pub | ssh [email protected] "cat >> ~/.ssh/authorized_keys" but I still get prompted for that original password? This was on Windows using the github provided command line. I decided to destroy the server and restart using the GUI. Any help?

  • Gravatar Roger Qiu 5 months

    Oh I had to use ssh-add the key on the client.

  • Gravatar Dan Bohea 5 months

    cat .ssh/id_rsa.pub | ssh [email protected] "cat >> ~/.ssh/authorized_keys" should probably be changed to cat ~/.ssh/id_rsa.pub | ssh [email protected] "cat >> ~/.ssh/authorized_keys" (added "~/" prefix to ".ssh/id_rsa.pub")

  • Gravatar Kamal Nasser 5 months

    @Dan: Updated. Thanks!

  • Gravatar miklb 5 months

    Just a note on Debian, reload isn't recognized, had to use `sudo /etc/init.d/ssh restart`

  • Gravatar Ryan Foote 5 months

    I tried copying the key and got the following error: /home/user/.ssh/authorized_keys: Is a directory How did that happen and what do I do?

  • Gravatar Kamal Nasser 5 months

    @Ryan: Check if there are any files in it and if not you can safely remove it:

    sudo rm -r /home/user/.ssh/authorized_keys
    and then recreate it properly as a file.

  • Gravatar tim 5 months

    assuming I have my keys set up, what do I use for user and host names in my SFTP client? (transmit) I have other ssh keys set up fine with transmit but can't get this to work.

  • Gravatar Kamal Nasser 5 months

    @tim: Simply enter the username that you added the SSH key to and your droplet's IP as the host.

  • Gravatar alikkalfizal 5 months

    There is no help here for a Windows user for ssh login. Can y

  • Gravatar Pablo of vDevices.com 5 months

    @alikkalfizal, What are you talking about, Willis? Check out How To Create SSH Keys with PuTTY to Connect to a VPS | DigitalOcean.

  • Gravatar administrador 4 months

    Couldn't enable so I rebuilt it and did the following steps: 1) Follow step 1-4 of this tutorial (https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04) 2) Enable SSH Key Everything works great.

  • Gravatar Mark_Cheshire 4 months

    It was driving me crazy for ages that I still needed to use a password after setting up the SSH keys. I even lost a precious AMS droplet, because I wanted to redo everything from scratch. The final solution after trial and error, was that authorized_keys was not the same as the public key in my client. I deleted authorized_keys and instead of using ssh-copy-id, I used the alternative "cat" method. That worked perfectly first time.

  • Gravatar hugoferreira.pt 4 months

    I kept getting a "file does not exist" error using the cat command... I ended up using this command instead, makes sense since I think I had to make the authorized_keys folder: cat ~/.ssh/id_rsa.pub | ssh "(cat > tmp.pubkey ; mkdir -p .ssh ; touch .ssh/authorized_keys ; sed -i.bak -e '/$(awk '{print $NF}' ~/.ssh/id_rsa.pub)/d' .ssh/authorized_keys; cat tmp.pubkey >> .ssh/authorized_keys; rm tmp.pubkey)" here's the source: http://www.commandlinefu.com/commands/view/10228/...if-you-have-sudo-access-you-could-just-install-ssh-copy-id-mac-users-take-note.-this-is-how-you-install-ssh-copy-id- hope it helps someone, and thx for the nice tutorials making life easier for a noob like me :D

  • Gravatar Asendia Mayco 3 months

    While SSH Key is indeed more secure, this top answer shed some light http://security.stackexchange.com/questions/33381/ssh-password-vs-key-authentication

  • Gravatar alex 3 months

    You make great tutorials, but you start by recommending changing the ssh port, and that makes it impossible to send the ssh key to the remote host using the method you provide here... Likewise, you recommend disabling root login but don't provide any solution for how to manage files using an sftp client, where you can't "su root" to see the files.

  • Gravatar sharondio 3 months

    I've confirmed that my keys are in the authorized_keys file for both root (~/.ssh/authorized_keys) and my created user (/home/[myname]/.ssh/authorized_keys). But I still can't login without password. Very frustrated.

  • Gravatar sharondio 3 months

    OK, finally got a 'nix friend to help out. What I needed to do was to login with: ssh -i ~/.ssh/digitalocean_rsa user@host I'm on MacOS Mavericks and my droplet is Ubuntu 12.04.3. I generated a separate key name for this and I needed to confirm that this key was in my known_hosts file on my client machine. But none of it worked until I did the login passing in my private key and it added it to my Mac keychain.

  • Gravatar codetempo 3 months

    Is it possible to do this with a new user account and not the root? i was trying to do this on a new user, thanks

  • Gravatar Kamal Nasser 2 months

    @codetempo: Yes, it's possible to do it on a regular user account.

  • Gravatar Dvid Silva 2 months

    There's a very cool port of ssh-copy-id for osx

  • Gravatar Dvid Silva 2 months

    in :) https://github.com/beautifulcode/ssh-copy-id-for-OSX * sorry

  • Gravatar kheel 2 months

    How can I set it up to allow both SSH SFTP and SSL SFTP? I'm trying to install a wordpress template and it doesn't like SSH SFTP, only SSL SFTP.

  • Gravatar mads 2 months

    I 'm trying to copy the Public key to my droplet using: ssh-copy-id [email protected] -p1234 It results in this timeout: connect to host 111.222.333.444 port 22: Operation timed out I have setup a basic firewall vith iptable restrictions using the D.O. guide. Port 1234 has been setup as a SSH exception following the D.O. guide. Seems like the request for the designated SSH port 1234 gets ignored as it defaults to port 22. Any ideas?

  • Gravatar digital.ocean 2 months

    Thanks, nicholas.teeple on your suggestion. I finally got putty to authenticate my new user properly by setting permissions: ~/.ssh to 755 and ~/.ssh/authorized_keys to 644

  • Gravatar Kamal Nasser 2 months

    @mads: Check out http://unix.stackexchange.com/questions/29401/is-it-possible-to-run-ssh-copy-id-on-port-other-than-22.

  • Gravatar foykes about 1 month

    HI, thank you for article. If I added one ssh key, how I can add another computer? Sorry for this question - I'm new to this

  • Gravatar Kamal Nasser about 1 month

    @foykes: Simply append the second ssh key to the authorized_keys file (on a new line).

  • Gravatar benjispeer about 1 month

    On my home computer I successfully created the keys, but then when I used the copy id it told me "no identities found"

  • Gravatar gert.van.oss about 1 month

    Maybe a step mkdir ~/.ssh on the host should be added, as this directory is not available from scratch when a new user has been added (it is mentioned somewhere above but not too clear imho).

  • Gravatar james mcfarland about 1 month

    I expect I'll be working with multiple machines using SSH, as I like this way of doing things (oh yeah, I'm a linux noob)...so although I've never seen anyone recommend this, I've been naming my ssh key files by prepending a name that helps me understand what the key is for (as I expect to have multiple in my ~/.ssh folder). Something to remember when doing this >>> Use the -i option to point to the correct key files when signing in via ssh (see man ssh for details). One more thing, if you are having trouble signing in, use the -vvv option (per William at DO - thanks William) - it will show you lots of stuff, and that's how I figured out I need to specify the name of the key file (it was assuming the standard id_rsa) These tutorials are great btw.

  • Gravatar info about 1 month

    I am on Windows and can't do the ssh-copy-id. I am using the second method but I get a 'cat: /home/username/.ssh/authorized_keys: No such file or directory' error. I created the .ssh dir, but I am getting the same message. I also created an authorized_keys dir, but still the same.

  • Gravatar ben about 1 month

    This will not work unless the permissions are correct. Check with these commands on your Droplet. Of course, replacing 'user' with your username: chown -R user ~user/.ssh chmod -R go-rwx ~user/.ssh

  • Gravatar Enrique Moreno about 1 month

    If you disable the login through password, and for some reason you lost your public key (for instance, the HD of your laptop broke), how would you log in back again? Wouldn't you be locked out of your VPS?

  • Gravatar Kamal Nasser 25 days

    @Enrique: You can use the Remote Console to log in to your droplet as it connects to it through the hypervisor so you can use it even if you're locked out.

  • Gravatar Sam Hagan 24 days

    I had no issues creating the key and using ssh-copy-id, but for some reason i'm not being asked for the passphrase i set in order to log on. Is there something i need to do to get this part to work?

  • Gravatar jenny33 23 days

    There is an article about SSH login without password which in very detailed explanation. http://namhuy.net/2433/ssh-login-without-password.html which one you prefer dsa or rsa?

  • Gravatar digitalocean 23 days

    For beginners on a Mac I would recommend this tutorial: http://content2zero.com/setting-ssh-keys-access-cpanel-controlled-web-site-mac

  • Gravatar a.starr.b 21 days

    @jenny33 RSA is generally the preferred choice these days.

  • Gravatar Erich Szabó 20 days

    I would add that "PermitRootLogin without-password" only applies to root exclusively, and no other users, which is misleading, because all users are mentioned in the article: "Within that file, find the line that includes PermitRootLogin and modify it to ensure that users can only connect with their SSH key:" I tested myself, you can still log in with a password for non-root users, hence brute-force attacks are possible. To disable password authentication, you must uncomment this line: PasswordAuthentication no

  • Gravatar sunil 14 days

    I'm having an issue: I've got these lines in my ssh_config: PermitRootLogin no PasswordAuthentication no DenyUsers root I _have_ restarted ssh. Yet, root is still able to login. And if root logs in, a password is requested. What could be going on here?

  • Gravatar Kamal Nasser 14 days

    @sunil: Are you able to log in if you enter root's password?

  • Gravatar zaid.atq 7 days

    i am trying to connect my windows laptop to linux server in which If i created the key from linux and copied into windows and made a private and public key then windows machine is not going to connect to whom from where we generated the key but i may connect to the rest of PC connected in lan parallely with linux machine from where we generate the key i don't understand how to resolve this problem plz can any body help me

  • Gravatar Andrew SB 6 days

    @zaid.atq: If you're trying to connect to your Linux server from your Windows laptop, you can use Putty to generate the SSH keys on the laptop itself. Check out this tutorial: https://www.digitalocean.com/community/articles/how-to-create-ssh-keys-with-putty-to-connect-to-a-vps

  • Gravatar adam 5 days

    Bookmarked! Please don't go down, ever :-)
