December 3, 2012

Beginner

How To Use SSH Keys with DigitalOcean Droplets

Background

Note: This guide is for Mac OS X and Linux users. If you are using Windows on your home computer, follow this guide instead.

Usually, when you spin up your DigitalOcean droplets, you get an email as soon as the process completes, letting you know the droplet’s IP address and password. Although this email is very convenient, there is a more secure (and faster) way of gaining access to your server without the need for email. This can be done by setting up SSH keys.

An SSH key pair consists of a private key that stays on your computer and a public key that you place on the server; the server lets you log in when your client proves that it holds the private key matching a public key the server has on file. While a password can eventually be cracked with a brute-force attack, SSH keys are nearly impossible to crack by brute force alone. You can create new DigitalOcean droplets with an SSH key already set up on them by adding your computer's SSH key to the control panel.

Step One—Create the RSA Key Pair

The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):
ssh-keygen -t rsa

Step Two—Store the Keys and Passphrase

Once you have entered the ssh-keygen command, you will be asked a few more questions:
Enter file in which to save the key (/demo/.ssh/id_rsa):

You can press Enter here, saving the key to the user's home directory (in this case, my example user is called demo).
Enter passphrase (empty for no passphrase):

It's up to you whether you want to use a passphrase. A passphrase encrypts the private key on disk, so a copy of the file alone is not enough to log in; without one, anyone who obtains the file can use it.

The entire key generation process looks like this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/demo/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /demo/.ssh/id_rsa.
Your public key has been saved in /demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.E  |
|        + .  o   |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|      . o + o .  |
|           . o   |
|                 |
+-----------------+

The public key is now located in /demo/.ssh/id_rsa.pub

The private key (identification) is now located in /demo/.ssh/id_rsa

Step Three—Copy the SSH Keys

Once you have your SSH key set up, it is time to copy it into your control panel. Open the SSH Page and click on the Create a New SSH Key button.

A popup should appear (screenshot: SSH key popup).

For the section labeled "Name", write in the name of the machine that you created the key pair on (e.g. "Home Computer").

For the section labeled "Public SSH Key", copy and paste the public key that you created in Step 2.

You can usually get this key by copying the output of:
cat ~/.ssh/id_rsa.pub

Click on Save.

Step Four—Spin Up a New Server

The previous steps have prepared a key that new droplets can be created with pre-installed. You cannot, however, use the control panel to add keys to already created droplets.

In order to add additional keys to pre-existing droplets, you can append your public key to root's authorized_keys file over SSH (you will be asked for the root password this one time, and the ~/.ssh directory must already exist on the droplet):
cat ~/.ssh/id_rsa.pub | ssh root@[your.ip.address.here] "cat >> ~/.ssh/authorized_keys"
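The one-liner above appends blindly and fails if ~/.ssh does not yet exist on the droplet. The POSIX shell function below is an added example, not part of the original tutorial: it does the same job on the server side, but creates the directory with the permissions sshd's StrictModes check expects, refuses input that is not a public-key line, and skips a key that is already present. The function name and the sample key are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): idempotent, permission-safe
# replacement for `cat >> ~/.ssh/authorized_keys`.
# Usage (on the server): add_authorized_key "<one OpenSSH public-key line>" [ssh_dir]

add_authorized_key() {
    key="$1"
    dir="${2:-$HOME/.ssh}"
    file="$dir/authorized_keys"

    # Accept only something shaped like "<type> <base64> [comment]".
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) ;;
        *) echo "refusing to install: not an OpenSSH public key line" >&2; return 2 ;;
    esac

    # sshd ignores authorized_keys that are group/world writable (StrictModes).
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"

    # Compare on type + key material only, so a changed comment is not a new key.
    keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$file" | grep -qxF "$keyid"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo "installed"
}
```

To use it from the client, send the function definition and a call through the same ssh pipe as the tutorial's one-liner, with the contents of ~/.ssh/id_rsa.pub as the argument.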

When actually spinning up a new server, select the keys that you would like installed on your server from the "Create a Droplet" screen. You can select as many keys as you like:

(screenshot: ssh key shortcut)

Once you click on the SSH key, the text saying, "Your root password will be emailed to you" will disappear, and you will not receive an email confirmation that your server has been created.

Step Five—Connect to your Server

After you have created your server with the SSH keys pre-installed, you can connect to it the same way as before:
ssh root@[your.ip.address.here]

However, now when you connect from the machine that holds the private key, there will be no need to enter a password to log in as root.

Step Six—Lockdown Root SSH Access to Keys Only

After you have confirmed that you can log in as root without being prompted for a password, you can disable password logins for root. This makes your server more secure, since no one can brute-force root's SSH password. Do not skip the confirmation: if key login is not working when you make this change, you will lock yourself out and need the Console to fix the sshd configuration.

To do this, edit the server's sshd configuration, /etc/ssh/sshd_config, and update the PermitRootLogin line to read:
PermitRootLogin without-password

Now sshd needs to be restarted or sent a SIGHUP so that it re-reads the new configuration. This can be done by finding its PID and signalling it:
# ps auxw | grep ssh
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       681  0.0  0.1  49948  2332 ?        Ss    2012   3:23 /usr/sbin/sshd -D
# kill -HUP 681
Now your server's root login is protected. You can test this by trying to SSH directly as root from a system that does not have the private key: the connection will be rejected without ever prompting for a root password.
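Before sending the HUP, it is worth checking what sshd will actually enforce. The script below is an added example, not part of the original tutorial: it reads the effective value of the relevant keywords from sshd_config (sshd honours the first occurrence of a keyword and ignores comments) and reports whether the Step Six lockdown, plus the PasswordAuthentication no setting discussed in the comments, is in place. The function names and the sample config fragment in the test are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit sshd_config for the
# settings Step Six relies on before sshd is told to re-read it.
# Match blocks are not handled. sshd takes the FIRST occurrence of a keyword
# and keywords are case-insensitive, which is what sshd_effective mimics.

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        tolower($1) == k { print $2; exit }             # first match wins
    ' "$1"
}

# One line per check; exit status 0 only if every check reads "ok".
audit_sshd_config() {
    cfg="$1"; rc=0

    prl=$(sshd_effective "$cfg" PermitRootLogin)
    case "$prl" in
        without-password|prohibit-password)
            echo "PermitRootLogin: ok ($prl, root by key only)" ;;
        no)  echo "PermitRootLogin: ok (root login disabled entirely)" ;;
        "")  echo "PermitRootLogin: missing (older sshd defaults to yes)"; rc=1 ;;
        *)   echo "PermitRootLogin: weak ($prl)"; rc=1 ;;
    esac

    pa=$(sshd_effective "$cfg" PasswordAuthentication)
    case "$pa" in
        no) echo "PasswordAuthentication: ok" ;;
        "") echo "PasswordAuthentication: missing (default is yes)"; rc=1 ;;
        *)  echo "PasswordAuthentication: weak ($pa)"; rc=1 ;;
    esac

    # If this were "no", reloading would break the key login you just tested.
    pka=$(sshd_effective "$cfg" PubkeyAuthentication)
    case "$pka" in
        yes|"") echo "PubkeyAuthentication: ok" ;;
        *)      echo "PubkeyAuthentication: weak ($pka), do not reload"; rc=1 ;;
    esac
    return $rc
}
```

Run sshd -t (OpenSSH's own configuration syntax check) as a second test before the kill -HUP.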


By Etel Sverdlov

40 Comments

  • b596161 (over 1 year ago)

    Thank you very much! :)

  • dvogel (about 1 year ago)

    But ... it's trickier if you follow the directions for setting up a new Ubuntu server https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04. In the recommended instructions, you are directed to create a new user and disable root access using the sudoers file. So if you follow the above directions, you would not be able to log in with the newly created user without a password. Here are the steps I took to make it happen:
    1. Log in with the new user: ssh -p 25000 newuser@[your-server-p]
    2. Create a .ssh directory: mkdir ~/.ssh
    3. Paste your ssh key into the file ~/.ssh/authorized_keys: nano ~/.ssh/authorized_keys, ctrl-x to save
    Next time, you won't need a password to log in.

  • Etel Sverdlov (about 1 year ago)

    Thanks for the suggestion, dvogel!

  • sheta3030 (about 1 year ago)

    When I follow these steps it always asks me for the username, and instead of the user password it asks for the key passphrase! What is the use of it if I can still log in without defining the private key? I mean I can still log in with only my username and password through PuTTY without defining the private key! Am I doing something wrong?

  • Moisey (about 1 year ago)

    We've updated the article and added a Step 6 which will lock down root access so it will no longer request a password and instead function off of SSH keys only. Please make sure that before you do Step 6 you have confirmed that when you login as root you are not prompted for a password and are automatically logged in, otherwise you will lock yourself out and need to use the Console to update your SSHd configuration.

  • dragos.m.iorgulescu (about 1 year ago)

    Just a quick question, I am new to Ubuntu and server set up so don't judge if it is a simple question. I see you can deny the root login by setting PermitRootLogin to no, but what if I set up a few other users with valid ssh keys and I want to disable their password log in as well so that they can access the server via the ssh key only?

  • Arjan Dasselaar (about 1 year ago)

    If I understand correctly, in step 6 you're recommending to manage a server using root, albeit with ssh keys? Or do you recommend to create an extra user after step 6 as per https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04? Or can an extra ssh key for a specific user be installed from the control panel as well?

  • Moisey (about 1 year ago)

    It is personal preference whether you would rather ssh directly as root or log in as a different user and then su to root. However, in both cases logging in with the use of SSH keys is much more secure than simply using a root password. Dragos: You can limit it for all users if you like by adding the following to your sshd config:
    PasswordAuthentication no
    You can also expressly define inside of the sshd_config which users have access:
    AllowUsers user1 user2 user3

  • Arjan Dasselaar (about 1 year ago)

    I've created a server successfully with root login using steps 1-5. In other words, I can login without giving a root password. When I execute step 6 I get locked out with PuTTY displaying 'Server refused public-key signature despite accepting key!' (The same key that worked before I disabled permitrootlogin). I'll try the old-fashioned way again.

  • Moisey (about 1 year ago)

    You were logging in as root@server_ip and weren't getting prompted for a password in the process?

  • Arjan Dasselaar (about 1 year ago)

    Instead of "PermitRootLogin No" I've used "PermitRootLogin without-password". It then works flawlessly.

  • Lance McNearney (about 1 year ago)

    +1 for the last comment from Arjan Dasselaar. Using "PermitRootLogin No" locks you out with the server refusing the SSH key it accepted before the change.

  • marc (about 1 year ago)

    I messed up the order of operations and created the droplet before the ssh key. What can be done to add ssh keys to user logins after the fact?

  • rbishop87 (about 1 year ago)

    @marc: Step Four explains this step.

  • Christian (about 1 year ago)

    I like the idea of securing my droplet as per step 6. Now what if I lose the ssh key on my client machine (my laptop goes up in smoke, for example)? I first thought I could still get in via your Console Access, but that doesn't seem to be the case.

  • ian (about 1 year ago)

    @Christian - keep a backup copy of the private key on a USB or other storage medium away from your laptop. Of course you should protect it at step two with a passphrase so it can't simply be used by anyone.

  • weeleetan (about 1 year ago)

    I couldn't get it working. When creating the droplet I chose two optional ssh keys, and when I log in it still shows that a password is needed.

  • nicloay (about 1 year ago)

    Am I correct that the ssh key from step three is used only on deployment of new droplets?

  • JC (11 months ago)

    I must be missing something, I can't seem to get SSH to work without it asking me for a password. I followed the tutorial, still asked me for a password. I followed dvogel's instructions, still asked me for a password. :(

  • webdevotion (11 months ago)

    Same here - on Ubuntu 13.04

  • JC (11 months ago)

    I'm on Ubuntu 12.10

  • JC (11 months ago)

    Okay, I was finally able to get mine working. Here's what I did:
    1) Delete all SSH Keys from the Digital Ocean Control Panel
    2) SSH into root@dropletipaddress
    3) Enter root password
    4) "rm ~/.ssh" (this removes all ssh keys)
    5) Remove the .ssh folders for any other users (ex: "cd /home/myuser", then "rm .ssh")
    6) On my computer, enter "ssh-keygen -t rsa"
    7) Leave the filename empty, just hit enter (it never seemed to work when I made a custom filename)
    8) Leave the password empty, just hit enter
    9) On my computer, run "cat .ssh/id_rsa.pub | ssh root@dropletipaddress "cat >> ~/.ssh/authorized_keys""
    10) Enter root password
    11) It should work now. But before logging out of root, open a new Terminal tab/window and try ssh root@dropletipaddress again to see if it still asks you for a password.
    12) Once you verify that you are able to login without a password, log in and run "sudo nano /etc/ssh/sshd_config"
    13) Find and modify the line that says "PermitRootLogin yes" to "PermitRootLogin without-password"
    14) Save the file and reload ssh with "reload ssh"
    I'm going to try adding keys for more users next...

  • JC (10 months ago)

    Okay just a follow-up comment (because I couldn't figure out how to edit/delete the one above). I found a better way to make it work:
    1) On your computer, generate the key ("ssh-keygen -t rsa")
    2) Name the file whatever you want, but take note of the path you use so you can find it later
    3) Copy the key to the server ("cat /path/to/public_key | ssh root@dropletipaddress "cat >> ~/.ssh/authorized_keys"")
    4) Enter root password
    5) Your key is now copied to the server. To SSH in, use this command: ssh -i /path/to/private_key root@dropletipaddress

  • Pablo of vDevices.com (10 months ago)

    In Step One, where it reads: "The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):"... Is that statement assuming that the reader is working on a Linux computer? Or can these steps be carried out on a Windows machine? If so, how?

  • Kamal Nasser (10 months ago)

    @Pablo: On Windows, you can usually use your ssh client to create an ssh key. If you're using PuTTY, I recommend using PuTTYgen to generate an ssh key pair.

  • Lee Peterson (9 months ago)

    Speaking to those who commented about these instructions not working (specifically, the server still asking for a root password) I just created several Droplets using each of the available OSes, chose my key during the creation process, and it worked flawlessly each time. So, these instructions definitely work and serve as very sound advice from a security/ease of use standpoint. Wish more web hosts provided these kinds of resources and this much detail.

  • diego.maia (9 months ago)

    I'm having the same issue (still asking password). I created a droplet and set it to use SSH instead of asking for password. It worked flawlessly at home, but isn't working at my job site. Just added the key to the SSH control panel, but it started asking for the password. I hope it still works at home..=/

  • Kamal Nasser (9 months ago)

    @diego.maia: Did you add the SSH public key to the droplet itself or did you just create a new SSH key through our control panel? Adding a public key through our control panel does not add it to your existing droplets, you have to add it to ~/.ssh/authorized_keys manually.

  • rcwalsh (7 months ago)

    I've tried following these instructions several times, and it still always asks me for the root password. I'm using Git Bash on Windows 7. This is making it hard for me to switch to Digital Ocean.

  • Kamal Nasser (6 months ago)

    @rcwalsh: What command are you running to ssh in? Try adding -i /path/to/id_rsa, does that fix it? Is your public ssh key in /root/.ssh/authorized_keys on the droplet?

  • nottinhill (6 months ago)

    I think it is more than safe to say that this article is not one of the best on DO. I think it is missing many procedures and settings of sshd to get this running. A shame - this is such an important topic. Please revise the article thoroughly!

  • nottinhill (6 months ago)

    One more thing: The authorized key file was empty when my droplet was created. Login did ONLY work with password. Also I was emailed the password - I did not want that! I did put the key in the user front end and clicked on the not-so-buttonly button (representing the key) to color the not-so-buttonly button green in the front end. Please also revise the UX, it is horrible in this regard - logging in to one's server is such an important topic that it leaves users frustrated, from both a UX perspective and a technical perspective (ambiguous UI and email against expectations + no key in droplet).

  • nottinhill (6 months ago)

    Listening on a port other than 22 in a brand new droplet is also not possible.
    - temporary "echo 0 > /selinux/enforce" does not help (reverse with echo 1..)
    - "netstat -lntp" shows sshd is listening on 0.0.0.0:1234 (where 1234 is the port I chose).
    - "lsof -i | grep sshd" shows "sshd TCP *:1234 (LISTEN)".
    - "iptables -L -n" shows the problem. The default droplet firewall drops ports other than standard ports. So you need to add the corresponding port in your iptables and don't forget to "/etc/init.d/iptables-persistent save" afterwards.

  • tony.brown.357 (5 months ago)

    I've followed these directions 4 times now and I still get asked for my password when ssh root@ip

  • Kamal Nasser (5 months ago)

    @tony.brown.457: What's the output of
    ssh -vvv root@ip
    when run locally?

  • diego.lopez002 (4 months ago)

    Useful article, here is a good link to also making use of putty utilities to generate and then connect to your newly deployed droplet using SSH keys. http://www.howtoforge.com/how-to-configure-ssh-keys-authentication-with-putty-and-linux-server-in-5-quick-steps

  • diego.lopez002 (4 months ago)

    I had the same issues with asking for a password at first, I was using Cygwin and I don't think I was telling the ssh executable to authenticate using the key. I need to verify this on my other machine using the command recommended by @JC -- ssh -i /path/to/private_key root@dropletipaddress

  • scene4life21 (3 months ago)

    @nottinhill Yes, it's a shame this tutorial is missing key components to make it work. But I am not surprised. There are a ton of tutorials on Digital Ocean that do not work, and the reason why is DO lets any Tom, Dick, or Harry post them, which leads to a bunch of half-assed tutorials that don't work.

  • techspecx (about 1 month ago)

    What does the ps auxw | grep ssh tell me? I have more than 1 process showing up when I use that command. What exactly am I looking for when I run that command? Be specific if you are going to make tutorials. We all are NOT genius Linux admins. :)

  • Kamal Nasser (about 1 month ago)

    @techspecx: You're looking for the second column's value in the row that contains "sshd".
