By Pablo Carranza
If your headless, or remote, VPS is visible over the Internet, you should use public key authentication instead of passwords, if at all possible. This is because SSH keys provide a more secure way of logging in compared to using a password alone. While a password can eventually be cracked with a brute-force attack, SSH keys are nearly impossible to decipher by brute force alone. With public key authentication, every computer has (i) a public and (ii) a private "key" (two mathematically-linked algorithms that are effectively impossible to crack).
Today, OpenSSH is the default SSH implementation on Unix-like systems such as Linux and OS X. Key-based authentication is the most secure of several modes of authentication usable with OpenSSH, such as plain passwords and Kerberos tickets. Other authentication methods are only used in very specific situations. SSH can use either "RSA" (Rivest-Shamir-Adleman) or "DSA" ("Digital Signature Algorithm") keys. Both of these were considered state-of-the-art algorithms when SSH was invented, but DSA has come to be seen as less secure in recent years. RSA is the only recommended choice for new keys, so this tutorial uses "RSA key" and "SSH key" interchangeably.
When you log in to your DigitalOcean VPS, the SSH server uses the public key to "lock" messages in a way that can only be "unlocked" by your private key. This means that even the most resourceful attacker cannot snoop on, or interfere with, your session. As an extra security measure, some users and most SSH programs store the private key in a passphrase-protected format, to provide a window of time in which you can disable your compromised public key, should your computer be stolen or broken in to. For these reasons, public key authentication is a much better solution than passwords for most people. In fact, by not employing a passphrase on your private key, you will have the ability to automate parts of your configuration management with secure, automatic log-ins, such as incremental off-site backups, manage your DigitalOcean assets via the DigitalOcean API, and more.
You can save the same public key on as many cloud servers as you'd like, while your private key is saved on a client from which you log in to the server. Then, you can disable the normal username/password login procedure, which means that only people with a valid private/public key pair can log in; making your system more secure, because it will be impervious to brute-force attacks.
Another useful purpose that SSH keys can serve is in the creation of DigitalOcean droplets. As you know, when you spin up a droplet, you have to wait for an e-mail with your password. Although this email is very convenient, there is a more secure (and faster) way of gaining access to your new cloud server without the need for email. This can be done by saving your public key in the DigitalOcean Control Panel. To accomplish this:
This tutorial assumes that you are familiar with DigitalOcean's guide on How to Log Into Your Droplet with PuTTY (for windows users).
While PuTTY is a client program for SSH (in addition to Telnet and Rlogin), it is not a port of or otherwise based on OpenSSH. Consequently, PuTTY does not have native support for reading OpenSSH's SSH-2 private key files. However, PuTTY does have a companion named PuTTYgen (an RSA and DSA key generation utility), that can convert OpenSSH private key files into PuTTY's format; allowing you to connect to your cloud server from a Windows machine, with the added security that SSH keys provide.
PuTTYgen is a (free) open-source utility and can be downloaded from the maintainer's website. PuTTYgen is what you will use to generate your SSH keys for use in PuTTY. To start, all you need to do is download the exectuable files (.exe) and save them on the computer that you'll use to connect to your VPS, e.g. on the desktop. You will not need to "install" PuTTYgen, because it is a standalone application.
To generate a set of RSA keys with PuTTYgen:
NOTE: PuTTY and OpenSSH use different formats for public SSH keys. If the SSH Key you copied starts with "---- BEGIN SSH2 PUBLIC KEY ...", it is in the wrong format. Be sure to follow the instructions carefully. Your key should start with "ssh-rsa AAAA ...."
Now, you need to paste the copied public key in the file ~/.ssh/authorized_keys on your server.
mkdir ~/.ssh chmod 0700 ~/.ssh touch ~/.ssh/authorized_keys chmod 0644 ~/.ssh/authorized_keys
sudo vim ~/.ssh/authorized_keys
ikey on your keyboard & right-click your mouse to paste.
In PuTTY, you can create (and save) profiles for connections to your various SSH servers, so you don't have to remember, and continually re-type, redundant information.
Now you can go ahead and log in to email@example.com and you will not be prompted for a password. However, if you had set a passphrase on your public key, you will be asked to enter the passphrase at that time (and every time you log in, in the future).
Once you have verified that your key-based logins are working, you may elect to disable username/password logins to achieve better security. To do this, you need to edit your SSH server's configuration file. On Debian/ Ubuntu systems, this file is located at /etc/ssh/sshd_config.
sudo vim /etc/ssh/sshd_config
i key on your keyboard and edit the lines, referenced below:
[...] PasswordAuthentication no [...] UsePAM no [...]
To save, tap the following keys on your keyboard (in this order):
Enter. Now, reload
the SSH server's configuration:
sudo reload ssh
As always, if you need help with the steps in this HowTo, look to the DigitalOcean Community for assistance by posing your question(s), below.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Click below to sign up and get $200 of credit to try our products over 60 days!
I guess it is better to use sudo /etc/init.d/ssh restart to restart SSH
That command in the tut doesn’t work on my setup so I had to use the one I wrote in my first comment line.
Good luck, and Thanks by the way for the nice tut!
mkdir ~/.ssh chmod 0700 ~/.ssh touch ~/.ssh/authorized_keys chmod 0644 ~/.ssh/authorized_keys This should be a 4-line command, but the new version of the website is all displayed on one line, please check.
droplet yesterday is working well but today give me this error No support authentication methods available (server sent :publickey) when try to access putty or to connect on it by cyperduck or mysql
These instructions seem to be WAY out of date, and no longer work. I’ve tried 2 different keys with Puttygen, and was unable to add them. Error msg said that the key type wasn’t supported - then listed the key type I’d just created as one of the valid ones.
This tutorial’s method of generating keys with PuTTy always generates a PuTTy-format key, which doesn’t work on DigitalOcean.
I need to grant access to a technical support but the only way is to give them the private key to connect through FTP on the server
I’ve read countless of post, SSH here and there, but how I can grant access to a adduser that I’ve created, .ssh/ authorized.keys that I’ve copied in /home/user to grant the access through my server on FTP without asking for private key
do I need to add another SSH on my droplet, create also another SSH for a user, or I can use just one key (that’s what I’m doing, copying the .ssh/ and pasting to users.
Great article. Each step nicely written.
Unfortunately, I am stuck after step “Save The Public Key On The Server”.
I did “Save The Public Key On The Server” step at /root/.ssh which I understand is ~/.ssh because when I tried mkdir ~/.ssh it says that .ssh folder is already available at /root/.ssh
I reset all the permissions at /root/.ssh as said
I was initially login to root using Putty with ip/password/port saved. I tried login that way after “Save The Public Key On The Server” step. I am surprised that it is not asking for any SSH private key!
Still having the alert “Server refused our key” even when i carefully followed all steps above. I’ve uploaded my key to Droplet and yet still having the same error. Can someone kindly guide me?
is it possible to add the key generated by PUTTY to my ubuntu computer? or i need to generate a new one using the ubuntu machine and add it to the server?
If i want additional users to have SSH key how do i do it?