How To Set Up SSH Keys on Ubuntu 12.04

Updated on December 15, 2021

Introduction

The Secure Shell Protocol (or SSH) is a cryptographic network protocol that allows users to securely access a remote computer over an unsecured network.

Though SSH supports password-based authentication, it is generally recommended that you use SSH keys instead. SSH keys are a more secure method of logging into an SSH server, because they are not vulnerable to common brute-force password hacking attacks.

Generating an SSH key pair creates two long strings of characters: a public and a private key. You can place the public key on any server, and then connect to the server using an SSH client that has access to the private key.

When the public and private keys match up, the SSH server grants access without the need for a password. You can increase the security of your key pair even more by protecting the private key with an optional (but highly encouraged) passphrase.

Note: If you are looking for information about setting up SSH keys in your DigitalOcean account, please refer to the DigitalOcean product documentation on SSH Keys.

Step 1 — Creating the Key Pair

The first step is to create a key pair on the client machine. This will likely be your local computer. Type the following command into your local command line:

  ssh-keygen -t ed25519

Output
Generating public/private ed25519 key pair.

You will see a confirmation that the key generation process has begun, and you will be prompted for some information, which we will discuss in the next step.

Note: if you are on an older system that does not support creating ed25519 key pairs, or the server you’re connecting to does not support them, you should create a strong rsa key pair instead:

  ssh-keygen -t rsa -b 4096

This changes the -t “type” flag to rsa, and adds the -b 4096 “bits” flag to create a 4096-bit key.

Step 2 — Specifying Where to Save the Keys

The first prompt from the ssh-keygen command will ask you where to save the keys:

Output
Enter file in which to save the key (/home/sammy/.ssh/id_ed25519):

You can press ENTER here to save the files to the default location in the .ssh directory of your home directory.

Alternately, you can choose another file name or location by typing it after the prompt and hitting ENTER.

Step 3 — Creating a Passphrase

The second and final prompt from ssh-keygen will ask you to enter a passphrase:

Output
Enter passphrase (empty for no passphrase):

It’s up to you whether you want to use a passphrase, but it is strongly encouraged: the security of a key pair, no matter the encryption scheme, still depends on the fact that it is not accessible to anyone else.

Should a private key with no passphrase fall into an unauthorized user’s possession, they will be able to log in to any server you’ve configured with the associated public key.

The main downside to having a passphrase — typing it in — can be mitigated by using an ssh-agent service, which will temporarily store your unlocked key and make it accessible to the SSH client. Many of these agents are integrated with your operating system’s native keychain, making the unlocking process even more seamless.

To recap, the entire key generation process looks like this:

  ssh-keygen -t ed25519

Output
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/sammy/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sammy/.ssh/id_ed25519
Your public key has been saved in /home/sammy/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:EGx5HEXz7EqKigIxHHWKpCZItSj1Dy9Dqc5cYae+1zc sammy@hostname
The key's randomart image is:
+--[ED25519 256]--+
| o+o o.o.++      |
|=oo.+.+.o +      |
|*+.oB.o. o       |
|*. + B . .       |
| o. = o S . .    |
|.+ o o . o .     |
|. + . ... .      |
|. . o. . E       |
| .. o. . .       |
+----[SHA256]-----+

The public key is now located in /home/sammy/.ssh/id_ed25519.pub. The private key is now located in /home/sammy/.ssh/id_ed25519.

Step 4 — Copying the Public Key to Your Server

Once the key pair is generated, it’s time to place the public key on the server that you want to connect to.

You can copy the public key into the server’s authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and address:

  ssh-copy-id sammy@your_server_address

Once the command completes, you will be able to log into the server via SSH without being prompted for a password. However, if you set a passphrase when creating your SSH key, you will be asked to enter the passphrase at that time. This is your local ssh client asking you to decrypt the private key; it is not the remote server asking for a password.
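ssh-copy-id does two things that the manual "cat the .pub file and append it to authorized_keys" route leaves to the operator: it copies exactly one well-formed key line, and it leaves ~/.ssh and authorized_keys with permissions sshd will accept (with the default StrictModes, sshd silently ignores an authorized_keys file that is group- or world-writable, and you are back to a password prompt with no obvious error). The script below is an added example, not part of the tutorial or of ssh-copy-id itself: it reproduces those two checks on the server side, rejecting pasted text that is not a single OpenSSH public-key line (a PuTTY "SSH2 PUBLIC KEY" export, a private key, a blob broken by a line wrap) and setting 700/600 on the directory and file. The home directory, user and key value it uses are constructed for the demo; the sample key is not a real key.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from ssh-copy-id: a hand-rolled
# "install this public key" step with the two checks the plain
# "cat >> ~/.ssh/authorized_keys" route skips. Paths, names and the sample
# key below are constructed for the demo.

# valid_pubkey LINE: succeed only if LINE is one OpenSSH public-key line
# ("type base64-blob [comment]"). Rejects private keys, PuTTY's multi-line
# "SSH2 PUBLIC KEY" export, and blobs broken by a stray line break.
valid_pubkey() {
    line=$1
    nl=$(printf '\nx'); nl=${nl%x}
    case "$line" in
        *"$nl"*|*"PRIVATE KEY"*|*"BEGIN SSH2"*|*"Comment:"*) return 1 ;;
    esac
    type=$(printf '%s' "$line" | cut -d' ' -f1)
    blob=$(printf '%s' "$line" | cut -d' ' -f2)
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # the blob must be one unbroken base64 token (an ed25519 blob is 68 chars)
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]{40,}={0,2}$'
}

# install_pubkey LINE HOMEDIR: append LINE to HOMEDIR/.ssh/authorized_keys
# unless it is already there. Prints "installed" or "already present".
install_pubkey() {
    key=$1
    dir="$2/.ssh"
    ak="$dir/authorized_keys"
    if ! valid_pubkey "$key"; then
        echo "refusing to install: not a single-line OpenSSH public key" >&2
        return 1
    fi
    # sshd (StrictModes yes, the default) ignores authorized_keys when ~/.ssh
    # or the file itself is writable by anyone but the owner
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -e "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    if grep -qxF "$key" "$ak"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$ak"
        echo "installed"
    fi
}

# has_mode PATH MODE: succeed if PATH's permission bits are exactly MODE
# (e.g. 700); works on GNU and BSD userlands, unlike stat's differing flags.
has_mode() {
    find "$1" -prune -perm "$2" -print 2>/dev/null | grep -q .
}

# Demo against a throwaway home directory; it never touches the real ~/.ssh.
# The key is constructed for this example and is not a real public key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExample0 sammy@laptop'
demo_home=$(mktemp -d)
install_pubkey "$SAMPLE_KEY" "$demo_home"      # installed
install_pubkey "$SAMPLE_KEY" "$demo_home"      # already present
has_mode "$demo_home/.ssh" 700 && echo ".ssh is 700"
valid_pubkey '---- BEGIN SSH2 PUBLIC KEY ----' || echo "PuTTY export header rejected as expected"
rm -rf "$demo_home"
```

Run it on the server as the user who will log in (or pipe the key line into it over an existing session), then confirm with a second terminal before closing the one you are in. The idempotency check (grep -x on the whole line) is what keeps repeated runs from filling authorized_keys with duplicates.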

Step 5 — Disabling Password-based SSH Authentication (Optional)

Once you have copied your SSH keys onto the server, you may want to completely prohibit password logins by configuring the SSH server to disable password-based authentication.

Warning: before you disable password-based authentication, be certain you can successfully log onto the server with your SSH key, and that there are no other users on the server using passwords to log in.

In order to disable password-based SSH authentication, open up the SSH configuration file. It is typically found at the following location:

  sudo nano /etc/ssh/sshd_config

This command will open up the file within the nano text editor. Find the line in the file that includes PasswordAuthentication (or create the line if it doesn’t exist), make sure it is not commented out with a # at the beginning of the line, and change it to no:

/etc/ssh/sshd_config
PasswordAuthentication no

Save and close the file when you are finished. In nano, use CTRL+O to save, hit ENTER to confirm the filename, then CTRL+X to exit.

Reload the sshd service to put these changes into effect:

  sudo systemctl reload sshd

Before exiting your current SSH session, make a test connection in another terminal to verify you can still connect.
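The nano edit above has two failure modes worth guarding against when you script it: the stock sshd_config ships the default commented out as "#PasswordAuthentication yes", so a naive append leaves the new line after any Match block at the end of the file, where it would apply only to that block; and a typo in the file makes the reload fail, or worse, keeps sshd from starting on the next boot. The script below is an added example, not part of the tutorial: it replaces the first top-level occurrence of the option (commented or not) in place, inserts before the first Match block when the option is absent, keeps a Match block's own settings untouched, and shows where sshd's own syntax check (sshd -t -f FILE) belongs before the reload. It assumes the usual layout where Match blocks come last, treats keywords case-sensitively for brevity (sshd itself does not), and runs only against a constructed sample file, never the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the tutorial: set a top-level sshd_config
# option from a script instead of nano, so the change is repeatable and can
# be checked before sshd is reloaded. Assumes Match blocks come last and a
# disabled default reads "#Key value" at line start, as in the stock file.
# The sample config below is constructed for the demo.

# set_sshd_option FILE KEY VALUE: leave FILE with exactly one active
# "KEY VALUE" line, placed before any Match block. The first top-level KEY
# line (active, or commented out as "#KEY ...") is replaced and later
# duplicates dropped, since sshd honours only the first occurrence; KEY lines
# inside a Match block are kept because they apply to that block alone.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        /^[[:space:]]*Match[[:space:]]/ {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && $0 ~ ("^[[:space:]]*#?" key "[[:space:]]") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # write through cat so the real file keeps its owner and mode (mv would not)
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# effective_option FILE KEY: print the value sshd would use for KEY at the
# top level (first active line before any Match block), or "unset".
effective_option() {
    awk -v key="$2" '
        /^[[:space:]]*Match[[:space:]]/ { exit }
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_and_reload FILE: let sshd parse FILE before the reload so a typo
# cannot leave the daemon unable to restart. Defined only; the demo below
# never touches the live /etc/ssh/sshd_config.
check_and_reload() {
    sshd -t -f "$1" && sudo systemctl reload sshd
}

# make_sample_config FILE: a constructed file shaped like the stock Ubuntu
# sshd_config: defaults commented out, a Match block at the end.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sshd_config
Port 22
#PasswordAuthentication yes
# PasswordAuthentication is discussed in the tutorial; this comment must survive
UsePAM yes
Match User deploy
    PasswordAuthentication yes
EOF
}

cfg=$(mktemp)
make_sample_config "$cfg"
echo "before: PasswordAuthentication=$(effective_option "$cfg" PasswordAuthentication)"   # unset
set_sshd_option "$cfg" PasswordAuthentication no    # replaces the commented default in place
set_sshd_option "$cfg" PubkeyAuthentication yes     # absent key: inserted before the Match block
echo "after:  PasswordAuthentication=$(effective_option "$cfg" PasswordAuthentication)"   # no
cat "$cfg"
rm -f "$cfg"
```

Against the real file the sequence is set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no, then check_and_reload /etc/ssh/sshd_config, then the test connection from a second terminal that the tutorial already asks for; the Match-aware placement matters because a "Match User deploy" block that still allows passwords for one account should keep doing so only for that account.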

Conclusion

In this tutorial we created an SSH key pair, copied our public key to a server, and (optionally) disabled password-based authentication completely.

For more information about SSH and the SSH service, including how to set up multifactor authentication, please read our related tutorials:

About the author(s)

Etel Sverdlov, Author. Former Director of Community at DigitalOcean. Expert in cloud topics including LAMP Stack, CentOS, Ubuntu, MySQL, SSL certificates, and more.

Brian Boucheron, Author. Senior Technical Writer at DigitalOcean.


If you don’t have ssh-copy-id you can use the following command: cat ~/.ssh/id_rsa.pub | ssh user@machine "cat >> ~/.ssh/authorized_keys"

Hey Matt,

Great suggestion, we’ll update the article with that.

Dear Digital Ocean. You guys make the best tutorials. Thank you so much.

Great article, but what if your client is a Windows box and you’ve generated your public key with Puttygen, then need to transfer it to your VPS? Is there any way to copy-paste the public key, for example using nano? I’d rather not create a completely new server using the ‘Addendum’ method.

If you are copying the key over to a server you can certainly SSH and in and use nano/vi or any other editor and copy and paste it in. Just make sure that the formatting is preserved and no new line characters are added.

If I misunderstood the question let me know.

Wow, thanks for the quick reply on a Sunday night :-) I tried that and must have made a mistake as I couldn’t get it to work. I had created a way too large DSA key anyway. Since I’m trying to learn anyway, I’ve decided to recreate a droplet from scratch and get this down before I proceed. I’ll try integrating the SSH key through your ‘addendum’ method next time. I’m assuming I can just copy-paste the entire key, or do I have to omit lines like '---- BEGIN SSH2 PUBLIC KEY ---- Comment: “rsa-key-20130121”?

I think you may be looking at the wrong file possibly, because when the key is created the public one that you should be sharing doesn’t have any comments, so you can copy and paste it directly.

Please make sure that you are copying and pasting from the file that ends in “.pub”

I’m pretty sure I had the correct file, but to make sure I’ve put an exact copy/paste on Pastebin: http://pastebin.com/Hzi30uMM Apparently puttygen adds lines Linux doesn’t?

On Linux you would get: ssh-dss AAAAB3NzaC1yc2EAAAABJQAAAQEAgj… user@host

That should all be on one line; the ssh-dss portion is because the key was created with dsa instead of rsa.

But that’s what it should look like and you should paste it in on one line.

Right. Just to make sure I’ve got everything down correctly: if my username were ocean and my IP were 185.14.185.149, and my key were in ssh2-rsa the correct format would be:

ssh-rsa [key with all line breaks removed] ocean@185.14.185.149

Which I can then add to the Digital Ocean control panel and will be integrated in any future droplets I create.

Correct? Thanks!

When you create the key it will be created with your username@host the key was created on, it’s not related to the user / IP you are sshing to. It’s also optional and not necessary to be included.

Thanks for the clarification; puttygen does not add username@host data so I was under the impression I would have to manually add it. I’ll leave it out then.

If you open the private key with puttygen, there’s a box with the public key in openssh format http://i.imgur.com/1Cv0kmu.png

Copy and paste that into ~/.ssh/authorized_keys

Do the usernames on the client and server have to match? Or are there restrictions on logging into root@server from non-root@client?

I cannot finish step 3. I get blah blah blah port 22: Connection refused

I changed the port as recommended by a previous tutorial.

I tried this on my amazon ec2 virtual machine (running ubuntu 12.10 32-bit server), and on my desktop machine (running ubuntu 12.10 desktop 64-bit) and it does not work. I checked the dir and there is nothing there, and when trying the commands to transfer the key it tells me there were no identities found.

Okay, it seems I was successful this time; the only thing I did differently was follow the tutorial. The first 2 times I entered a name for the file when asked for a name, and I also did use a password. I’m thinking it’s the former that made it not work, not sure why though. Anyhow…

When trying to connect, it asks me for a password and I did not enter one upon configuration. I guess I’m locked out of my virtual machine.

Totally not working for me. I’m rebuilding my virtual machine for the second time.

Why enable root login over ssh at all? Add your normal admin user to the admin group, or add an entry to the /etc/sudoers file (as described in https://www.digitalocean.com/community/articles/how-to-add-and-delete-users-on-ubuntu-12-04-and-centos-6) and use sudo. If you need full root login, then just use sudo su - root

One thing to note if you are moving the pub key manually and creating the authorized_keys file is to make sure it has its permissions set to 700.

sudo chmod 700 ~/.ssh/authorized_keys

Question about the Addendum: if I include my public key, will the root user still have a password? If the answer is no, that means step 4 won’t make any difference, correct?

If you create the droplet with your SSH keys, the root user will not have a password. If you set the keys up later, the root user will have a password and step four would be helpful.

What are the advantages to uploading the public key to Digital Ocean’s Addendum?

Never mind. I found another tutorial.

On Cent6, I created the .ssh directory as a user and it wouldn’t work until I replicated the permissions of root’s .ssh directory (755) and authorized_keys file (644).

When I do this and it locks me out of the server, can you still access the server using the console of DigitalOcean within the control panel?

Remove the need for any editor.

$ sudo sed -ie "s/^PermitRootLogin without-password/#&/" /etc/ssh/sshd_config

Personally, I would also change PermitRootLogin yes appropriately.

If you have configured a different port for ssh (for example, port 54321), then you need to use this instead (with the quotes): ssh-copy-id "user@123.45.56.78 -p 54321" Can you please update the article?

@Peter Oudenes: Yes. Our remote console does not rely on ssh and will work even if you’re locked out of ssh.

How about an option to disable root login upon creation of the droplet? And taking it further, the option to create a new user (e.g. ‘admin’), add it to sudoers and give it the public key instead?

It sure would save me some time!

Thanks @nicholas.teeple!

For CentOS 6, Instead of permissions 700 for ~/.ssh and 600 for ~/.ssh/authorized_keys…I had to set them to 755 and 644 respectively.

After I followed the tutorial and tried to ssh using the terminal, it showed this: “Agent admitted failure to sign using the key.” And it prompted me for a password.

Can anyone help?

@weeleetan Try running the ‘ssh-add’ command locally and then try to ssh in again.

Hello,

I’ve followed the instructions but I don’t get any reply from the server in step 3 when I add the public key. I use the ‘cat’ method because osx does not have ‘ssh-copy-id’

I’ve generated new keys and given another name to the files.

The copy of the public key seems to be ok though. I’ve checked authorized_keys on the server and it’s in there. But then, when I ssh root@myserver.com I’m prompted for the password.

Any idea?

@kevin.purnelle: What’s the output of the following command?

ssh -vvv user@yourdroplet

@Kamal Thanks to your comment I could solve the problem. The output was very long so I decided to look for an answer before posting.

Here I’m going to describe my steps as a SSH noob. I think it can be useful for any beginner like me.

So, after running the above command: ssh -vvv user@yourdroplet I saw something about identity files. When I created the key, I specified a different rsa filename for Digital Ocean. digitalo_rsa instead of the default one. (I use it for something else) -> There was no mention of it.

So after looking a little, I found two things.

  1. One can select an identity file when calling ssh like this: ssh -i /path/to/key_rsa user@mydroplet (and it works, I wasn’t asked for password)

  2. One can create a config file (well, it’s nicer than the command in 1). You have to go to your ~/.ssh folder and create a file named ‘config’ in there; you can add something like this:

Host example.com
    HostName example.com
    User root
    IdentityFile ~/.ssh/digitalo_rsa

You can add as many of these blocks as needed if you use various keys.

Then you can simply > ssh example.com ;)

main source: http://ivetetecedor.com/how-to-set-up-an-ssh-config-file-in-mac-os-x/

@kevin.purnelle: That is correct. Trust me, knowing how to look stuff up online can be really useful later on :D

Hi,

there should be an article that explains how to setup users + sudo + SSH key authentication and disable password authentication altogether + fail2ban + disable root login

Just to keep it simple for people who don’t really know what they are doing :)

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.