We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →

How To Use SSH Keys with DigitalOcean Droplets

Posted Dec 3, 2012 534.6k views Linux Basics DigitalOcean System Tools Security


Note: This guide is for Mac OS X and Linux users. If you are using Windows on your home computer, follow this guide instead.

Usually, when you spin up your DigitalOcean droplets, you get an email as soon as the process completes, letting you know the droplet’s IP address and password. Although this email is very convenient, there is a more secure (and faster) way of gaining access to your server without the need for email. This can be done by setting up SSH keys.

The SSH keys are a key pair made between your computer and the server that allows the server to connect if it sees the matching key on the machine from which you are logging in. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone.You can create new DigitalOcean droplets with an SSH key already set up on them by adding your computer’s SSH key to the control panel.

Step One—Create the RSA Key Pair

The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):

ssh-keygen -t rsa

Step Two—Store the Keys and Passphrase

Once you have entered the Gen Key command, you will get a few more questions:

Enter file in which to save the key (/demo/.ssh/id_rsa):

You can press enter here, saving the file to the user home (in this case, my example user is called demo).

Enter passphrase (empty for no passphrase):

It's up to you whether you want to use a passphrase The entire key generation process looks like this:

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/demo/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /demo/.ssh/id_rsa.
Your public key has been saved in /demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.E  |
|        + .  o   |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|      . o + o .  |
|           . o   |
|                 |

The public key is now located in /demo/.ssh/id_rsa.pub The private key (identification) is now located in /demo/.ssh/id_rsa

Step Three—Copy the SSH Keys

Note: If you would like to use the DigitalOcean API to add new SSH keys to your account, please refer to the API Documentation. Otherwise, continue reading.

Once you have your SSH key set up, it is time to copy it into your control panel. Open the SSH Page and click on the Create a New SSH Key button.

A popup should appear.

SSH key popup

For the section labeled "Name", write in the name of the machine that you created the key pair on (eg. "Home Computer")

For the section labeled "Public SSH Key", copy and paste the public key that you created in Step 2.

You can usually get this key by copying the results of:

 cat ~/.ssh/id_rsa.pub

Click on Save.

Step Four—Spin Up a New Server

The previous steps have explained how to set up a server with pre-installed SSH keys. You cannot, however, use the control panel to add keys to already created droplets.

In order to add additional keys to pre-existing droplets, you can paste in the keys using SSH:

cat ~/.ssh/id_rsa.pub | ssh root@[your.ip.address.here] "cat >> ~/.ssh/authorized_keys"

When actually spinning up a new server, select the keys that you would like installed on your server from the "Create a Droplet" screen. You can select as many keys as you like:

ssh key shortcut

Once you click on the SSH key, the text saying, "Your root password will be emailed to you" will disappear, and you will not receive an email confirmation that your server has been created.

Step Five—Connect to your Server

After you have created your server with the SSH keys pre-installed, you can connect to it the same way as before:

ssh root@[your.ip.address.here]

However, now when you connect from a machine that shares the key pair, there will be no need to enter a password to log into the root user.

Host Key Warning

If you happened to destroy a droplet directly prior to creating the one that you are connecting to, you may see a message like this:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.

If this is the case, your new droplet probably has the same IP address as the old, destroyed droplet, but a different host SSH key. This is fine, and you can remove the warning, by deleting the old droplet's host key from your system, by running this command:

ssh-keygen -R [your.ip.address.here]

Now try connecting to your server again.

Step Six—Lockdown Root SSH Access to Keys Only

After you have confirmed that you can now login as root to the server without being prompted for a password you can disable password logins for root. This makes your server more secure since no one can brute force your SSH password.

It's necessary to edit the server's SSHd configuration /etc/ssh/sshd_config and update the following line to now read:

PermitRootLogin without-password

Now it's necessary to restart or rehup the sshd process to have it re-read the new configuration. This can be done via the following:

# ps auxw | grep ssh
root       681  0.0  0.1  49948  2332 ?        Ss    2012   3:23 /usr/sbin/sshd -D
# kill -HUP 681

Now your server's root login is protected and you can test this by trying to SSH directly as root to this server from a system that doesn't have its keys shared and you will be automatically kicked out without being prompted for a root password.

By Etel Sverdlov


Creative Commons License