How To Use SSH Keys with DigitalOcean Droplets
Note: This guide is for Mac OS X and Linux users. If you are using Windows on your home computer, follow this guide instead.
Usually, when you spin up your DigitalOcean droplets, you get an email as soon as the process completes, letting you know the droplet’s IP address and password. Although this email is very convenient, there is a more secure (and faster) way of gaining access to your server without the need for email. This can be done by setting up SSH keys.
SSH keys are a key pair generated on your computer: the private half stays on your machine and the public half is placed on the server. The server lets you in when the connecting client proves it holds the private key that matches a public key the server has on file. While a password can eventually be cracked with a brute-force attack, an SSH key is, for practical purposes, impossible to guess. You can create new DigitalOcean droplets with an SSH key already set up on them by adding your computer's public SSH key to the control panel.
Step One—Create the RSA Key Pair
The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):
ssh-keygen -t rsa
Step Two—Store the Keys and Passphrase
Once you have entered the ssh-keygen command, you will get a few more questions:
Enter file in which to save the key (/demo/.ssh/id_rsa):
You can press enter here, saving the file to the user home (in this case, my example user is called demo).
Enter passphrase (empty for no passphrase):
It's up to you whether you want to use a passphrase. A passphrase encrypts the private key on disk, so a copy of the file alone (a stolen laptop, a leaked backup) is not enough to log in; without one, anyone who can read the file can use it. The entire key generation process looks like this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/demo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /demo/.ssh/id_rsa.
Your public key has been saved in /demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
|     .oo.        |
|   .  o.E        |
|    + .  o       |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|      . o + o .  |
|         . o     |
|                 |
+-----------------+
The public key is now located in /demo/.ssh/id_rsa.pub. This is the half you hand out.
The private key (identification) is now located in /demo/.ssh/id_rsa. Never copy or paste this file anywhere; ssh-keygen creates it readable only by you, and it should stay that way.
Step Three—Copy the SSH Keys
Note: If you would like to use the DigitalOcean API to add new SSH keys to your account, please refer to the API Documentation. Otherwise, continue reading.
Once you have your SSH key set up, it is time to copy it into your control panel. Open the SSH Page and click on the Create a New SSH Key button.
A popup should appear.
For the section labeled "Name", write in the name of the machine that you created the key pair on (eg. "Home Computer")
For the section labeled "Public SSH Key", copy and paste the public key that you created in Step One.
You can usually get this key by printing the contents of ~/.ssh/id_rsa.pub (with cat, for example) and copying the single line of output, which starts with ssh-rsa. Make sure you paste the .pub file, not the private key.
Click on Save.
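Before pasting a key into the control panel (or appending it to authorized_keys later on), it is worth checking that the line really is a public key of the type it claims to be. The following is an added example, not code from the original guide or from DigitalOcean: the second field of a public key line is base64 of the SSH wire format, which begins with a length-prefixed copy of the key type, so the declared type can be checked against what is actually encoded, and a line from a private key file is refused outright. It handles the ed25519 and ecdsa types as well as ssh-rsa, and assumes base64 and od from coreutils. The sample key line is constructed for the demonstration and is not a usable key.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a public key
# line before pasting it into the control panel or authorized_keys.
# The second field is base64 of the SSH wire format, which starts with a
# length-prefixed copy of the key type, so the declared type can be
# checked against what is actually encoded. Lines from a private key
# file are rejected outright. Requires base64 and od (coreutils).

# Constructed sample: a well-formed ssh-rsa line with a tiny fake modulus.
# It is NOT a usable key; it only exercises the format checks.
SAMPLE_RSA_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwECAw== demo@a'

# Return 0 if LINE is "<type> <base64> [comment]" and the blob really
# encodes <type>; otherwise print the reason to stderr and return 1.
check_pubkey_line() {
    line=$1
    case $line in
        -----BEGIN*)
            echo "refusing: this is a PRIVATE key, never share it" >&2
            return 1 ;;
        *' '*) ;;
        *)  echo "refusing: expected '<type> <base64> [comment]'" >&2
            return 1 ;;
    esac
    type=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case $type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *)  echo "refusing: unknown key type '$type'" >&2
            return 1 ;;
    esac
    # Decode the blob to hex; a corrupt paste decodes to nothing or garbage.
    blob_hex=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ -z "$blob_hex" ]; then
        echo "refusing: key material is not valid base64" >&2
        return 1
    fi
    # Wire format begins with uint32 length of the type string, then the string.
    type_hex=$(printf '%s' "$type" | od -An -tx1 | tr -d ' \n')
    expected=$(printf '%08x%s' "${#type}" "$type_hex")
    case $blob_hex in
        "$expected"*) return 0 ;;
        *)  echo "refusing: key material does not encode type '$type'" >&2
            return 1 ;;
    esac
}

if check_pubkey_line "$SAMPLE_RSA_PUBKEY"; then
    echo "ok: public key line is well formed and safe to paste"
fi
```

Run it with the key line as the argument of check_pubkey_line; a non-zero exit means do not paste. The type check matters because a blob for one key type pasted under another type's label is silently useless on the server: sshd will never match it, and you will be back to password prompts without knowing why.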
Step Four—Spin Up a New Server
The previous steps have explained how to add your key to your account so that new servers are created with it pre-installed. You cannot, however, use the control panel to add keys to already created droplets.
In order to add additional keys to pre-existing droplets, you can paste the public key in over SSH. This version also creates ~/.ssh if it is missing and sets the permissions sshd insists on (700 on the directory, 600 on the file); with StrictModes on, which is the default, sshd ignores an authorized_keys file or directory that other users can write to:
cat ~/.ssh/id_rsa.pub | ssh root@[your.ip.address.here] "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
When actually spinning up a new server, select the keys that you would like installed on your server from the "Create a Droplet" screen. You can select as many keys as you like:
Once you click on the SSH key, the text saying, "Your root password will be emailed to you" will disappear, and you will not receive an email confirmation that your server has been created.
Step Five—Connect to your Server
After you have created your server with the SSH keys pre-installed, you can connect to it the same way as before, with ssh as root at the droplet's IP address.
However, now when you connect from the machine that holds the matching private key, there will be no need to enter a password to log into the root user; you will be asked only for the key's passphrase, if you set one.
Host Key Warning
If you happened to destroy a droplet directly prior to creating the one that you are connecting to, you may see a message like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. ...
If this is the case, your new droplet probably has the same IP address as the old, destroyed droplet, but a different host SSH key. Only treat the warning as harmless when you know you rebuilt the droplet at that address; if you did not, the same message is exactly what an attacker intercepting the connection would produce, and you should confirm the new host key's fingerprint through the control panel console before trusting it. Once you are sure, you can remove the warning by deleting the old droplet's host key from your system, by running this command:
ssh-keygen -R [your.ip.address.here]
Now try connecting to your server again.
Step Six—Lockdown Root SSH Access to Keys Only
After you have confirmed that you can now log in as root to the server without being prompted for a password, you can disable password logins for root. This makes your server more secure, since root's password can no longer be guessed or brute forced over SSH. Keep your current SSH session open while you make the change, so that a mistake cannot lock you out.
It's necessary to edit the server's sshd configuration, /etc/ssh/sshd_config, and update the PermitRootLogin line so that root may authenticate with a key but never with a password. Older OpenSSH releases spell that value without-password; OpenSSH 7.0 and later call the same setting prohibit-password and still accept the old spelling. sshd uses the first occurrence of a keyword it finds, so change the existing line rather than adding a second one further down:
Now it's necessary to restart or send a HUP signal to the sshd process to have it re-read the new configuration. Check the file for syntax errors first with sshd -t: a broken configuration will not reload, and a failed restart could leave you locked out. The reload can be done via the following:
# ps auxw | grep ssh
USER  PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
root  681  0.0  0.1 49948 2332 ?   Ss   2012  3:23 /usr/sbin/sshd -D
# kill -HUP 681
Now your server's root login is protected. You can test this by trying to SSH directly as root to this server from a system that does not hold the private key: the connection is rejected with "Permission denied (publickey)" and you are never prompted for a root password. Note that this restricts root only; other accounts can still log in with passwords unless you also set PasswordAuthentication no.
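The edit in Step Six is easy to get wrong because sshd takes the first value it sees for a keyword: appending PasswordAuthentication no to the end of the file changes nothing if an earlier line already says yes. The following is an added example, not code from the original guide or from DigitalOcean, showing how to change the directives the way sshd actually reads them, on a constructed sample configuration rather than a real server's file. It removes every existing copy of a directive (active or commented out) and places the new one at the top, ahead of any Match block, then reads back the value sshd would use. The value prohibit-password is the OpenSSH 7.0+ spelling of the setting this guide calls without-password; current releases accept either.

```shell
#!/bin/sh
# Added example (not from the original guide): change sshd_config the way
# sshd reads it. sshd takes the FIRST value it sees for a keyword, so
# appending "PasswordAuthentication no" to the end of the file changes
# nothing if an earlier line already says "yes". These helpers remove every
# existing copy of a directive (active or commented out) and put the new
# one at the top, ahead of any Match block. Work on a copy and run
# "sshd -t -f <copy>" on the real server before reloading.

# Constructed sample config, not copied from any real server.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
EOF

# Print the value sshd would use for KEY in FILE (first active match,
# case-insensitive). Match blocks are not modelled here.
effective_sshd_option() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Set KEY to VALUE in FILE, dropping earlier active and commented copies.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$key" '
            { first = $1; sub(/^#+/, "", first) }
            tolower(first) != tolower(key) { print }
        ' "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# Step Six of the guide: root may log in with a key, never with a password.
# "prohibit-password" is the OpenSSH 7.0+ spelling; older releases call the
# same setting "without-password", which new releases still accept.
harden_root_login() {
    set_sshd_option "$1" PermitRootLogin prohibit-password &&
    set_sshd_option "$1" PasswordAuthentication no
}

echo "before: PermitRootLogin=$(effective_sshd_option "$SAMPLE_CONFIG" PermitRootLogin)"
harden_root_login "$SAMPLE_CONFIG"
echo "after:  PermitRootLogin=$(effective_sshd_option "$SAMPLE_CONFIG" PermitRootLogin)"
```

On the sample file the effective PermitRootLogin value goes from yes to prohibit-password, and PasswordAuthentication from yes to no, each left as a single line at the top of the file. After applying the same change to the real /etc/ssh/sshd_config, validate with sshd -t and then send the HUP shown above, with your existing session still open.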