How to Upload an SSH Public Key to an Existing Droplet

There are several ways to add your public key to a server:

  • Using ssh-copy-id, which is included in many Linux distributions’ OpenSSH packages. This is a good choice when you have password-based SSH access.
  • By copying the contents of the key and piping the contents into the ~/.ssh/authorized_keys file. This is a good choice when you have password-based SSH access but don’t have ssh-copy-id.
  • By adding the public key manually, which is necessary if you do not have password-based SSH access.

With ssh-copy-id and Password-Based Access

You can copy your SSH key using ssh-copy-id, substituting in the IP address of your Droplet.

ssh-copy-id username@203.0.113.0

This will prompt you for the user account’s password on the remote system:

The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.0's password:

After typing in the password, the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the user account’s ~/.ssh/authorized_keys file:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@203.0.113.0'"
and check to make sure that only the key(s) you wanted were added.

After entering the password, it will copy your key, and you can log in without a password.

With ssh and Password-Based Access

If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can pipe the contents of the key into the ssh command.

On the remote side, make sure the ~/.ssh directory exists, and then append the piped contents into the ~/.ssh/authorized_keys file. Substitute the IP address for your Droplet.

cat ~/.ssh/id_rsa.pub | ssh username@203.0.113.0 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

You will be asked to supply the password for the remote account:

The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
username@203.0.113.0's password:

After entering the password, it will copy your key, and you can log in without a password.

Without Password-Based Access

If you do not have password-based SSH access available, you will have to add your public key to the remote server manually.

On your local machine, output the contents of your public key.

cat ~/.ssh/id_rsa.pub

Copy the output.

ssh-rsa EXAMPLEzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== username@203.0.113.0

Log into your Droplet and create the ~/.ssh directory if it does not already exist:

mkdir -p ~/.ssh

Add the key to the ~/.ssh/authorized_keys. Make sure to substitute the contents of your public key.

echo "ssh-rsa EXAMPLEzaC1yc2E...GvaQ== username@203.0.113.0" >> ~/.ssh/authorized_keys

The ~/.ssh directory and authorized_keys file must have specific restricted permissions (700 for ~/.ssh and 600 for authorized_keys). If they don’t, you won’t be able to log in.

Make sure the permissions and ownership of the files are correct.

chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh

You can now log in without a password.