Creating and Using SSH Keys with DigitalOcean
About SSH Keys
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long strings of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.
On Mac or Linux
Step One—Create the RSA Key Pair
The first step is to create the key pair on your computer.
ssh-keygen -t rsa
Step Two—Store the Keys and Passphrase
Once you have entered the ssh-keygen command, you will be asked a few more questions:
Enter file in which to save the key (/home/USER/.ssh/id_rsa):
You can press enter here, saving the file to the user home (in this case, my example user is called demo).
Enter passphrase (empty for no passphrase):
It's up to you whether you want to use a passphrase. Entering a passphrase does have its benefits: the security of a key, no matter how encrypted, still depends on the fact that it is not visible to anyone else. Still, I recommend that you don't use a passphrase.
The public key is now located in /home/user/.ssh/id_rsa.pub. The private key (identification) is now located in /home/user/.ssh/id_rsa.
Step Three—Copy the Public Key
Once the key pair is generated, it's time to place the public key on the server that we want to use.
You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.
You can see below what all of this should look like:
Now you can go ahead and log into email@example.com and you will not be prompted for a password. However, if you set a passphrase, you will be asked to enter the passphrase at that time (and whenever else you log in in the future).
On Windows with PuTTY
Here is a great article at DigitalOcean that walks you through setting up SSH keys with PuTTY and PuTTYgen on Windows, as well as uploading that key to your server.
In short, download PuTTYgen from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. Once downloaded, open it up, fill in the info and generate your key. Then you can upload that key into the correct place and you are good to go.
Locking Down Root Password Logins
Now that you have your SSH keys working (and CONFIRMED!), it would be good to not allow root password logins on your server. That would make your server extremely secure, allowing no one to log in as root other than you, from your computer. Here's how you do that:
It's necessary to edit the server's sshd configuration file, /etc/ssh/sshd_config, and update the following line to now read:
PermitRootLogin without-password
This setting only stops root from authenticating with a password; root logins with your SSH key still work. Newer OpenSSH releases spell the same setting PermitRootLogin prohibit-password, and still accept without-password as an alias. You can do that with nano:
Now it's necessary to restart the sshd process to have it re-read the new configuration. This can be done via the following:
service sshd restart
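Editing sshd_config by hand is error-prone: sshd honours the first occurrence of a keyword it reads, so a duplicate PermitRootLogin line higher up silently wins, and a directive inside a Match block applies only conditionally. The script below is an added example, not part of the original tutorial, that sets PermitRootLogin in a config file and reads back the value sshd will actually use; it assumes a plain keyword/value sshd_config and the page's path as the default.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): safely edit PermitRootLogin
# in an sshd_config file and read back the value sshd will actually use.
# Assumes a plain keyword/value sshd_config; CONF defaults to the page's path.
CONF="${CONF:-/etc/ssh/sshd_config}"

# Print the effective global value of KEYWORD in FILE.
# sshd honours the FIRST active occurrence of a keyword (later duplicates are
# ignored) and lines after a "Match" block apply only conditionally, so scan
# top-down, stop at the first Match, and report the first hit.
effective_value() {  # effective_value KEYWORD FILE
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == key     { print $2; exit }
    ' "$2"
}

# Set KEYWORD to VALUE in FILE: rewrite every active global occurrence (so no
# earlier duplicate can shadow the new value) or, if absent, insert the
# directive before the first Match block (or append at the end).
set_keyword() {  # set_keyword KEYWORD VALUE FILE
    tmp="$3.tmp.$$"
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v kw="$1" -v val="$2" '
        BEGIN { done = 0; inmatch = 0 }
        !inmatch && tolower($1) == "match" {
            if (!done) { print kw, val; done = 1 }
            inmatch = 1
        }
        !inmatch && $1 !~ /^#/ && tolower($1) == key {
            if (!done) { print kw, val; done = 1 }
            next
        }
        { print }
        END { if (!done) print kw, val }
    ' "$3" > "$tmp" && mv "$tmp" "$3"
}

# Lock down root password logins as the tutorial describes, then verify that
# the value sshd will use is really the one we set.
lock_root_password_login() {  # lock_root_password_login [FILE]
    f="${1:-$CONF}"
    set_keyword PermitRootLogin without-password "$f" || return 1
    [ "$(effective_value PermitRootLogin "$f")" = "without-password" ]
}
```

Run sshd -t after editing and before service sshd restart so that a syntax error in the file cannot leave you locked out; keep your existing key-based session open until a fresh login has been confirmed.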