Since getting on a VPS with DigitalOcean, I wanted to do away with passwords and connect using keys exclusively, to make the process as quick and secure as possible.
As an introduction, the default way to connect to a server using SSH is with a username and password: a process that we’re all familiar with. However, passwords are inherently insecure, so servers running Linux can use keys for authentication instead of passwords, which is far more secure.
The process works by creating a pair of keys: the public key can be publicly shared, and is stored on the server. The private key is like your password and should be kept as secure as possible. It stays on your computer and works with the public key to create a secure connection between your machine and the server.
In this tutorial, I am using a Mac running OS X Mavericks and connecting from Terminal to my server, which is running Linux.
Creating SSH keys
The first step is to create the keys which will give you access to your server. This is done on your local machine, so don’t log in to your server yet. In Terminal, use the following command to create an SSH key pair:
Terminal will ask you a few questions, the first of which is where to save your keys. This should be in the default location of /Users/yourusername/.ssh. You can enter any filename you like to help you distinguish it from other keys, so your response might be:
You’ll then be prompted for a passphrase. If you want to be extra secure, you can add a passphrase to your key. On the plus side, it adds an extra layer of security to your server if someone does happen upon your private key. On the negative, you have to enter the passphrase each time you connect to your server. I’m trying to avoid this, so I left it blank (just hit return twice).
The public (myfirstkey.pub) and private (myfirstkey) keys can now be found in the .ssh directory in your home directory. Note that .ssh is a hidden folder, so to find it, you may need to use Go > Go To Folder in Finder, and enter “~/.ssh” to go to that folder.
Copy the public key to your server
Now that you’ve established the keys, you need to copy the public key to your server. The best way to do this is to use the ssh-copy-id command, which puts everything in the right place and establishes the correct permissions for you. However, it isn’t installed by default on OS X, so we need to install it first. Enter the following two commands to install it (you’ll be asked for your sudo password, which is the password to your Mac user account):
Now you can use the ssh-copy-id command to copy the public key. If you use the standard port 22 for SSH connections to your server, your command will take the format:
However, if like me, you have changed the SSH port for security, you’ll need to use the following syntax:
Now your key has been added to the authorized_keys file on your server and the correct permissions have been set.
Establish an SSH config file
At this point you can connect to your server with your keys, using a command like this:
However, I want to take it a step further and make it even easier for you so that you don’t have to remember the name of your keys, nor your server’s IP address.
To do this, we’re going to create an SSH config file. Back in Terminal, make sure you are logged into your local machine (not your server – use the logout command if you are logged in) and use the following command to create and edit your SSH config file:
If the file didn’t exist before, you’ll see a blank file. Otherwise, you can add the entry below after anything already in the file. The entry sets a memorable name for your server and saves all of the connection information (key, port, username and host name) so that you don’t have to enter it every time you want to connect.
Now, you can very easily log in to your server with the simplest of commands:
Disabling password access
Once you are certain that you have got your keys working as they should, you should disable password authentication as a means to access your server: there’s no sense in using keys if hackers can still access your server using your password.
Log in to your server and use the following command to edit your server’s SSH config file:
Look for the following settings and change the values to match those below: note that these lines may not be next to one another in the file:
Finally, reload SSH for the settings to take effect:
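As an added example (not code from the original post), the following shell script ties together the two configuration steps above: it prints a ~/.ssh/config stanza of the kind described in the "Establish an SSH config file" section, and it checks an sshd_config file for the PasswordAuthentication setting before you rely on password logins being off. The alias, host address, port, user name and key path are assumed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed sample values:
# alias "myserver", host 203.0.113.10, port 2222, user "deploy", key ~/.ssh/myfirstkey.

# Print a ~/.ssh/config stanza so that plain `ssh ALIAS` supplies host, port, user and key.
# IdentitiesOnly stops ssh offering every key in your agent before the right one.
# Usage: ssh_config_entry ALIAS HOSTNAME PORT USER KEYFILE
ssh_config_entry() {
    printf 'Host %s\n    HostName %s\n    Port %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Return 0 if the sshd_config file given as $1 disables password logins.
# sshd honours the FIRST uncommented occurrence of a keyword; if none is present
# the default is "yes", so a missing line counts as still enabled. Settings inside
# Match blocks are not considered here.
password_auth_disabled() {
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" |
          head -n 1 | awk '{ print tolower($2) }')
    [ "$val" = "no" ]
}

# Demonstration on a constructed sshd_config sample (never touches the real one).
demo_cfg=$(mktemp)
printf '# PasswordAuthentication yes\nPasswordAuthentication no\nPort 2222\n' > "$demo_cfg"
ssh_config_entry myserver 203.0.113.10 2222 deploy "$HOME/.ssh/myfirstkey"
if password_auth_disabled "$demo_cfg"; then
    echo "password authentication: disabled"
else
    echo "password authentication: STILL ENABLED"
fi
rm -f "$demo_cfg"
```

Run password_auth_disabled against /etc/ssh/sshd_config on the server after editing it; a commented-out line or a missing line both mean passwords are still accepted.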
You’re done. You can now quickly access your server without having to memorise your server details, and passwords have been disabled for maximum security.