Overview
An SSH key will let you automatically log into your server from one particular computer without needing to enter your password. This is convenient if you make frequent SSH and scp connections to your server.
READ ME FIRST
This article is provided as a courtesy. Installing, configuring, and troubleshooting SSH keys is outside the scope of support provided by Media Temple. Please take a moment to review the Statement of Support.
Results
You will create an SSH key on your computer, and then configure your server to accept it. This will allow you to automatically log into your server from this computer, without being prompted for your password.
CAUTION:
Please do not set up an SSH key on a public or shared computer that does not use individual profiles. This will allow strangers to easily access your server.
Requirements
- SSH configured for a user on your server:
- SSH on your local computer: this walkthrough is for Linux/Unix computers, including Mac OS X. See the note at the end of this article for extended PuTTY instructions (for Windows computers).
- A previous SSH connection made from this computer. If you haven't ever used this computer to log into another server with SSH, please do so now. A simple login will suffice to generate the correct files on your local computer. See the previous links for instructions.
Instructions
1. This step is run on your remote server. Log in to your server via SSH with your Server Administrator user and execute the following command:
mkdir ~/.ssh/ && touch ~/.ssh/authorized_keys 1. This step is run on your remote server. Make the initial SSH connection as the root user and change to the home directory for the user you are creating the key for, then create the .ssh directory. File paths for user's home directories can be found in /etc/passwd.
cd /path/to/users/directory && mkdir .ssh1. This step is run on your remote server. Log in to your server via SSH with your Server Administrator user and execute the following command:
mkdir ~/.ssh/ && touch ~/.ssh/authorized_keys
2. This step is run on your local computer. Generate a key on your local computer, using strong encryption:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -C "Enter an optional comment about your key"The default directory and name for new keys is ~/.ssh/id_rsa, and this is where SSH will look for your keys. If you change the directory or name, you will have to specify this when connecting.
- VPS/Dedicated:
ssh root@server -i /path/to/my_key
- Grid users:
ssh [email protected] -i /path/to/my_key
You should receive a prompt similar to the following. Please use a strong password. If you plan on using your key for automated tasks that don't require interaction, such as rsync, you might want to leave this blank:
Enter passphrase (empty for no passphrase)Once you have entered your password twice, you should see output similar to:
Your identification has been saved in /Users/username/.ssh/id_rsa.Your public key has been saved in /Users/username/.ssh/id_rsa.pub.The key fingerprint is:60:b5:c1:b7:ee:ab:31:d1:70:d8:03:41:df:0f:08:eb Enter an optional comment about your keyThe key's randomart image is:+--[ RSA 2048]----+| .=. || . B o || X B o || o X o o || E S . || o || o . || + || ..o. |+-----------------+3. This step is run on your local computer. Make sure your .ssh directory and the files it contains have the correct permissions:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/*4. This step is run on your local computer. Upload your public key to your server. The command below reads the content of the key you just created on your computer, and appends that key to the authorized_keys file on your server. If you don't have an existing authorized_keys file, it creates one. Replace example.com with your domain:
cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat - >> ~/.ssh/authorized_keys'4. This step is run on your local computer. Upload your public key to your server. The command below reads the content of the key you just created on your computer, and appends that key to the authorized_keys file on your server. If you don't have an existing authorized_keys file, it creates one. Replace example.com with your domain:
cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat - >> ~/.ssh/authorized_keys'4. This step is run on your local computer. Upload your public key to your server. The command below reads the content of the key you just created on your computer, and appends that key to the authorized_keys file on your server. If you don't have an existing authorized_keys file, it creates one. Remember to replace the username and hostname with your connection info:
cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat - >> ~/.ssh/authorized_keys'5. This step is run on your remote server. Make sure you're logged in as the user for whom the key was created. Then, ensureyour .ssh directory on the server, and the files it contains, have the correct permissions:
chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/That's it! You should now be able to log into your server from this computer without being prompted for a password.
Troubleshooting
On your remote server, run the following:
ls -la ~/.ssh | grep "authorized_keys"You should see output similar to the following:
-rw------- 1 example.com example.com 398 Jul 15 10:32 authorized_keysNote that the directory needs to include the file called "authorized_keys" with -rw------- (600) permissions.
Finally, run this command to check the permissions on your .ssh directory:
ls -la ~ | grep ".ssh"drwx------ 2 example.com example.com 3 Jul 15 10:32 .sshYou should have a folder called ".ssh" with drwx------ (700) permissions.
If for either of these tests, you get blank output, or a message similar to the following:
ls: /root/.ssh: No such file or directoryPlease repeat Steps 1 and 4-5 above.
Creating an SSH key in PuTTY
Requirements
- PuTTY
- PuTTYgen
- Pageant
Generate the Key
Run PuTTYgen.exe.
Click "Generate" and move your mouse.
Once the key is generated, enter your key passphrase. Be sure to use a strong password; read our guide here.
Then click 'Save public key' and 'Save private key.'
Select & configure your user
Let's choose a user for which to create the SSH key. In our example, the user is "thatguy" for "mt-example.com." This is an already existing FTP user with SSH access.
Connect to your DV server as the root user.
su thatguycd /var/www/vhosts/mt-example.commkdir .sshchmod 700 .sshcd .sshvi authorized_keys2Cut and paste on one line your public ssh key.
It should look similar to the following:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBvo93MZvQS8gtB5+fy8yPT+6SrZfJAA4C4lJYydp/f8KfXTU303xLiTSrXcwDOSUykBi7DVdloOIpZQtQOFJMEwXx+wMWausxp0T5W//pfMfYTg4ZDDQ
wWG4bUAl+l6pFDwQwEtm2KN6C4lyfJNMDNqdtjqw9/HvAfO5xoyceQ==You will want to protect the file and change its owner to the user in question. In this case, it will be 'thatguy.'
chmod 600 authorized_keys2chown thatguy:psacln .sshAdd the private key
Run Pageant.exe.
This application runs in the background. When it loads, it should be displayed in your tray.
Right click the icon and click on "Add Key."
Connect using your SSH key with PuTTY
Open PuTTY and connect as "[email protected]."
Since Pageant.exe has your passphrase stored, you connect without entering your password:
Creating an SSH key in PuTTY
Requirements
- PuTTY
- PuTTYgen
- Pageant
Generate the Key
Run PuTTYgen.exe.
Click "Generate" and move your mouse.
Once the key is generated, enter your key passphrase. Be sure to use a strong password; read our guide here.
Then click 'Save public key' and 'Save private key.'
Select & configure your user
Let's choose a user for which to create the SSH key. In our example, the user is "thatguy" for "mt-example.com." This is an already existing FTP user with SSH access.
Connect to your Grid server as the Server Admin.
mkdir .sshchmod 700 .sshcd .sshvi authorized_keys2Cut and paste on one line your public ssh key.
It should look similar to the following:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBvo93MZvQS8gtB5+fy8yPT+6SrZfJAA4C4lJYy
dp/pf8KfXTU303xLiTSrXcwDOSUykBi7DVdloOIpZQtQOFJMEwXx+wMWausxp0T5W//pfMfZ
YTg4ZDDQwWG4bUAl+l6pFDwQwEtm2KN6C4lyfJNMDNqdtjqw9/HvAfO5xoyceQ==Now protect the file using chmod.
chmod 600 authorized_keys2
Add the private key
Run Pageant.exe.
This application runs in the background. When it loads, it should be displayed in your tray.
Right click the icon and click on "Add Key."
Connect using your SSH key with PuTTY
Open PuTTY and connect as s00000.gridserver.com (Remember to replaces00000 with your site number.)
Since Pageant.exe has your passphrase stored, you connect without entering your password:
Resources
- For more information on OpenSSH and the ssh-keygen command, please see the OpenSSH website.
- Using an SSH Configuration File
