Using SSH keys on your server
READ ME FIRST
This article is provided as a courtesy. Installing, configuring, and troubleshooting SSH keys is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.
An SSH key will let you automatically log into your server from one particular computer without needing to enter your password. This is convenient if you make frequent SSH and scp connections to your server.
You will create an SSH key on your computer, and then configure your server to accept it. This will allow you to automatically log into your server from this computer, without being prompted for your password.
Please do not set up an SSH key on a public or shared computer that does not use individual profiles. This will allow strangers to easily access your server.
- SSH configured for a user on your server:
- SSH on your local computer: this walkthrough is for Linux/Unix computers, including Mac OS X. See the note at the end of this article for extended PuTTY instructions (for Windows computers).
- A previous SSH connection made from this computer. If you haven't ever used this computer to log into another server with SSH, please do so now. A simple login will suffice to generate the correct files on your local computer. See the previous links for instructions.
- This step is run on your remote server.
Grid: Log into your server via SSH with your Server Administrator user and execute the following command:
DV: Make the initial SSH connection as the root user and change to the home directory for the user you are creating the key for, then create the .ssh directory:
cd /path/to/users/directory && mkdir .ssh
- This step is run on your local computer. Generate a key on your local computer, using strong encryption:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -C "Enter an optional comment about your key"
You should receive a prompt similar to the following. Please use a strong password. If you plan on using your key for automated tasks that don't require interaction, such as rsync, you might want to leave this blank:
Enter passphrase (empty for no passphrase)
Once you have entered your password twice, you should see output similar to:
Your identification has been saved in /Users/username/.ssh/id_rsa. Your public key has been saved in /Users/username/.ssh/id_rsa.pub. The key fingerprint is: 60:b5:c1:b7:ee:ab:31:d1:70:d8:03:41:df:0f:08:eb Enter an optional comment about your key The key's randomart image is: +--[ RSA 2048]----+ | .=. | | . B o | | X B o | | o X o o | | E S . | | o | | o . | | + | | ..o. | +-----------------+
- This step is run on your local computer. Make sure your .ssh directory and the files it contains have the correct permissions:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/*
- This step is run on your local computer. Upload your public key to your server. The command below reads the content of the key you just created on your computer, and appends that key to the authorized_keys file on your server. If you don't have an existing authorized_keys file, it creates one. Replace example.com with your domain:
cat ~/.ssh/id_rsa.pub | ssh email@example.com 'cat - >> ~/.ssh/authorized_keys'
- This step is run on your remote server. Make sure you're logged in as the user for whom the key was created. Then, ensure your .ssh directory on the server, and the files it contains, have the correct permissions:
chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/
That's it! You should now be able to log into your server from this computer without being prompted for a password.
On your remote server, run the following:
ls -la ~/.ssh | grep "authorized_keys"
You should see output similar to the following:
-rw------- 1 example.com example.com 398 Jul 15 10:32 authorized_keys
Note that the directory needs to include the file called "authorized_keys" with -rw------- (600) permissions.
Finally, run this command to check the permissions on your .ssh directory:
ls -la ~ | grep ".ssh"
drwx------ 2 example.com example.com 3 Jul 15 10:32 .ssh
You should have a folder called ".ssh" with drwx------ (700) permissions.
If for either of these tests, you get blank output, or a message similar to the following:
ls: /root/.ssh: No such file or directory
Please repeat Steps 1 and 4-5 above.
Creating an SSH key in PuTTY
Generate the Key
Click "Generate" and move your mouse.
Once the key is generated, enter your key passphrase. Be sure to use a strong password; read our guide here.
Then click 'Save public key' and 'Save private key.'
Select & configure your user
Let's choose a user for which to create the SSH key. In our example, the user is "thatguy" for "mt-example.com." This is an already existing FTP user with SSH access.
Connect to your DV server as the root user.
su thatguy cd /var/www/vhosts/mt-example.com mkdir .ssh chmod 700 .ssh cd .ssh vi authorized_keys2
Cut and paste on one line your public ssh key.
It should look similar to the following:
You will want to protect the file and change its owner to the user in question. In this case, it will be 'thatguy.'
chmod 600 authorized_keys2 chown thatguy:psacln .ssh
Add the private key
This application runs in the background. When it loads, it should be displayed in your tray.
Right click the icon and click on "Add Key."
Connect using your SSH key with PuTTY
Open PuTTY and connect as "firstname.lastname@example.org."
Since Pageant.exe has your passphrase stored, you connect without entering your password:
- For more information on OpenSSH and the ssh-keygen command, please see the OpenSSH website.