Adding SSH keys to a server involves a few steps. SSH keys provide a secure way to authenticate and connect to a server without using passwords. Here’s a general guide:
Generate SSH Key Pair (if not already done):
If you don’t have an SSH key pair, you need to generate one. Open a terminal on your local machine and run the following command:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Replace "[email protected]"
with your actual email address. This command will create a new SSH key pair with a 4096-bit RSA key.
In the ssh-keygen
command, the -C
flag is used to associate a comment with the generated key. The comment is typically an informative label or identifier that helps you remember the purpose or owner of the key. In the specific command ssh-keygen -t rsa -b 4096 -C "[email protected]"
, the email address ([email protected]
) is provided as a comment for the generated SSH key.
While the comment is optional, adding a meaningful identifier, such as an email address, can be helpful for managing and identifying different SSH keys, especially if you have multiple keys for different purposes or services. It serves as a reminder of where or why the key was created. Additionally, when you share your public key with others (for example, when adding it to an authorized keys file on a server), having an informative comment can provide context to those who may be managing or reviewing the keys.
Generate SSH Keys without Comment
Alternatively, if you don’t want to use a comment, you can just ignore the -C
flag and run the following command:
ssh-keygen -t rsa -b 4096
This command generates a new RSA key pair with a key length of 4096 bits and does not include a comment. After running this command, you will be prompted to specify the file in which to save the generated key pair. By default, the private key is saved in ~/.ssh/id_rsa
and the public key in ~/.ssh/id_rsa.pub
.
Copy the Public Key to the Server
Use the following command to copy the public key to your server. Replace "your_username"
and "your_server_ip"
with your server’s username and IP address:
ssh-copy-id your_username@your_server_ip
Alternatively, if ssh-copy-id
is not available, you can manually copy the public key to the ~/.ssh/authorized_keys
file on the server. You can use tools like scp
or rsync
for this:
scp ~/.ssh/id_rsa.pub your_username@your_server_ip:~/
ssh your_username@your_server_ip
mkdir -p ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/id_rsa.pub
Set Permissions
Make sure the permissions on the ~/.ssh
directory and the ~/.ssh/authorized_keys
file are secure:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Disable Password Authentication (Optional)
For enhanced security, you can disable password authentication and only allow key-based authentication. Open the SSH server configuration file:
sudo nano /etc/ssh/sshd_config
Find the line PasswordAuthentication
and set its value to no
. Save the file and restart the SSH service:
sudo service ssh restart
How to Connect to SSH Server using Key-based Authentication
If your remote VPS server is already configured to accept incoming SSH connections, all you need is to have the Private key on your local computer to connect.
Your private key should be part of the pair you generated earlier. This key needs to be kept safe without compromising as losing it could prevent you from accessing your server again.
Connect to SSH Server
Use the ssh
command to connect to the SSH server. Replace "your_username"
and "your_server_ip"
with your actual username and server’s IP address:
ssh -i ~/.ssh/id_rsa your_username@your_server_ip
-i
: Specifies the identity file (private key) to use for authentication.~/.ssh/id_rsa
: Path to your private key file.your_username@your_server_ip
: SSH username and server IP address. If you’ve set up your SSH key with a passphrase, you’ll be prompted to enter it.
That’s it! If the private key matches a public key in the authorized_keys
file on the server, you should be able to connect without entering a password. This method provides a more secure and convenient way to authenticate compared to password-based authentication.