SSH keys are a more secure method for authenticating with a Linux server than traditional password authentication. One of the biggest disadvantages of passwords is that they are susceptible to brute-force attacks. When an SSH key is configured correctly, you'll also be able to log into your servers much more easily, without needing to enter a password.
As a user, you can generate a public/private key pair and then place the public half of the key on a remote system. That remote system is then able to authenticate you, or prove that you are really you, and allow you to log in just by having you demonstrate that you have access to the private half of the key pair. This is done at the protocol level inside SSH and all happens automatically.
The steps below demonstrate how to manage your stored SSH keys within our Control Panel so you can automatically add them to new servers that you provision. Existing servers will still need SSH keys to be manually added and updated, with the exception of our Cloud Container platform, which automatically updates new SSH keys.
The first thing you need to do is generate a key pair using the ssh-keygen tool, which should be present on any Unix-based system with OpenSSH installed. This step should be completed on your local computer:
sitehost@sitehost:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sitehost/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sitehost/.ssh/id_rsa.
Your public key has been saved in /home/sitehost/.ssh/id_rsa.pub.
The key fingerprint is:
ad:8a:e5:55:03:ec:01:5a:7f:83:4c:1f:c2:43:8d:8b sitehost@sitehost
The key's randomart image is:
+--[ RSA 2048]----+
| o oo..+ |
|.= o . o . |
|+.= . o . |
|oo o . o + |
|..o . o S . |
| . . . . . |
| . |
| . |
| E |
+-----------------+
In the above step, ssh-keygen will have generated your public key and placed it in a file named id_rsa.pub at the location specified. If you examine the contents of this file, you'll see that it's just a big block of numbers and letters. You'll need to select the entire contents of this file and copy it to your clipboard so that it can be pasted into the SiteHost Control Panel.
sitehost@sitehost:~$ cat /home/sitehost/.ssh/id_rsa.pub
ssh-rsa <base64-encoded public key data> sitehost@sitehost
Once you have logged into the SiteHost Control Panel, navigate to the 'SSH Keys' module using the left menu and click 'Add SSH Key' to add a new SSH key to your account. You can now paste the contents of your public key file into the dialog that appears and click the add button. You should now see your SSH key listed. The fingerprint can be used to verify the key and should match the one you received from ssh-keygen in the first step.
When provisioning a server, you will now see a list of your SSH keys. Each SSH key that you tick will be automatically deployed onto the newly provisioned server.
Once you have ensured that you are able to log in using your SSH key, you may wish to go ahead and restrict login for the root user to only be permitted via an SSH key.
On your server, edit the OpenSSH daemon configuration in a plain text editor of your choice, for example using vim:
vim /etc/ssh/sshd_config
Locate the line for the 'PermitRootLogin' option and modify it to ensure that users can only connect with their SSH key:
PermitRootLogin without-password
Alternatively, you may wish to disable password authentication for all users by modifying the 'PasswordAuthentication' option:
PasswordAuthentication no
Save any changes to the configuration file and then reload SSH to put changes into effect:
service ssh reload
We recommend starting a new SSH session to your server before terminating your current session to ensure that the configuration changes made above haven't locked you out.
Disabling password authentication for the root user will not affect your ability to log in using a password via the Console feature in our Control Panel.
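The following script is an added example, not part of SiteHost's documentation. sshd uses the first value it reads for each keyword, so an edit placed below an existing 'PermitRootLogin yes' line has no effect; the script reports which value wins in a constructed sample file. The function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SiteHost's code). sshd keeps the FIRST value it reads for
# each keyword, so this reports what is in effect rather than what was added last.
# Limitation: only the global section of one file is read; Include and Match
# are not followed.

# effective_value FILE KEYWORD: print the first uncommented global value, lowercased.
effective_value() {
    awk -v want="$2" '
        BEGIN { FS = "[ \t=]+"; want = tolower(want) }
        { sub(/^[ \t]+/, "") }              # drop indentation; awk re-splits fields
        /^(#|$)/ { next }                   # commented-out or blank line: ignored
        tolower($1) == "match" { exit }     # Match blocks end the global section
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# root_password_blocked FILE: succeed only if the file explicitly stops root
# logging in with a password, by either of the two options in the article.
# An unset keyword counts as "not blocked" (assumption: defaults vary by version).
root_password_blocked() {
    root=$(effective_value "$1" PermitRootLogin)
    pass=$(effective_value "$1" PasswordAuthentication)
    case "$root" in
        # prohibit-password is the current name; without-password is the older alias
        without-password|prohibit-password|forced-commands-only|no) return 0 ;;
    esac
    [ "$pass" = "no" ]
}

# Constructed sample: the edit was appended, but an earlier line already set "yes".
write_sample() {
    cat > "$1" <<'EOF'
#PermitRootLogin without-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin without-password
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "PermitRootLogin in effect: $(effective_value "$sample" PermitRootLogin)"
if root_password_blocked "$sample"; then echo "root password login blocked"
else echo "root can still log in with a password"; fi
rm -f "$sample"
```

On the server itself, 'sshd -t' checks the configuration file for errors before you reload, and 'sshd -T' prints the configuration sshd will actually use.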