How To Use SSH Keys with DigitalOcean Droplets
Background
Note: This guide is for Mac OS X and Linux users. If you are using Windows on your home computer, follow this guide instead.
Usually, when you spin up your DigitalOcean droplets, you get an email as soon as the process completes, letting you know the droplet's IP address and password. Although this email is very convenient, there is a more secure (and faster) way of gaining access to your server without the need for email: setting up SSH keys.
SSH keys are a key pair made between your computer and the server: the server allows the connection if it sees the matching key on the machine from which you are logging in. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. You can create new DigitalOcean droplets with an SSH key already set up on them by adding your computer's SSH key to the control panel.
Step One—Create the RSA Key Pair
The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):
ssh-keygen -t rsa
Step Two—Store the Keys and Passphrase
Once you have entered the ssh-keygen command, you will get a few more questions:
Enter file in which to save the key (/demo/.ssh/id_rsa):
You can press Enter here, saving the file to the user home (in this case, my example user is called demo).
Enter passphrase (empty for no passphrase):
It's up to you whether you want to use a passphrase. The entire key generation process looks like this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/demo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /demo/.ssh/id_rsa.
Your public key has been saved in /demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
|       .oo.      |
|       . o.E     |
|      + . o      |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|    . o + o .    |
|       . o       |
|                 |
+-----------------+
The public key is now located in /demo/.ssh/id_rsa.pub. The private key (identification) is now located in /demo/.ssh/id_rsa.
Step Three—Copy the SSH Keys
Note: If you would like to use the DigitalOcean API to add new SSH keys to your account, please refer to the API Documentation. Otherwise, continue reading.
Once you have your SSH key set up, it is time to copy it into your control panel. Open the SSH Page and click on the Create a New SSH Key button.
A popup should appear.
For the section labeled "Name", write in the name of the machine that you created the key pair on (e.g. "Home Computer").
For the section labeled "Public SSH Key", copy and paste the public key that you created in Step 2.
You can usually get this key by copying the results of:
cat ~/.ssh/id_rsa.pub
Click on Save.
Step Four—Spin Up a New Server
The previous steps have explained how to set up a server with pre-installed SSH keys. You cannot, however, use the control panel to add keys to already created droplets. In order to add additional keys to pre-existing droplets, you can paste in the keys using SSH:
cat ~/.ssh/id_rsa.pub | ssh root@[your.ip.address.here] "cat >> ~/.ssh/authorized_keys"
When actually spinning up a new server, select the keys that you would like installed on your server from the "Create a Droplet" screen. You can select as many keys as you like:
[Screenshot: SSH key shortcut]
Once you click on the SSH key, the text saying, "Your root password will be emailed to you" will disappear, and you will not receive an email confirmation that your server has been created.
Step Five—Connect to your Server
After you have created your server with the SSH keys pre-installed, you can connect to it the same way as before:
ssh root@[your.ip.address.here]
However, now when you connect from a machine that shares the key pair, there will be no need to enter a password to log into the root user.
Host Key Warning
If you happened to destroy a droplet directly prior to creating the one that you are connecting to, you may see a message like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
...
If this is the case, your new droplet probably has the same IP address as the old, destroyed droplet, but a different host SSH key. This is fine, and you can remove the warning by deleting the old droplet's host key from your system with this command:
ssh-keygen -R [your.ip.address.here]
Now try connecting to your server again.
Step Six—Lock Down Root SSH Access to Keys Only
After you have confirmed that you can now log in as root to the server without being prompted for a password, you can disable password logins for root. This makes your server more secure, since no one can brute force your SSH password.
It's necessary to edit the server's sshd configuration file, /etc/ssh/sshd_config, and update the following line to read:
PermitRootLogin without-password
Now it's necessary to restart or rehup the sshd process to have it re-read the new configuration. This can be done via the following:
# ps auxw | grep ssh
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       681  0.0  0.1  49948  2332 ?        Ss   2012    3:23 /usr/sbin/sshd -D
# kill -HUP 681
Now your server's root login is protected. You can test this by trying to SSH directly as root to this server from a system that doesn't have its keys shared: you will be automatically kicked out without being prompted for a root password.
By Etel Sverdlov