Add SSH Key to Server: A Comprehensive Guide for Enhanced Security

Updated on February 7, 2025

Justin Ellingwood, Brian Boucheron, and Anish Singh Walia

English

Introduction to SSH Keys and Server Security

Secure Shell (SSH) is the backbone of secure server administration, providing an encrypted channel for communication. For Linux server management, SSH is indispensable, and understanding how to enhance its security is paramount. While password authentication is the most basic method to access your server, it’s also the most vulnerable. This guide will delve into a more robust and secure method: adding SSH keys to your server.

SSH keys offer a significantly more secure alternative to passwords, becoming the recommended standard for safeguarding your server access. This tutorial provides a step-by-step walkthrough on how to create SSH keys and implement them on your Linux server, bolstering your server’s defenses against unauthorized access.

Simplify your server management and application deployment with robust security. Explore solutions like DigitalOcean App Platform for streamlined, secure deployments directly from your GitHub repositories.

Understanding How SSH Keys Work for Server Authentication

SSH keys operate on the principles of public-key cryptography, offering a more secure authentication process compared to traditional passwords. Password authentication, while seemingly straightforward, is susceptible to brute-force attacks and password compromise. Even with security measures like fail2ban, SSH keys provide a superior layer of security.

SSH key authentication relies on a pair of keys: a private key and a public key. These keys are cryptographically linked but serve distinct purposes.

The private key is your secret, stored securely on your local machine. It’s crucial to protect your private key rigorously, as its compromise grants unauthorized access to your servers. For enhanced security, private keys can be encrypted with a passphrase.

The public key, on the other hand, can be freely distributed. It’s designed to encrypt messages that only the corresponding private key can decrypt. In SSH authentication, the public key is placed on the server, enabling the server to verify the client’s identity based on possession of the private key.

To enable SSH key authentication, the public key must be uploaded to the ~/.ssh/authorized_keys file within the user account on your server. When you attempt to connect via SSH using keys, the server challenges your client to prove ownership of the private key corresponding to the uploaded public key. Successful verification grants you access to a shell session or executes the command you requested, all without the need for passwords.

Step 1 — Generating Your SSH Key Pair

The first step in adding SSH key authentication to your server involves generating an SSH key pair on your local machine. This is accomplished using the ssh-keygen utility, a standard tool in the OpenSSH suite. By default, ssh-keygen generates a 3072-bit RSA key pair, providing a strong level of security.

Open your terminal on your local computer and execute the following command:

ssh-keygen

<div title="Output">Output</div>Generating public/private rsa key pair. Enter <span>file</span> <span>in</span> <span>which</span> to save the key <span>(</span>/home/<mark>username</mark>/.ssh/id_rsa<span>)</span>:

You will be prompted to specify a location for saving the generated keys. The default location, ~/.ssh directory within your user’s home directory, is generally recommended. This default ensures that your SSH client automatically detects your keys during authentication attempts. The private key will be named id_rsa, and the public key will be id_rsa.pub.

Press ENTER to accept the default location, or specify a custom path if you prefer a non-standard location.

If you have previously generated SSH keys, you might encounter a prompt asking whether to overwrite existing keys:

<div title="Output">Output</div>/home/<mark>username</mark>/.ssh/id_rsa already exists. Overwrite <span>(</span>y/n<span>)</span>?

Be cautious when choosing to overwrite, as this action is irreversible and will invalidate your previous key pair. Select ‘yes’ only if you are certain you want to replace your existing keys.

<div title="Output">Output</div>Created directory <span>'/home/<mark>username</mark>/.ssh'</span><span>.</span> Enter passphrase <span>(</span>empty <span>for</span> no passphrase<span>)</span>: Enter same passphrase again:

Next, you’ll be prompted to enter a passphrase. This passphrase serves as an extra layer of security, encrypting your private key on disk. While optional, a passphrase is highly recommended to protect your private key from unauthorized use, especially if your local system security is compromised.

Even with a passphrase, SSH keys offer significant security advantages:

• Private Key Protection: Your private SSH key is never transmitted over the network. The passphrase is used solely to decrypt the key locally, preventing network-based brute-force attacks on your passphrase.
• Restricted Access: Private keys are stored in restricted directories with tight permissions (read/write for the owner only). This prevents other users on your system from accessing your private key.
• Defense Against System Compromise: If an attacker gains access to your local system, the passphrase provides a crucial delay, potentially allowing you to revoke the compromised key and issue a new one before they can access your servers.

If you choose to set a passphrase, you will be required to enter it each time you use the key, unless you utilize SSH agent software to manage your decrypted keys. For enhanced security, it’s advisable to use a strong passphrase. However, if convenience is prioritized, you can bypass the passphrase prompt by pressing ENTER.

<div title="Output">Output</div>Your identification has been saved <span>in</span> /home/<mark>username</mark>/.ssh/id_rsa. Your public key has been saved <span>in</span> /home/<mark>username</mark>/.ssh/id_rsa.pub. The key fingerprint is: SHA256:CAjsV9M/tt5skazroTc1ZRGCBz+kGtYUIPhRvvZJYBs <mark>username</mark>@<mark>hostname</mark> The key's randomart image is: +---<span>[</span>RSA <span>3072</span><span>]</span>----+ <span>|</span>o <span>..</span>oo.++o <span>..</span> <span>|</span> <span>|</span> o o +o.o.+<span>..</span>. <span>|</span> <span>|</span><span>.</span> <span>.</span> + oE.o.o <span>.</span> <span>|</span> <span>|</span> <span>.</span> <span>.</span> oo.B+ .o <span>|</span> <span>|</span> <span>.</span> .<span>=</span>S.+ + <span>|</span> <span>|</span> <span>.</span> o<span>..</span>* <span>|</span> <span>|</span> .<span>+=</span> o <span>|</span> <span>|</span> .<span>=</span>.+ <span>|</span> <span>|</span> .oo+ <span>|</span> +----<span>[</span>SHA256<span>]</span>-----+

You now possess a public and private key pair ready for SSH authentication. The next crucial step is to upload your public key to your server.

Generating an SSH key pair using the ssh-keygen command in a Linux terminal.

Step 2 — Uploading Your SSH Public Key to the Server

Note: For DigitalOcean users, instructions for adding SSH public keys to your DigitalOcean account are available in the SSH Keys section of DigitalOcean product documentation.

There are several methods to transfer your public key to your remote server. The most suitable method depends on your current access and available tools. We’ll cover three methods, starting with the simplest and most automated, ssh-copy-id, followed by SSH method and manual copy for scenarios where ssh-copy-id isn’t available or password-based SSH is not enabled yet.

Method 1: Using ssh-copy-id for Public Key Transfer

The ssh-copy-id utility is the easiest and most recommended method for copying your public key to a server, provided it’s available on your local system and you have password-based SSH access to your server. It’s often included in OpenSSH packages in many Linux distributions.

To use ssh-copy-id, you need to specify the remote host and the user account you wish to access. This is the account where your public key will be installed.

The command syntax is:

ssh-copy-id <mark>username</mark>@<mark>remote_host</mark>

Upon execution, you might see a host authenticity prompt:

<div title="Output">Output</div>The authenticity of <span>host</span> <span>'203.0.113.1 (203.0.113.1)'</span> can't be established. ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe. Are you sure you want to <span>continue</span> connecting <span>(</span>yes/no<span>)</span>? <span>yes</span>

This prompt appears when connecting to a new host for the first time. Type yes and press ENTER to proceed.

ssh-copy-id will then scan your local account for the id_rsa.pub key and prompt you for the password of the remote user account:

<div title="Output">Output</div>/usr/bin/ssh-copy-id: INFO: attempting to log <span>in</span> with the new key<span>(</span>s<span>)</span>, to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: <span>1</span> key<span>(</span>s<span>)</span> remain to be installed -- <span>if</span> you are prompted now it is to <span>install</span> the new keys <mark>username</mark>@<mark>203.0.113.1</mark>'s password:

Enter the password for the remote user (your input will be hidden) and press ENTER. The utility will establish an SSH connection using password authentication and copy the contents of your ~/.ssh/id_rsa.pub file to the ~/.ssh/authorized_keys file on the remote server.

Successful execution will display an output similar to:

<div title="Output">Output</div>Number of key<span>(</span>s<span>)</span> added: <span>1</span> Now try logging into the machine, with: <span>"ssh '<mark>username</mark>@<mark>203.0.113.1</mark>'"</span> and check to <span>make</span> sure that only the key<span>(</span>s<span>)</span> you wanted were added.

Your public key is now successfully uploaded, and you can proceed to the next step.

Method 2: Using SSH to Copy Your Public Key

If ssh-copy-id is not available, but you have password-based SSH access, you can use a standard SSH command to upload your public key. This method involves piping the content of your public key file over SSH and appending it to the authorized_keys file on the remote server.

The command is as follows:

<span>cat</span> ~/.ssh/id_rsa.pub <span>|</span> <span>ssh</span> <mark>username</mark>@<mark>remote_host</mark> <span>"mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"</span>

Similar to ssh-copy-id, you might encounter the host authenticity prompt for new hosts. Type yes and press ENTER to continue.

You will then be prompted for the remote user’s password:

<div title="Output">Output</div><mark>username</mark>@<mark>203.0.113.1</mark>'s password:

After entering the password, the content of your public key will be appended to the authorized_keys file on the remote server.

Method 3: Manual Public Key Copy

In situations where password-based SSH access is unavailable, or you prefer a manual approach, you can copy your public key manually. This involves retrieving the content of your public key file and manually adding it to the authorized_keys file on the remote server.

First, display the content of your public key file on your local machine using:

<span>cat</span> ~/.ssh/id_rsa.pub

This will output the public key, which looks similar to:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ<span>==</span> username@hostname

Access your remote server through any available method, such as a web-based console provided by your hosting provider.

Note: DigitalOcean Droplet users can utilize the Recovery Console for server access in such cases.

Once logged into your server, ensure the ~/.ssh directory exists. Create it if necessary using:

<span>mkdir</span> <span>-p</span> ~/.ssh

Then, create or append to the authorized_keys file within the ~/.ssh directory. Use the following command, replacing <mark>public_key_string</mark> with the output from the cat ~/.ssh/id_rsa.pub command you ran earlier:

<span>echo</span> <mark>public_key_string</mark> <span>>></span> ~/.ssh/authorized_keys

After successfully adding your public key using any of these methods, proceed to test your SSH key authentication.

Illustrating the process of copying an SSH public key to a remote server.

Step 3 — Authenticating to Your Server with SSH Keys

After uploading your public key, you should be able to log in to your server using SSH keys instead of passwords.

Attempt to connect to your server using the standard SSH command:

<span>ssh</span> <mark>username</mark>@<mark>remote_host</mark>

If this is your first connection using keys, you might see the host authenticity verification prompt again. Type yes and press ENTER.

If you did not set a passphrase for your private key, you will be logged in immediately. If you used a passphrase, you will be prompted to enter it. Upon successful authentication, you’ll gain access to a shell session on your server.

If you successfully logged in without a password, SSH key authentication is properly configured. For enhanced security, proceed to disable password authentication.

Step 4 — Disabling Password Authentication for Enhanced Security

With SSH key authentication successfully configured, disabling password authentication further strengthens your server’s security by eliminating a major attack vector – brute-force password attacks.

Important: Before disabling password authentication, ensure you have SSH key-based authentication working for the root account or an account with sudo privileges. Losing password-based login without working key-based login can lock you out of your server.

Once you’ve verified key-based login, log in to your server via SSH keys as root or a sudo-enabled user. Open the SSH daemon configuration file:

<span>sudo</span> <span>nano</span> /etc/ssh/sshd_config

Within the file, locate the PasswordAuthentication directive. It might be commented out (preceded by #). Uncomment the line by removing # and set its value to no:

/etc/ssh/sshd_config

PasswordAuthentication no

Save the file and exit the editor. To apply these changes, restart the SSH service:

<span>sudo</span> systemctl restart <span>ssh</span>

Password authentication is now disabled, and your server will only accept SSH key-based logins, significantly improving its security posture.

Utilizing Hardware Security Modules (HSMs) for SSH Key Storage

For organizations requiring the highest levels of security, Hardware Security Modules (HSMs) provide an additional layer of protection for SSH keys. HSMs are tamper-resistant hardware devices that store private keys securely, preventing them from being exposed even if the server is compromised.

Implementing HSMs for SSH Authentication

1. HSM Compatibility Check: Verify that your HSM supports SSH authentication and PKCS#11 standards.

2. PKCS#11 Module: Load your HSM with a compatible PKCS#11 module. PKCS#11 facilitates secure access to cryptographic tokens like HSMs.

3. Generate Key on HSM: Generate the SSH key directly on the HSM instead of using ssh-keygen locally:

   ssh-keygen <span>-D</span> /usr/lib/opensc-pkcs11.so <span>-s</span> user-hsm-key

4. Extract Public Key: Extract the public key from the HSM:

   ssh-keygen <span>-D</span> /usr/lib/opensc-pkcs11.so <span>-e</span> <span>></span> ~/.ssh/id_hsm.pub

   Add id_hsm.pub to the authorized_keys file on your server.

5. Configure SSH for HSM: Add the following to your SSH configuration file ~/.ssh/config:

   Host * IdentityAgent /run/user/1000/gnupg/S.gpg-agent.ssh

   SSH will now utilize the hardware-backed key for authentication.

Advantages of HSMs for SSH Key Management

• Superior Security: Private keys remain within the HSM, never exposed in software.
• Theft Protection: Keys are secure even if the system is physically stolen or compromised.
• Compliance Readiness: HSMs aid in meeting stringent security compliance standards in regulated sectors.

Frequently Asked Questions (FAQs)

1. How do I generate an SSH key on Linux?

Use the ssh-keygen command in your Linux terminal. The following command generates a 4096-bit RSA key pair with an email identifier:

ssh-keygen <span>-t</span> rsa <span>-b</span> <span>4096</span> <span>-C</span> <span>"[email protected]"</span>

For a detailed guide, refer to How To Set Up SSH Keys.

2. What is ssh-keygen in Linux environments?

ssh-keygen is a command-line utility for creating, managing, and converting SSH keys, essential for secure remote access. Learn more in How to Create SSH Keys with OpenSSH on macOS or Linux.

3. How to generate an SSH-2 RSA key on Linux systems?

SSH-2 is the current standard for SSH. Generate an SSH-2 RSA key using:

ssh-keygen <span>-t</span> rsa <span>-b</span> <span>4096</span>

For more details on adding SSH keys, consult How to Add SSH Keys.

4. What constitutes a valid SSH key?

A valid SSH key should:

• Employ strong key types like RSA (4096-bit) or Ed25519.
• Ensure secure storage and protection of the private key.
• Utilize a passphrase for enhanced security.
• Avoid weak algorithms like DSA.

For in-depth information on SSH security, see Understanding the SSH Encryption and Connection Process.

5. How to generate an SSH key directly from the terminal?

Execute the command:

ssh-keygen

This generates a public and private key pair, typically stored in ~/.ssh/.

6. How is a private key generated?

The ssh-keygen command automatically generates the private key alongside the public key. The private key is usually located at ~/.ssh/id_rsa or ~/.ssh/id_ed25519 for newer standards. Protect this file and never share it.

7. What distinguishes public and private SSH keys?

Key Type	Description	Usage
Public Key	Used for encryption; shareable.	Authenticates users to the server.
Private Key	Used for decryption; must be kept secret.	Decrypts data encrypted with the corresponding public key.

8. How can password authentication be disabled on a Linux server?

Improve security by disabling password authentication. Edit the SSH configuration file:

<span>sudo</span> <span>nano</span> /etc/ssh/sshd_config

Modify the line:

PasswordAuthentication <mark><span>yes</span></mark>

To:

PasswordAuthentication <mark>no</mark>

Then restart SSH:

<span>sudo</span> systemctl restart <span>ssh</span>

For detailed instructions, see How to Create SSH Keys with OpenSSH on macOS or Linux.

Conclusion: Secure Your Server with SSH Keys

You have now successfully configured SSH key-based authentication on your server, enabling password-less logins and significantly enhancing your server’s security. Expanding your SSH knowledge can further improve your server management skills. Explore our SSH essentials guide to delve deeper into working with SSH.

Adding SSH Keys to your DigitalOcean virtual machines is streamlined and simple, whether for new or existing instances.

Learn more here

About the author(s)

Justin Ellingwood

See author profile

Brian Boucheron

See author profile

Category: Tutorial

Tags: Linux Basics, Security, System Tools, Getting Started

Share to X (Twitter)Share to FacebookShare to LinkedInShare to YCombinator

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?

Share to X (Twitter)Share to FacebookShare to LinkedInShare to YCombinator

This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License.