SSH delivers a secure channel over an unsecured network in a client-server architecture, connecting an SSH client with an SSH server. Creating an SSH key set provides you with a public and a private key. You can place the public key on any server, and then unlock that server by connecting to it from a client that holds the matching private key. When the public and private keys match up, the system unlocks without the need for a password.
Information security starts with controlling access to systems and data. No control over access means no security, no privacy, and no reliability.
Note: SSH keys created before November 7th, 2018 work solely for US data centers. To use a key viable for all data centers, create a new key.
Topics
- Creating SSH Keys
- Adding SSH Keys to Your Server
- Adding Additional Authorized Keys to Your Server
- Removing Authorized Keys from Your Server
- Storing Your Public Keys in the OVHcloud Manager
Creating SSH Keys
On your Mac or Linux machine, open Terminal.
Note: If you are using a Windows OS to SSH into a server, you will need to download third-party software as Windows does not allow SSH by default.
Verify that you have a .ssh folder in your $HOME directory. If the folder does not exist, create it:
$ mkdir ~/.ssh
Change your working directory to the .ssh directory and use the following command to generate an ED25519 SSH key pair:
$ ssh-keygen -t ed25519 -a 256
The "-t" option in this command tells ssh-keygen which key type (algorithm) to use for the SSH key. If you would like to use a different key type, replace "ed25519" with whichever type you choose. The "-a 256" option sets the number of key derivation rounds used to protect the private key file when it is saved with a passphrase.
Note: If you would like to store an SSH key in the OVHcloud Manager, you will only be able to use ED25519, RSA, or ECDSA keys. Additionally, if you would like to store an SSH key in the Public Cloud section of the Manager, you will only be able to use RSA or ECDSA keys.
You will be prompted to enter a passphrase to password-protect your SSH key. This is entirely optional but recommended for added security. Your SSH keys will be created and stored in the .ssh directory. In order to read your public key, use the following command and copy the output:
$ cat ~/.ssh/id_ed25519.pub
Now that you have created your SSH key pair, use the next section to tell your server that it can authenticate the public key you have just created.
Adding SSH Keys to Your Server
Navigate to your $HOME directory and look for a .ssh directory. If one does not already exist, create it by entering the following:
$ mkdir ~/.ssh
Create a file to store your authorized keys. To do this, navigate to the .ssh directory that you just created and open a file with the name authorized_keys in a text editor of your choice (we'll use vim) with the following command:
$ sudo vi ~/.ssh/authorized_keys
Copy and paste the public key which you created in the previous section into this new text file. Save the file and exit the text editor. Restart your server or restart OpenSSH using the following command:
$ sudo systemctl restart sshd
To test that your key has been set up properly, attempt to access your server via SSH using the following command, remembering to replace "IP_ADDRESSorHOSTNAME" with the IP address or hostname of the server you are trying to access:
$ ssh user@IP_ADDRESSorHOSTNAME
Adding Additional Authorized Keys to Your Server
To add additional authorized SSH keys for additional users, follow this article again using the new user's $HOME directory to create that user's unique key.
Removing Authorized Keys from Your Server
Remove the key which corresponds to that user from your authorized_keys file. Upon removing the key, save the file and exit the text editor.
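The add and remove steps from the two sections above can also be scripted. The following is an added example, not OVHcloud's or OpenSSH's own code: the function names are assumptions, and it goes slightly beyond the manual steps by skipping keys that are already present, accepting only the ED25519, RSA and ECDSA key types named in this article, and restricting the directory and file to their owner.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of OpenSSH.

# Accept only the key types this article names: ED25519, RSA, ECDSA.
key_type_ok() {
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the base64 key data (second field) of a "TYPE BLOB [COMMENT]" line.
key_blob() {
    rest=${1#* }
    printf '%s\n' "${rest%% *}"
}

# Succeed if any line of FILE carries BLOB as a whole field.
has_key() {
    awk -v b="$2" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$1"
}

# add_authorized_key FILE "TYPE BLOB [COMMENT]": append once, owner-only perms.
add_authorized_key() {
    file=$1 line=$2
    type=${line%% *}
    blob=$(key_blob "$line")
    key_type_ok "$type" || { echo "unsupported key type: $type" >&2; return 1; }
    [ "$blob" != "$type" ] || { echo "missing key data" >&2; return 1; }
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    has_key "$file" "$blob" && return 0      # already authorized: no duplicate
    printf '%s\n' "$line" >> "$file"
}

# remove_authorized_key FILE "TYPE BLOB [COMMENT]": drop every line with BLOB.
remove_authorized_key() {
    file=$1
    blob=$(key_blob "$2")
    [ -f "$file" ] || return 0
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v b="$blob" '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == b) keep = 0 } keep' \
        "$file" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$file"
}
```

After sourcing the file, pass the path to the authorized_keys file and the full public key line, for example the output of the cat command from the first section.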
Storing Your Public Keys in the OVHcloud Manager
The OVHcloud Manager allows you to store any public key you create as long as those keys use one of the following key types: ED25519, RSA, or ECDSA.
To store your keys in the OVHcloud Manager, log in to the OVHcloud Manager and click on your initials in the circle in the top-right corner of the screen. Then, on the left-hand sidebar, click My services.
Next, click Add an SSH key and choose the service to which you wish to attach it.
Note: Any keys saved in the "Dedicated" section will be usable for VPS and Dedicated Servers.
Afterwards, you will see the following popup window:
Note: Once a default key is set, it will also be used as the means of connection when a server is in rescue mode. To receive a password instead, the default key must be disabled before rebooting the server in rescue mode.
Enter an SSH Key name of your choice in the "ID" field. Copy and paste the full SSH public key in the "Key" field. Note that in order to store your key, you will need to specify your identifier after the pasted key. This is a requirement of the OVHcloud Manager. See the example format above. Click Confirm to store your public key.
Conclusion
SSH key pairs are important for ensuring the security of your server. While the steps you took using this article should be sufficient for most use cases, it is worth noting that OpenSSH can be configured to be more secure if that extra security is needed. Whatever your security needs are, they are too important to go without the strong layer of security that SSH keys provide.