Learn how to create and manage authentication key pairs on your local device and use them to connect to Public Cloud instances.
The SSH protocol enables a secure channel over public networks in a client-server architecture. Key pairs can be used to authenticate these SSH connections between two trusted hosts, for example a desktop client and a remote server.
A key pair consists of a public key that can be shared and a private key that remains secret. Placed on a server, the public key allows any client that has the corresponding private key to connect to it without the need to enter a password.
This is usually the best compromise between security and convenience and the default for Public Cloud instances.
Requirements
- A Public Cloud project in your OVHcloud account
- A remote connection client application compatible with the OpenSSH protocol
This guide is not applicable for standard Windows Server installations since they rely on the Remote Desktop Protocol (RDP) for connections.
You can find more information in our create a Public Cloud instance guide.
Instructions
Creating key pairs for OpenSSH connections
The following instructions will explain how to create and manage key pairs for remote connections with OpenSSH from the command line. Most current operating systems include this feature without needing to install additional software.
If you prefer a graphical user interface, you can find many software applications for every type of OS that enable you to connect to remote hosts via the OpenSSH protocol.
For example, PuTTY is an open-source SSH client software with many useful features. Find out how to use it for connections to OVHcloud servers and instances in our detailed tutorial, How to use PuTTY.
If you receive error messages when trying to connect, ensure you are using the correct parameters and login details and that your system and the installed applications are properly updated. If you receive a warning message of the type REMOTE HOST IDENTIFICATION HAS CHANGED, consult our SSH introduction page.
How to configure key pairs from a GNU/Linux distribution or MacOS
Open the command line application (Terminal).
Verify that you have a folder named .ssh in your $HOME directory. If the folder does not exist, create it:
Use the command ssh-keygen to create a key pair. The option -t allows you to specify the key type (encryption method).
Ed25519 is considered the most secure but RSA is a valid alternative. Both methods are compatible with the OVHcloud Control Panel.
Examples:
The next prompt allows you to name the newly created key or use the standard file name:
If you confirm with Enter without entering a name, the standard file name will be used (id_rsa in this example).
If you plan to use more than one key pair in the future, enter an individual file name to identify the key. You can find more information about this below in the Managing multiple authentication keys on your local device section.
The example outputs below will keep using the standard file names id_rsa and id_rsa.pub for illustration purposes.
You can protect your SSH key with a passphrase at the next prompt. This is recommended for added security.
NOTE: Remote access to your instance is only as secure as the client device storing the private key. Protecting your device and files from unauthorized access is therefore crucial when using SSH keys.
For increased convenience and security, store passphrases in a password manager on your device, such as the open-source solution KeePass.
All SSH keys should be stored in the .ssh directory. The public key files will have .pub added to the filename.
To view and export your public key, use the command cat on your .pub key file or open it with a text editor.
Copy this key string to add it to a new instance or to import it into the OVHcloud Control Panel.
In a MacOS Terminal you can use the commands pbcopy and pbpaste to handle key strings faster. For example, use this command to copy the key from the file id_rsa.pub to the clipboard:
pbcopy < ~/.ssh/id_rsa.pub
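The key creation steps above as a script, added here as an example and not taken from the OVHcloud guide: it creates the key directory, generates an Ed25519 key pair, and checks that no private key is accessible to other users. The file name id_ed25519 and the directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not OVHcloud's own commands. The key name "id_ed25519"
# and the directory argument are assumptions for illustration.

# Create the key directory with owner-only access.
prepare_ssh_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Generate an Ed25519 key pair in directory $1 with file name $2.
# Without a third argument ssh-keygen prompts for the passphrase, which
# keeps it out of the shell history and the process list.
make_keypair() {
    prepare_ssh_dir "$1" || return 1
    if [ "$#" -ge 3 ]; then
        ssh-keygen -q -t ed25519 -f "$1/$2" -N "$3"
    else
        ssh-keygen -t ed25519 -f "$1/$2"
    fi
}

# The OpenSSH client ignores a private key that group or others can
# access. For every public key in $1, check its private counterpart.
# Returns 0 when all private keys are owner-only, 1 otherwise.
check_key_perms() {
    bad=0
    for pub in "$1"/*.pub; do
        key=${pub%.pub}
        [ -f "$key" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        mode=$(ls -ld "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "too open: $key ($mode), fix with: chmod 600 $key"
            bad=1
        fi
    done
    return "$bad"
}

# Typical use on your own device:
#   make_keypair "$HOME/.ssh" id_ed25519         # prompts for a passphrase
#   ssh-keygen -lf "$HOME/.ssh/id_ed25519.pub"   # print the key fingerprint
#   cat "$HOME/.ssh/id_ed25519.pub"              # public key string to copy
#   check_key_perms "$HOME/.ssh"
```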
Managing multiple SSH keys on your local device
You might want to use multiple SSH key pairs to connect to different remote hosts or local network devices.
Since all keys should be placed in the folder .ssh of your user's home directory, the file names have to be different. When you create a new key pair and you are asked to provide a file name, enter a name of your choice, for example the name of your instance.
Example output:
When connecting to the corresponding server, specify the name of the private key file in addition to the user and server details:
Example:
Using the "config" file
The alternative to adding the option -i each time is to edit a file named config inside the folder ~/.ssh. You can use it to configure details for different connections (username, port, key file, optional parameters, etc.).
If this file exists inside .ssh, it probably contains some information already. Depending on your working environment, consider creating a backup copy of the original first.
Example output of listing the .ssh folder content:
The config file allows you to store multiple SSH connections along with their individual parameters, in addition to standard values. Using the full potential of this file can become complex since it is most useful for experienced users managing multiple servers.
Following is a simple example to explain how to configure an SSH connection to an instance.
Open the file and add the following lines at the top:
Be sure to use the correct IP address and key file name. The first line, beginning with Host, defines the name of this connection (instance in this example).
You can then log in to the instance by replacing the instance IP address with the alias name identifying this connection as Host:
Example output:
Only the instance IP and the key file were specified in the previous example but more details can be added.
To configure an SSH connection to a second remote host with the username "rocky", the modified SSH port "49160" and the private key in the file "myserver_rsa", extend the file content as shown in this example:
You can then connect to this server by entering:
Consult the corresponding man page for more information about the config file.
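The two connections described in this section as a config file, with a check of what ssh resolves for each alias. This is an added example, not the guide's own file: the IP addresses are placeholders from the documentation range 203.0.113.0/24, and the alias myserver, the key file name instance_key and the IdentitiesOnly setting are assumptions.

```shell
#!/bin/sh
# Added example, not OVHcloud's own file. IP addresses are placeholders
# (203.0.113.0/24); "myserver", "instance_key" and IdentitiesOnly are
# assumptions. Write to a scratch path first, not over an existing config.

write_ssh_config() {
    cat > "$1" <<'EOF'
# First connection: only the instance IP and the key file are set.
Host instance
    HostName 203.0.113.10
    IdentityFile ~/.ssh/instance_key
    # Offer only the key named here, not every key loaded in the agent.
    IdentitiesOnly yes

# Second connection: user "rocky", SSH port 49160, key "myserver_rsa".
Host myserver
    HostName 203.0.113.20
    User rocky
    Port 49160
    IdentityFile ~/.ssh/myserver_rsa
    IdentitiesOnly yes
EOF
    chmod 600 "$1"
}

# List the aliases defined in a config file, one per line.
list_aliases() {
    awk 'tolower($1) == "host" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print the value ssh would use for one option when connecting to an
# alias. "ssh -G" prints the resolved configuration with lowercase
# option names and exits without opening a connection.
resolved_option() {
    ssh -F "$1" -G "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Typical use:
#   write_ssh_config "$HOME/.ssh/config.example"
#   list_aliases "$HOME/.ssh/config.example"
#   resolved_option "$HOME/.ssh/config.example" myserver port   # 49160
#   ssh -F "$HOME/.ssh/config.example" myserver
```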
How to configure key pairs from a Windows device
Open the Command Prompt by typing cmd into the search bar (or open PowerShell from the "Start" menu).
Open the .ssh directory for your active Windows user (default path: C:\Users\WindowsUsername\.ssh):
Use the command ssh-keygen to create a key pair. The option -t allows you to specify the key type (encryption method).
Ed25519 is considered the most secure but RSA is a valid alternative. Both methods are compatible with the OVHcloud Control Panel.
Examples:
The next prompt allows you to name the newly created key or use the standard file name:
If you confirm with Enter without entering a name, the standard file name will be used (id_rsa in this example).
If you plan to use more than one key pair in the future, enter an individual file name to identify the key. You can find more information about this below in the Managing multiple authentication keys on your local device section.
The example outputs below will keep using the standard file names id_rsa and id_rsa.pub for illustration purposes.
You can protect your SSH key with a passphrase at the next prompt. This is recommended for added security.
NOTE: Remote access to your instance is only as secure as the client device storing the private key. Protecting your device and files from unauthorized access is therefore crucial when using SSH keys.
For increased convenience and security, store passphrases in a password manager on your device, such as the open-source solution KeePass.
All SSH keys should be stored in the .ssh directory. The public key files will have .pub added to the filename.
You can open the key file with a text editor (Notepad, Notepad++, etc.). From the Windows File Explorer, right-click on the file and select Open with.
You can also use one of the following commands (when in the \Users\WindowsUsername\.ssh directory):
cmd
powershell
Copy this key string to add it to a new instance or to import it into the OVHcloud Control Panel.
Clipboard usage
When working from a Windows command line, you can use a right-click to paste the content of your clipboard into the command line window. To copy a string from the command line window, highlight it, then press Enter. You can also find these functions via a right-click on the menu bar of the command line window.
Managing multiple authentication keys on your local device
You might want to use multiple SSH key pairs to connect to different remote hosts or local networks.
Since all keys should be placed in the .ssh folder on your Windows user directory, the file names have to be different. When you create a new key pair and you are asked to provide a file name, enter a name of your choice, for example the name of your instance.
Output example:
When connecting to the corresponding instance, specify the name of the private key file in addition to the connecting user and server details:
Example:
Using the "config" file
The alternative to adding the option -i each time is to edit a file named config inside the folder C:\Users\Username\.ssh. You can use it to configure details for different connections (username, port, key file, optional parameters, etc.).
If this file exists inside .ssh, it probably contains some information already. Depending on your working environment, consider creating a backup copy of the original first.
Example of .ssh folder content:
The config file allows you to store multiple SSH connections along with their individual parameters, in addition to standard values. Using the full potential of this file can become complex since it is most useful for experienced users managing multiple servers regularly.
Following is a simple example to explain how to configure an SSH connection to an instance.
Open the file and add the following lines at the top:
Be sure to use the correct IP address and key file name. The first line, beginning with Host, defines the name of this connection (instance in this example).
You can then log in to the instance by replacing the instance IP address with the alias name identifying this connection (Host):
Example:
Only the instance IP and the private key file were specified in the previous example but more details can be added.
To configure an SSH connection to a second remote host with the username "rocky", the modified SSH port "49160" and the private key in the file "myserver_rsa", extend the file content as shown in this example:
You can then connect to this second host by entering:
Consult the corresponding man page for more information about the config file.
Adding additional public keys to a running instance
To add SSH keys for other users accessing your instance, repeat the key creation steps but use the appropriate $HOME folder or Windows Users directory of the user in question to create and store the SSH keys (or execute the commands on this person's dedicated device).
Use our dedicated guide for a detailed explanation of these steps.
Go further
- Creating and Connecting a Public Cloud instance
- Getting Started with SSH
- How to Configure Additional SSH Keys
For more information and tutorials, please see our other Public Cloud support guides or explore the guides for other OVHcloud products and services.