SSH keys are undeniably the best way to log in to your VPS. You won't be required to type a password, and yet attackers will have no way to get in, because there is no password to guess! Read on to learn how to set up an SSH key for your VPS!
Installing the Software
Different operating systems require different tools to generate SSH keys. We'll briefly go over how to install the required software on each major operating system. Make sure you follow these instructions on your local computer!
Linux
On Linux, the required software usually comes pre-installed. First, check if the required packages are installed by running ssh-keygen -h
. If you see a help message, then the software is already installed. Otherwise, you will need to install it using one of the following commands:
sudo apt install openssh-client
sudo yum –y install openssh-clients
pacman -Sy openssh
Windows
Download and install PuTTY: https://www.puttygen.com/download-putty
MacOS
Open a terminal window and run the following command to install the utilities, if they are not already installed:
brew install openssh
Generating a Public/Private Keypair
Linux/MacOS
On a Linux or MacOS operating system, the following commands can be used in a terminal/shell to generate an SSH key:
ssh-keygen -o -a 100 -t ed25519 # Generate an SSH key. Choose the default options by hitting enter.
cat ~/.ssh/id_ed25519.pub # This prints out your public key, which we will need in the next step.
Windows
On Windows, use the following steps to generate an SSH key:
- Launch PuTTYgen by launching the Windows start menu and selecting All Programs, PuTTY, and finally PuTTYgen.
- Click the "Generate" button, and move your mouse to generate some randomness.
- Click the "Save Private Key" and "Save Public Key" options, and make note of where the files are saved. We will need them later.
- Copy the key from the top of the window, labeled "Public key for pasting into OpenSSH authorized_keys file. This is your public key, which we will need in the next step.
Installing Your SSH Key On A New VPS
Installing your SSH key on your VPS is remarkably easy:
- Log in to the VPS panel at https://vps.pufferfish.host.
- Click the "SSH Keys" tab at the top of the window.
- Click the blue "Add Key" button, give your SSH key a name, and paste the contents of the public key you got when generating your key in the previous step.
- Click the blue "Save" button to save your key.
- When installing your VPS, select the SSH key after choosing a compatible operating system. Only linux-based operating systems are compatible with automatic SSH access.
Installing an SSH key on an existing VPS is also trivial:
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
# Paste your public key from the previous step in the authorized_keys file.
Logging In With Your SSH key
Linux/MacOS
Simply using the ssh
command will allow you to log in with your newly generated SSH key: ssh [email protected]
. If this is a newly installed VPS, then the username you will need to use is root
. You should not be prompted for a password.
Windows
- Open a new PuTTY window.
- Create a new configuration, and enter your server's IP address and username. If this is the first time you're logging in to your Pufferfish Host VPS, you will need to use the username
root
. - Go to the authentication tab and select the
.ppk
file that was generated using PuTTYgen. - Save the configuration and log in. You should not be prompted for a password, and should be granted access immediately.
Security Best Practices
As you can see, SSH keys are a far more convenient way to log into a server. Keys can be reused across multiple servers. It is crucial to never, ever share the private key. If your private key is compromised, then you will need to generate a new SSH key.
It is a good idea to disable password authentication on your VPS after you have configured and tested your SSH key. To do this, edit the file at /etc/ssh/sshd_config
. Find the line that starts with #PasswordAuthentication
, and change it to PasswordAuthentication no
. (Note that the #
was removed from the line). Restart the SSH daemon using systemctl restart sshd
. We recommend only doing this after you have tested your SSH key, otherwise you may accidentally lock yourself out of your VPS. This step is already completed for you by default on Pufferfish Host.
When using SSH keys, software like Fail2Ban is not required. This is because brute forcing SSH keys is considered practically impossible, by every metric. While passwords can be guessed and brute forced, SSH keys are far more secure and cannot be easily cracked, so software like Fail2Ban will not improve anything.
You may also want to consider backing up your SSH public and private keys. Make sure you choose a safe place to back these up, because if the private key is compromised, it will allow attackers to access any server you have access to.
Conclusion
SSH keys are an excellent and convenient way to secure your server, especially because they don't require any passwords to be configured. For this reason, we highly recommend setting up SSH key authentication and disabling password authentication on any servers you have.