Secure Server login via SSH

First login

If you did not add an SSH key via the GUI when creating the server, you will either have created a root password or received one by other means, such as the email DigitalOcean sends. (Note that DigitalOcean will not send a password, and automatically disables password logins, if you add an SSH key via the GUI.)

$ ssh root@123.45.56.78
The authenticity of host '123.45.56.78 (123.45.56.78)' can't be established.
ECDSA key fingerprint is SHA256:mX1fCAc5cyf2bG7BZnBPhrrmIKANdBtWzk676MgqhSs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '123.45.56.78' (ECDSA) to the list of known hosts.
root@123.45.56.78's password:
You are required to change your password immediately (root enforced)
Changing password for root.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:

Creating a sudo user

We still want to be able to log in and work on the server, so we need to create a new user with sudo privileges.

$ su lukas
$ sudo -v
[sudo] password for lukas:
Sorry, user lukas may not run sudo on veare.localdomain.

Allow access via SSH

If you are using services like GitHub, you probably already have an SSH key on your computer. To see whether you have keys, and which ones, run the following command:

$ ls ~/.ssh/
authorized_keys config id_rsa id_rsa.pub known_hosts

Creating a new key pair

If you have no key pair yet, or want to create a new key pair, you can use the ssh-keygen command. You will be asked where to store it. In the example below I am creating a pair named devserver_rsa. If you have no key pair yet, just hit return and stick to the default.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/YOURUSERNAME/.ssh/id_rsa): /Users/YOURUSERNAME/.ssh/devserver_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/YOURUSERNAME/.ssh/devserver_rsa.
Your public key has been saved in /Users/YOURUSERNAME/.ssh/devserver_rsa.pub.
The key fingerprint is: …

Transferring the key pair

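We must copy the public key to the home directory of both our root and our sudo user (lukas for me) on our server, to allow them to log in using SSH. Only the public key (the .pub file) is copied; the private key stays on your computer. Make sure to replace 123.45.56.78 with your server's IP. If you created the key under a different name, such as devserver_rsa, use that .pub file instead.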

$ cat ~/.ssh/id_rsa.pub | ssh root@123.45.56.78 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" 
$ cat ~/.ssh/id_rsa.pub | ssh lukas@123.45.56.78 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Verifying the SSH login via ssh-key

You should now be able to log in without using a password. To do so, simply run the ssh command again. Try this for both users.

$ ssh root@123.45.56.78 
$ exit
$ ssh lukas@123.45.56.78
$ exit

Disabling Root-Login and login via password

Once you have verified that login via SSH key (without password) works, and that you can use sudo with your new user, you should disable login using passwords as well as the root user login.
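In OpenSSH these two changes correspond to the sshd_config options PermitRootLogin and PasswordAuthentication. The check below is an added example, not part of the original article; the function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# two settings this section asks for. Sample configs below are constructed.

# Print the value sshd applies globally for KEYWORD in FILE. sshd keeps the
# first value it reads per keyword, keywords are case-insensitive, and
# lines after a "Match" line only apply conditionally.
effective_value() {  # usage: effective_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match" { exit }     # end of the global section
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# Return 0 only if root login and password login are both disabled.
# The fallbacks are the OpenSSH defaults used when a keyword is not set.
check_hardened() {  # usage: check_hardened FILE
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    echo "PermitRootLogin=$root PasswordAuthentication=$pass"
    [ "$root" = "no" ] && [ "$pass" = "no" ]
}

# Constructed weak config: the root setting is commented out or conditional,
# and the second PasswordAuthentication line is ignored (first value wins).
sample_weak=$(mktemp)
cat > "$sample_weak" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF

# Constructed hardened config: both settings disabled globally.
sample_hardened=$(mktemp)
cat > "$sample_hardened" <<'EOF'
PermitRootLogin no
passwordauthentication no
EOF

check_hardened "$sample_weak" || echo "weak sample: NOT hardened"
check_hardened "$sample_hardened" && echo "hardened sample: ok"
```

On a live server, run the check against the output of `sudo sshd -T` saved to a file, which also reflects any included drop-in files. Keep an existing session open while you reload sshd and confirm key login from a second terminal.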

Lukas Oppermann

Product designer with a love for complex problems & data. Everything I post on Medium is a copy — the originals are on my own website: https://www.vea.re