- Create a new droplet and use a newly-generated SSH Key for authentication.
# Generate an ed25519 SSH key pair called "play_key" (play_key + play_key.pub) with the comment "pwho"
ssh-keygen -o -a 100 -t ed25519 -f play_key -C "pwho"
If you want to set a passphrase (recommended), then do so; otherwise, just press enter twice when prompted for a passphrase.
When creating your new droplet on DO, select the option to add a new SSH key. You'll have to paste your PUBLIC key in the field provided. The public key is the only key you should be sharing. The private key (the file without the .pub file extension) should be kept private. Duh.
To get the public key, just open the .pub file (play_key.pub) in a text editor and copy its contents.
- Open a terminal on your computer and type the following:
On your computer:
ssh -i <PATH TO YOUR PRIVATE SSH KEY> root@<IP FOR NEW DROPLET>
When logging in the first time, you'll see a warning:
"The authenticity of host ' ()' can't be established." blah blah blah
"Are you sure you want to continue connecting (yes/no)?"
yes
This is just your computer protecting you from connecting to other computers you don't recognize.
Selecting YES will add the remote server to your "known hosts" file.
If you see this again on a subsequent connection, and you're NOT expecting it, that could mean another computer is trying to pretend to be the computer you really know, and you shouldn't continue.
We want to create a new user so we don't use the server as the root user. It's a bad idea to use the root user as it's too easy to make mistakes and mess up the server.
Using a non-root user will ensure that you can't do anything stupid unless you run commands as "sudo" (super user do).
On your server:
# create user
adduser <SOME USERNAME>
# select a good password you don't mind typing again and again, as this will be your new "sudo" password, too.
# add user to the "sudo" group
usermod -aG sudo <SOME USERNAME>
# confirm that you added the user to the "sudo" group
groups <SOME USERNAME>
Just because you added this new user, doesn't mean that user can log into the server.
The public SSH key used when creating the server is connected with the ROOT user, and now we have to connect this public key with the New User we just created.
- We must allow for password login temporarily.
On your server:
# edit ssh config:
sudo vim /etc/ssh/sshd_config
# change "PasswordAuthentication no" to "PasswordAuthentication yes"
# save and restart daemon:
sudo systemctl restart sshd
On your computer:
# run this as SUDO if you're on Ubuntu yourself.
ssh-copy-id -i ~/.ssh/<YOUR PRIVATE KEY> <USERNAME>@<DO SERVER IP>
You will be prompted for the user password you setup when you created the user.
Enter your password and you should see a confirmation:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '<USERNAME>@<SERVER IP>'"
and check to make sure that only the key(s) you wanted were added.
Do as the confirmation message says, but point at the proper SSH key:
# if you're on Linux / Ubuntu yourself, you'll have to run this as sudo (at least I do)
ssh -i <path to your PRIVATE SSH key> <USERNAME>@<SERVER IP>
Above we allowed password auth temporarily so we could complete an initial sign in with our new user.
For security reasons, though, we want to disable this option again:
# simply reverse what we did before
sudo vim /etc/ssh/sshd_config
# change "PasswordAuthentication yes" back to "PasswordAuthentication no"
# while we're at it, let's disable root login, too:
# change "PermitRootLogin yes" to "PermitRootLogin no"
# save and restart daemon again:
sudo systemctl restart sshd
# keep this session open and test a fresh login from a second terminal before closing it
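The same sshd_config hardening done as a script, as an added example that is not part of the original notes: it rewrites the options idempotently, checks the file with sshd -t before restarting (a typo plus a restart is how you lock yourself out), and reads back what sshd will really enforce. It assumes POSIX sh and awk; the config path and the sample file in the comments are assumptions, not values from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes. Edits an sshd_config file
# idempotently and validates it before restarting, so a typo cannot lock
# you out. Assumes POSIX sh + awk; the config path is passed in as $1.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite the first "Key ..." or "#Key ..."
# line (sshd keywords are case-insensitive, and the FIRST value wins),
# or append the option if the file never mentions it.
set_sshd_option() {
  file="$1" key="$2" value="$3"
  tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    BEGIN { re = "^[# \t]*" tolower(k) "[ \t]"; done = 0 }
    !done && tolower($0) ~ re { print k " " v; done = 1; next }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# effective_sshd_option FILE KEY: first uncommented value in this file.
# Caveat: Ubuntu images "Include /etc/ssh/sshd_config.d/*.conf" at the top
# of sshd_config, and included files are read first, so "sshd -T" (below)
# is the authoritative check of what sshd will actually enforce.
effective_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The two changes from the notes, plus an explicit PubkeyAuthentication yes.
harden_sshd() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# apply_hardening [FILE]: back up, edit, validate, then restart. Keep your
# current SSH session open and test a fresh login before closing it.
apply_hardening() {
  cfg="${1:-/etc/ssh/sshd_config}"
  cp "$cfg" "$cfg.bak.$(date +%s)"
  harden_sshd "$cfg"
  sshd -t -f "$cfg" || { echo "invalid sshd config, not restarting" >&2; return 1; }
  systemctl restart sshd
  sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin) '
}
```

On the server, run it as root with `apply_hardening /etc/ssh/sshd_config`; running `harden_sshd` on a copy of the file first lets you diff the result before touching the live config.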