This is a basic task for any web admin. In the past I've always managed to stumble through the hoops to make it work in the end, but usually in a clumsy way that was not very tidy, not very deterministic, and not very scalable. It sometimes involved too many unnecessary trips to Stack Overflow and various blog articles to search through dated answers and ugly screenshots, some of which are less relevant than others. Here's an updated end-to-end guide that can be followed in 2021 when a new remote server or virtual instance is created.
During the creation of a new instance (or "Droplet" as Digital Ocean calls it), there are two methods to establish authentication, SSH keys or password. We'll use SSH as it's more secure against bruce-force attack. Throughout this process we'll keep two Terminal windows open, one for the local machine and the other one for the server.
1) Create SSH key pair on local machine (assuming a Mac)
When prompted for the key file location, just use the default
~/.ssh/id_rsa path. Do not use a passphrase as it brings more troubles than benefits. As we might need to maintain multiple sets of keys on the same local machine for different server destinations, it would be a good practice to name them differently. For example, I have:
ls -la ~/.ssh id_rsa_to_github_from_mini id_rsa_to_github_from_mini.pub id_rsa_to_linode_from_mini id_rsa_to_linode_from_mini.pub
Rename the newly created
id_rsa (private key) and
id_rsa.pub (public key):
mv id_rsa id_rsa_to_digitalocean_from_mini mv id_rsa.pub id_rsa_to_digitalocean_from_mini.pub
2) Add SSH public key to server
In local machine's
~/.ssh/, display the public key on screen
Select what's displayed on screen, ctrl-C to copy the content of the public key.
In Digital Ocean dashboard where public SSH key can be added, ctrl-P to paste the content of the public key into the dialog box. Give it a name like "Macmini".
3) Proceed to create a new droplet/virtual instance in Digital Ocean ("DO")
For the authentication part, select "SSH keys" and check "Macmini" so that DO knows this particular set of keys will be associated with this new instance.
A new instance is now created with an external IP address
123.456.789.000 (which is also labeled as "ipv4" and shall not be confused with the private IP that is tied to the router). Copy this address.
4) Obtain SSH access to root user
By default, a
root user with admin privilege has been created along with the server instance. Generally we want to minimize the use of
root but we'll need to access to
root first to do other things.
In local machine, use
ssh -i to associate the correct private key that corresponds to the public key for this instance
ssh -i ~/.ssh/id_rsa_to_digitalocean_from_mini email@example.com
This shall land you into the new server (let's call it
athena) as user
5) Create another sudo user
This is an important step that is often missing from official guides from VPS providers. We don't want to use
root in day-to-day tasks, so there needs to be another admin user with the same permission rights but carries a different name.
root user, add a new user with
Enter a password that's easy to type and just leave other fields blank.
Grant this new user sudo privileges
usermod -aG sudo sammy
Check all current users with sudo privileges and make sure
sammy is on the list
getent group sudo
Login to new user
su to test its access works
6) Establish SSH for new sudo user
The key in this step is to open TWO Terminal windows side by side, one for the local machine and the other one for the server instance (
In the Terminal window on local machine, copy the content of the public key with the help of
Then in the Terminal window on the server for
athena, as user
sammy, create a new file that stores all the public keys from various local machines
mkdir -p ~/.ssh vim ~/.ssh/authorized_keys
Paste the content from clipboard into file
authorized_keys. This will tell the server
athena that if a local machine requests to connect with the correct private key that ties to this public key, the connection shall be authenticated.
7) Create SSH shortcut on local machine
Back to the Terminal window for the local machine, in
~/.ssh/config file, append the private key info to the end of the file
Host athena HostName 123.456.789.000 User sammy IdentityFile ~/.ssh/id_rsa_to_digitalocean_from_mini
Save the config file. Now, in local machine's Terminal, connect to server
athena without password by
Make sure to test the login is successful for user
8) Disable login for root
Last but not the least, login to
athena as user
sammy, disable the root login over SSH
sudo vim /etc/ssh/sshd_config
Set the following from
Now, the only way to login to
athena is through user
sammy over SSH keys.
To put these changes into effect:
sudo systemctl reload sshd.service
More articles will follow that talk about how to set up the server environment and key parameters.
1. Thanks for reading! 1082.xyz newsletter shares the learning and discovery for aspiring polymath, on crypto, blockchain, investment, startups, productivity hacks and technology in general. If you're forwarded this email, you can sign up for the free 1082.xyz newsletter here or just press the "Subscribe" button to receive the latest articles directly in your inbox. The free tier would be fine as free tier subscribers can access all the articles at this point.
2. You're welcome to share your feedback and comments in the comment section. No email registration is needed. You can do so anonymously.
3. If you find this article helpful, please share it with like-minded friends. Thank you.