This is a basic task for any web admin. In the past I've always managed to stumble through the hoops to make it work in the end, but usually in a clumsy way that was not very tidy, not very deterministic, and not very scalable. It sometimes involved too many unnecessary trips to Stack Overflow and various blog articles to search through dated answers and ugly screenshots, some of which are less relevant than others. Here's an updated end-to-end guide that can be followed in 2021 when a new remote server or virtual instance is created.

During the creation of a new instance (or "Droplet" as Digital Ocean calls it), there are two methods to establish authentication: SSH keys or a password. We'll use SSH keys as they are more secure against brute-force attacks. Throughout this process we'll keep two Terminal windows open, one for the local machine and the other for the server.

1) Create SSH key pair on local machine (assuming a Mac)

ssh-keygen

When prompted for the key file location, just use the default ~/.ssh/id_rsa path. Do not use a passphrase, as it brings more trouble than benefit. Since we might need to maintain multiple sets of keys on the same local machine for different server destinations, it is good practice to name them differently. For example, I have:

ls -la ~/.ssh
id_rsa_to_github_from_mini
id_rsa_to_github_from_mini.pub
id_rsa_to_linode_from_mini
id_rsa_to_linode_from_mini.pub

Rename the newly created id_rsa (private key) and id_rsa.pub (public key), from inside ~/.ssh:

mv id_rsa id_rsa_to_digitalocean_from_mini
mv id_rsa.pub id_rsa_to_digitalocean_from_mini.pub

2) Add SSH public key to server

In the local machine's ~/.ssh/, display the public key on screen:

cat id_rsa_to_digitalocean_from_mini.pub

Select what's displayed on screen and press ctrl-C to copy the content of the public key.

In the Digital Ocean dashboard, where a public SSH key can be added, press ctrl-P to paste the content of the public key into the dialog box. Give it a name like "Macmini".

3) Proceed to create a new droplet/virtual instance in Digital Ocean ("DO")

For the authentication part, select "SSH keys" and check "Macmini" so that DO knows this particular key pair will be associated with the new instance.

A new instance is now created with an external IP address 123.456.789.000 (also labeled "ipv4"; not to be confused with the private IP that is tied to the router). Copy this address.

4) Obtain SSH access to root user

By default, a root user with admin privileges has been created along with the server instance. Generally we want to minimize the use of root, but we'll need root access first to do everything else.

On the local machine, use ssh -i to pass the private key that corresponds to the public key registered for this instance:

ssh -i ~/.ssh/id_rsa_to_digitalocean_from_mini root@123.456.789.000

This lands you in the new server (let's call it athena) as user root.

5) Create another sudo user

This is an important step that is often missing from the official guides of VPS providers. We don't want to use root for day-to-day tasks, so there needs to be another admin user with the same rights but a different name.

On athena, as root, add a new user with:

adduser sammy

Enter a password that's easy to type and just leave the other fields blank.

Grant this new user sudo privileges:

usermod -aG sudo sammy

Check all current users with sudo privileges and make sure sammy is on the list:

getent group sudo

Log in as the new user sammy with su to test that its access works:

su sammy

6) Establish SSH for new sudo user

The key to this step is to have TWO Terminal windows open side by side, one for the local machine and the other for the server instance (athena).

In the Terminal window for the local machine, print the content of the public key with cat:

cat ~/.ssh/id_rsa_to_digitalocean_from_mini.pub

Then in the Terminal window for athena, as user sammy, create the file that stores the public keys from all the local machines allowed to connect:

mkdir -p ~/.ssh
vim ~/.ssh/authorized_keys

Paste the clipboard content into authorized_keys. This tells athena that when a client connects with the private key matching this public key, the connection is to be authenticated.
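The same step done by a script rather than vim and paste, as an added example that is not part of the original post. It sets the permissions sshd's default StrictModes requires (.ssh 700, authorized_keys 600), which a hand-edited file may not get, and skips a key that is already present; the key line below is constructed and not a real key, and install_authorized_key / count_authorized_keys are names chosen here.

```bash
#!/bin/sh
# Added example (not from the original post): do what step 6 does by hand,
# but with the permissions sshd's default StrictModes requires (.ssh 700,
# authorized_keys 600) and without adding the same key twice.
#
# install_authorized_key HOME_DIR PUBKEY_LINE
#   HOME_DIR     the user's home directory (e.g. /home/sammy)
#   PUBKEY_LINE  one line as shown by `cat id_rsa_..._from_mini.pub`
# Returns 1 (and installs nothing) if the line is not an OpenSSH public key.
install_authorized_key() {
  home_dir="$1"
  key_line="$2"
  case "$key_line" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-ssh-ed25519@openssh.com\ *) ;;
    *) echo "rejected: not an OpenSSH public key line" >&2; return 1 ;;
  esac
  ssh_dir="$home_dir/.ssh"
  auth_file="$ssh_dir/authorized_keys"
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  touch "$auth_file" && chmod 600 "$auth_file"
  # Idempotent: an identical line already present is left alone
  grep -qxF "$key_line" "$auth_file" && return 0
  printf '%s\n' "$key_line" >> "$auth_file"
}

# count_authorized_keys HOME_DIR: how many key lines are installed
count_authorized_keys() {
  f="$1/.ssh/authorized_keys"
  [ -f "$f" ] || { echo 0; return 0; }
  grep -c -e '^ssh-' -e '^ecdsa-' -e '^sk-' "$f" || true
}

# Demo on a throwaway directory with a constructed (not real) key line.
# On athena you would run this as sammy with HOME_DIR=/home/sammy, or as
# root followed by: chown -R sammy:sammy /home/sammy/.ssh
demo_home="${TMPDIR:-/tmp}/athena_demo.$$"
demo_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKey mini"
install_authorized_key "$demo_home" "$demo_key"
install_authorized_key "$demo_home" "$demo_key"   # second call is a no-op
echo "keys installed: $(count_authorized_keys "$demo_home")"   # 1
rm -rf "$demo_home"
```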

7) Create SSH shortcut on local machine

Back in the Terminal window for the local machine, append the following host entry to the end of ~/.ssh/config:

Host athena
  HostName      123.456.789.000
  User          sammy
  IdentityFile  ~/.ssh/id_rsa_to_digitalocean_from_mini

Save the config file. Now, from the local machine's Terminal, connect to athena without a password by running:

ssh athena

Make sure the login succeeds for user sammy.

8) Disable login for root

Last but not least, log in to athena as user sammy and disable root login over SSH:

sudo vim /etc/ssh/sshd_config

Set the following option from yes to no:

PermitRootLogin no

Now the only way to log in to athena is as user sammy with SSH keys.

To put these changes into effect:

sudo systemctl reload sshd.service
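A check to run before that reload, as an added example that is not part of the original post: sshd uses the first value it finds for a keyword, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" has no effect, and the claim that keys are the only way in also depends on PasswordAuthentication being off. The sample config is constructed, the helper names sshd_effective / audit_sshd are chosen here, and the parser reads a single file without following Include lines.

```bash
#!/bin/sh
# Added example (not from the original post): check the settings step 8
# relies on before reloading sshd. sshd takes the FIRST value it sees for a
# keyword, so a "PermitRootLogin no" appended at the end of the file loses
# to an earlier "PermitRootLogin yes". This mirrors that rule for a single
# file; it does not follow Include lines, so on a real host confirm with:
#   sudo sshd -T | grep -i -e permitrootlogin -e passwordauthentication

# sshd_effective FILE KEYWORD: prints the first value set for KEYWORD
# (case-insensitive), or nothing if it is only commented out / unset.
sshd_effective() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }                  # comment
    /^[[:space:]]*$/ { next }                  # blank line
    /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }   # conditional block: global section ends
    { if (tolower($1) == want) { print $2; exit } }
  ' "$1"
}

# audit_sshd FILE: returns 0 if root login and password auth are both off,
# otherwise prints what is wrong and returns 1.
audit_sshd() {
  rc=0
  root_login=$(sshd_effective "$1" PermitRootLogin)
  pass_auth=$(sshd_effective "$1" PasswordAuthentication)
  [ "$root_login" = "no" ] || { echo "PermitRootLogin is '${root_login:-unset}' (want no)"; rc=1; }
  [ "$pass_auth" = "no" ] || { echo "PasswordAuthentication is '${pass_auth:-unset, default yes}' (want no)"; rc=1; }
  return $rc
}

# Constructed sample: "no" was appended below an earlier "yes", so it loses
sample="${TMPDIR:-/tmp}/sshd_config_demo.$$"
cat > "$sample" <<'EOF'
# constructed sshd_config fragment for the example
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
audit_sshd "$sample" || echo "fix the earlier line(s), then: sudo sshd -t && sudo systemctl reload sshd.service"
rm -f "$sample"
```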

That's it!

More articles will follow that talk about how to set up the server environment and key parameters.


1. Thanks for reading! The 1082.xyz newsletter shares learning and discovery for aspiring polymaths, on crypto, blockchain, investment, startups, productivity hacks and technology in general. If you were forwarded this email, you can sign up for the free 1082.xyz newsletter here or just press the "Subscribe" button to receive the latest articles directly in your inbox. The free tier is fine, as free tier subscribers can access all the articles at this point.