How to Upload an SSH Public Key to an Existing Droplet
DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.
For security reasons, you can’t add or modify the SSH keys on your Droplet using the control panel after you create it, but you have several options to add and modify them via the command line. If you currently have SSH access to the Droplet, you can upload keys:
-
From your local computer using
ssh-copy-id, which is included in many Linux distributions’ OpenSSH packages. -
From your local computer by piping the contents of the key into the
~/.ssh/authorized_keysfile. This is a good choice if you don’t havessh-copy-id. -
By SSHing to your Droplet and adding the public key manually, which is necessary if you do not have password-based SSH access.
If you currently can’t connect to your Droplet at all, use the Recovery Console to reset the root user password. Once logged in on the console, you can either add your key manually from the console or temporarily enable password authentication to add the key via SSH.
Locally Using ssh-copy-id and Password-Based Access
If you have password-based access to your Droplet, you can copy your SSH key using ssh-copy-id. Substitute the IP address of your Droplet.
ssh-copy-id [email protected]
This prompts you for the user account’s password on the remote system:
The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
After typing in the password, the contents of your ~/.ssh/id_rsa.pub key are appended to the end of the user account’s ~/.ssh/authorized_keys file:
Number of key(s) added: 1
Now try logging in to the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
After entering the password, it copies your key, and you can log in without a password.
Locally by Piping into ssh with Password-Based Access
If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can pipe the contents of the key into the ssh command.
On the remote side, verify that the ~/.ssh directory exists, and then append the piped contents into the ~/.ssh/authorized_keys file. Substitute the IP address and your username for your Droplet.
cat ~/.ssh/id_rsa.pub | \
ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
You are then asked to supply the password for the remote account:
The authenticity of host '203.0.113.0 (203.0.113.0)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:EX:AM:PL:E0:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
[email protected]'s password:
After entering the password, it copies your key, and you can log in without a password.
Manually from the Droplet without Password-Based Access
If you do not have password-based SSH access available, you have to add your public key to the remote server manually.
Note
ssh to add your keys.On your local machine, output the contents of your public key.
cat ~/.ssh/id_rsa.pub
Copy the output.
ssh-rsa EXAMPLEzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== [email protected]
Log in to your Droplet using your local terminal and create the ~/.ssh directory if it does not already exist:
mkdir -p ~/.ssh
You’ll need to add your SSH key to an authorized_keys file in this directory. The public keys listed in that file are the ones that can be used to log in to the server as this user.
Create and open the ~/.ssh/authorized_keys file for editing using a terminal-based text editor, like nano.
nano ~/.ssh/authorized_keys
Paste the contents of your SSH key into the file by right-clicking in your terminal and choosing Paste or by using a keyboard shortcut like CTRL+SHIFT+V. Then, save and close the file. In nano, save by pressing CTRL+O and then ENTER, and exit by pressing CTRL+X.
Alternatively, instead of opening the file in an editor and pasting your key, you can create the authorized_keys file with your public key added with a single command. If you use this, substitute the contents of your public key into the echo command.
echo "ssh-rsa EXAMPLEzaC1yc2E...GvaQ== [email protected]" \
>> ~/.ssh/authorized_keys
Once the authorized_keys file contains the public key, you need to update permissions on some of the files. The ~/.ssh directory and authorized_keys file must have specific restricted permissions (700 for ~/.ssh and 600 for authorized_keys). If they don’t, you won’t be able to log in.
Check the permissions and ownership of the files.
chmod -R go= ~/.ssh
chown -R $USER:$USER ~/.ssh
You can now log out of your Droplet. The next time you log in, you can do so without a password.