DigitalOcean SSH authentication and removing Password login

Gaurav
theserverfault
Published in
4 min read · Jan 28, 2019


Docker Droplets

Why DigitalOcean?

As an active user of AWS EC2 for hosting and deploying scalable applications, I tried DigitalOcean as an experiment because it is fast and very cheap. I had read a blog post comparing the two platforms on architecture, scalability, speed and pricing, and DigitalOcean came out ahead of AWS EC2 on almost every point. You can check out the blog here if you want to go in depth. I actively use AWS services, mostly AWS EC2, AWS S3 and Route 53. I set up my architecture to be CI/CD compatible so that deployment is automated, because it is 2019 (time for automation) and doing manual I/O operations over SSH to AWS is really, really slow.

There is a project I was working on that does not need any image or block storage. It does some background processing of tasks and runs a couple of cron jobs. So I thought this was the best time to pick DigitalOcean for evaluation and experimentation.

The Challenge

DigitalOcean is pretty simple, straightforward and secure. It handles SSH authentication with keys: you need an SSH key registered in your DigitalOcean account to reach the Droplet from a terminal. The interface for that is simple, but as an active AWS EC2 user I was used to the *.pem file convention for authenticating my SSH connections. Since DigitalOcean does not give you any *.pem file, you have to rely on the SSH configuration for the connection, and you have to set it up both on your own machine and on the server (the Droplet) that accepts the incoming connections. I already had a couple of shell scripts that handled deployment to AWS EC2 instances using *.pem files, and I was short on time to write new scripts for a different architecture (something I dislike, because I like to keep things generic and architecture-independent as far as possible).

The Solution

The solution to this problem is pretty easy and straightforward: you just have to generate an SSH key pair (or use an existing one) and register its public key.

  1. By default, keys are stored in the .ssh folder in your $HOME directory, and the public key is saved there as id_rsa.pub. You can either use this one or create a new pair with the command ssh-keygen -t rsa.
  2. Press the ENTER key to accept the default location. The ssh-keygen utility prompts you for a passphrase.
  3. You can choose a passphrase, which is recommended for security reasons, or leave it empty if you are in learning mode. If you enter a passphrase you have to type it twice to confirm it.
  4. After confirming, the system generates the key:
SSH public key generated.

5. You will need the public key, which is stored in the id_rsa.pub file in that directory. You can open the file and copy its contents, or (on macOS) use the command pbcopy < ~/.ssh/id_rsa.pub to copy the content to the clipboard.

6. Now you need to add the SSH key to your DigitalOcean account: go to the Security section at the bottom left.

Go to Security

7. Now you have to add a new SSH key.

8. Paste the content from your clipboard, give the key a name so that you can recognise the device later, and click “Add SSH Key”.

9. Log into the DigitalOcean Droplet with the command ssh root@<ip-address>. You will be prompted for a password; type in the password you received by email after creating the Droplet.

10. Password authentication is controlled by the PasswordAuthentication directive in /etc/ssh/sshd_config. Setting it to no disables password authentication for SSH.

11. Doing only this won’t help you: every time you try to log into your server you would get a Permission denied (publickey) error. To fix this, you have to add your public key to ~/.ssh/authorized_keys on your Droplet (the server).

12. Restart sshd with systemctl restart sshd (on Ubuntu).

You will now be able to log into the DigitalOcean Droplet via

ssh root@<ip-address>

and it will no longer ask for a password.
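Steps 10 to 12 above, as an added example script that is not part of the original post: it installs the public key into authorized_keys with safe permissions, rewrites the sshd_config directives in place (sshd honours the first match of a directive, so simply appending a line at the end may be ignored), and validates the config before restarting. The paths /etc/ssh/sshd_config and /root/.ssh/authorized_keys and the PUBKEY, SSHD_CONFIG and AUTH_KEYS variables are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed defaults: sshd_config under
# /etc/ssh and authorized_keys under /root/.ssh; override via SSHD_CONFIG / AUTH_KEYS.
set -eu

# Append a public key to authorized_keys, creating it with tight permissions.
# Idempotent: a key that is already present is not added a second time.
install_pubkey() {
    pubkey="$1"; auth_keys="$2"
    mkdir -p "$(dirname "$auth_keys")"
    chmod 700 "$(dirname "$auth_keys")"
    touch "$auth_keys"; chmod 600 "$auth_keys"
    grep -qxF "$pubkey" "$auth_keys" || printf '%s\n' "$pubkey" >> "$auth_keys"
}

# Force one sshd_config directive to a value. sshd uses the FIRST match of a
# directive, so an existing (or commented-out) line is rewritten in place
# rather than appending a duplicate that sshd would ignore.
set_sshd_option() {
    key="$1"; value="$2"; cfg="$3"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$cfg"; then
        sed -i.bak -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}
# Effective value of a directive: first uncommented occurrence, or empty.
get_sshd_option() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Key-only login: keep pubkey auth on, turn off passwords and also the
# keyboard-interactive (PAM) path, which can still prompt for a password.
harden_sshd() {
    set_sshd_option PubkeyAuthentication yes "$1"
    set_sshd_option PasswordAuthentication no "$1"
    set_sshd_option ChallengeResponseAuthentication no "$1"
}

main() {
    cfg="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
    [ -n "${PUBKEY:-}" ] || { echo "set PUBKEY to the text of id_rsa.pub" >&2; exit 2; }
    install_pubkey "$PUBKEY" "${AUTH_KEYS:-/root/.ssh/authorized_keys}"
    harden_sshd "$cfg"
    sshd -t -f "$cfg"        # validate first: a broken config plus a restart locks you out
    systemctl restart sshd
}
# Apply for real only when run as: PUBKEY="$(cat ~/.ssh/id_rsa.pub)" sh harden.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Keep your current root session open and confirm that a key-based login works from a second terminal before closing it, since a mistake here leaves no password fallback.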

References

Sharing some online references that really helped me to derive the solution
