Using SSH keys for Server Access

I decided to write this article so that people can more securely access and share access to their servers to authorised personnel. This is intended for Service Providers in the 0Chain community, but equally applies to anyone with their own server (or VPS etc.)


Ther server commands are for a Linux server. The local commands should work on Linux or MacOs computers – for Windows, see to install ssh-keygen first, then you’ll need to change paths to use \ and use type instead of cat command

The basic concept

The concept is based around a public/private key pair which anyone interested in crypto should already be familiar with. The private key remains on the local machine and the public key gets pushed to the server(s)

Installing a key on a server

I’ll cut straight to the chase. Access the server as chosen user you wish to share access of. This may be through a user interface of your hosting provider (e.g. noVNC KVM Console), or by using ssh and the existing password.

Then cut and paste the following command. (ON YOUR SERVER) – Note this command authorizes me to access your server!!

cd ~ ; DIR=".ssh"; FILE="authorized_keys"; ADD="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMbMEFXgqISi/jdF/1HvnkeP9R4oEnm0k6c6jsbuP1Ab"; [ ! -d "$DIR" ] && mkdir $DIR ; [ ! -f "$DIR/$FILE" ] && touch "$DIR/$FILE" ; grep -q "$ADD" "$DIR/$FILE" || echo "$ADD" >> "$DIR/$FILE"

So what this does is add my key to the ssh key authorized keys list for your user profile on that server (if one doesn’t exist, it is created).

Generating your own keys

So you have more than one server to manage and rather than having to remember separate passwords for each one, you want to generate your own key pair.

So first you will generate an ssh key pair on your local machine (laptop or desktop etc.)
The command you want to use is ssh-keygen
The only parameters we will specify are a filename and algorithm used. In this case, we will use the ed25519 algorithm.
So make sure you are in your home folder (cd ~) and then we will generate a key in the .ssh folder that is used by default for storing these keys.
So the command will look like (you will substitute all instances of test with your preferred name) :-


ssh-keygen -f .ssh/test -t ed25519

And the output will look something like:-

Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/test
Your public key has been saved in .ssh/
The key fingerprint is:
SHA256:DpciLmKT4GYvxAe+0DMi0NQRJLuI8Q1HTGIDyJtPSf0 sculptex@hplaptop
The key's randomart image is:
+--[ED25519 256]--+
|+.==Bo           |
|.o.Bo.           |
|.o* o .          |
|oB.B   E .       |
|B.* o o S        |
|*+=+ . =         |
|=O+o.   .        |
|++o.             |
|  ..             |

You see it prompts for a passphrase, I highly recommend you do this for additional security. Because the use of the keypair is the main security, this passphrase will only come into play if someone gains access to that, so use your judgement to make it something easy to type and remember, as you will need to enter it each time you access.

If we look in the .ssh folder, the test and files will be there.

ls .ssh

The test file is the private key. You want to keep this secure as you would with other private keys. The .pub file contains your public key.
You can see the contents of that file by entering

cat .ssh/

and you will see something like (there may be multiple lines)

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKI22V+K3fKNzqRAv0LmeDLIpreO3tL+rxxs90d/wXxH sculptex@hplaptop

METHOD 1 – substituting into one-liner command


This is what we need to substitute in the command at the start into the ADD variable

So the one-liner for the above test key authorization would be (but note you can change the last part to an email if desired)

cd ~ ; DIR=".ssh"; FILE="authorized_keys"; ADD="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKI22V+K3fKNzqRAv0LmeDLIpreO3tL+rxxs90d/wXxH sculptex@hplaptop"; [ ! -d "$DIR" ] && mkdir $DIR ; [ ! -f "$DIR/$FILE" ] && touch "$DIR/$FILE" ; grep -q "$ADD" "$DIR/$FILE" || echo "$ADD" >> "$DIR/$FILE"

So now you will have your own one-liner that you can cut and paste in an ssh session on your server, and from that point onwards, you should be able to ssh into your server without a password, albeit you will still need to enter the passphrase when prompted but this will be something more memorable.

METHOD 2 – using ssh-copy-id


By using the following command:-

ssh-copy-id -i ~/.ssh/test user@host

it will perform the addition of the keys to the server authorized_keys file for you (it will prompt you for login details if you are not already logged in)

Another step (If this is a sudo account)


By default, sudo accounts still prompt for passwords when entering a sudo command. If we want to prevent this, we will need to give them an additional privilege. NOTE: this does not apply to root accounts, they are already sudo (superuser)!

1) Lets enter a basic command using sudo:-

sudo pwd

Note that if this is not a sudo account it will tell you.
1a) If it is a sudo account and this is the first sudo command issued this session, it will prompt you for the password, so you’ll need to enter that now.

2) Now, lets create a group type that negates the need for the sudo user to enter a password

if sudo grep -qwF "sudo_nopass" "/etc/sudoers" ; then echo "sudo_nopass group already exists" ; else sudo echo "%sudo_nopass ALL=(ALL:ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers ; echo "ADDED sudo_nopass group" ; fi

It should detect if this command has run previously so is fairly foolproof to use, (just make sure you have already run a sudo command so it doesn’t try prompting for a password in the middle of this script).

3) Establish new group with system

sudo groupadd sudo_nopass

4) Now we can assign this group to the current user, again this assumes you will already have run a sudo command (do sudo pwd before this if not).

IAM=$(whoami) ; if  [ "$IAM" = "root" ] ; then echo "ROOT. No need to do this!" ; else echo "User: $IAM" ; sudo usermod -a -G sudo_nopass $IAM ; echo "Added to group sudo_nopass" ; fi

Thats it! This user should not be able to login via ssh key and not have to enter the password.

So now lets log into server using ssh

ssh root@

You may see something like:-

The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:UtU+TDbb9JaVk2QEY/Tt/W7/Rnt/7ZJe70PhvWtGw8A.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Just enter yes

You will also get a pop-up prompting for your passphrase, so enter that.

Warning: Permanently added '' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-65-generic x86_64)

Be aware that this ssh session may remain authorized in memory on your machine, so closing the window or typing exit on the ssh session will close the window, but subsequent connections will re-establish without asking for the passphrase.

Other Server Commands

To get your servers public IP address, you can enter the following command on the server Command Line

curl; echo

To get the current user, enter the following command on the server Command Line



These two are the required parameters when ssh’ing into your server,
e.g. ssh <user>@<IP address> would then be
ssh root@