SSH Key Generation Illustration

SSH stands for Secure Shell. If you set up your SSH public and private key pair on your computer, you can bypass entering a password to access your web server. Some tasks can be done faster on the command line interface than on a browser. WordPress uses WP-CLI and Drupal uses Drush. Updating a group of WordPress plugins and themes is much faster on the command line than logging in to update them in the admin area. The same goes for Drupal’s modules and themes. You can’t update Drupal’s core at all via their admin area.

Disabling password authentication makes your web server more secure because you can only access SSH on computers that have the private key which corresponds to the public key on your web server. To follow along you need to make sure that SSH access is included in your web hosting plan. You also need to have a basic understanding of the command line interface. If you have both of these, I’ll walk you through the following steps:

How to set up a public and private SSH key pair on a Mac

How to copy your SSH public key on your web server

How to access your web server files using your SSH key pair

How to add/remove a passphrase to/from your private SSH key

How to log in with an SSH key pair with a name other than id_rsa

Setting Up a Public and Private SSH Key Pair on Your MacBook

On your MacBook’s Terminal application, go to your computer’s default SSH key directory by entering cd ~/.ssh.

To check if you have an existing SSH key pair, you can run the ls command.

Public SSH keys have a .pub extension and private keys have no extension. The default SSH public and private key names on a MacBook are id_rsa.pub and id_rsa. If you don’t see any keys in your SSH directory, then you can run the ssh-keygen command to generate one.

You’ll be asked to enter a file name for the key pair. If you just hit the Enter key when prompted for a file name, the names of your private and public SSH key names will default to id_rsa and id_rsa.pub.

Next, you’ll be asked to specify a passphrase. A passphrase just adds an extra level of security. If you don’t want to use a passphrase, you can just hit Enter twice. If your SSH key pair was created successfully, you should see something like this:


Your identification has been saved in /Users/yourusername/.ssh/id_rsa.
Your public key has been saved in /Users/yourusername/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:6ZO3Dm/IlyKn3ckOoZFpwX6cbagiji3h4oEzjxFRqsg yourusername@iMac-2.local
The key's randomart image is:
+---[RSA 2048]----+
| . |
| o . |
|o o |
|+. . = = |
|+E * S o |
|o. . * + |
|*o. . o.*... |
|o@.. ...=O+o |
|=o+ .+.*O |
+----[SHA256]-----+

Copying Your SSH Public Key to a Web Server

Now that you have a private and public SSH key pair, you can copy your public SSH key to any server that you have access to. So, let’s say you manage ten websites. If you have SSH access to all of those servers, and you copied your SSH public key to all of those servers, you would only have to remember only one passphrase from that computer.

If you didn’t set up a passphrase when you created your SSH key pair, you won’t have to remember anything at all! You should never copy your local computer’s SSH private key to a web server. Just remember that your private key is used for your local computer, and your public key is used for any web server that you want access to. To copy your public SSH key to a web server, you would use this command:

ssh-copy-id -i ~/.ssh/id_rsa.pub username@yourwebserver.com

You’ll see something like this:


/user/bin/ssh-copy-id INFO: Source of key(s) to be installed: "/Users/yourusername/.ssh/id_rsa.pub"
/user/bin/ssh-copy-id INFO: attempting to log in with the new key(s), to filter out any that are already installed
/user/bin/ssh-copy-id INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@yourwebserver.com's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'username@yourwebserver.com'" and check to make sure that only the key(s) you wanted were added.

If you enter your web hosting control panel’s password, the public key will be copied to your web server. Repeat these steps on any web server that you want access to via SSH. After copying the SSH public keys, disable SSH password authentication.

If you already have password authentication disabled, you can add your public key via your web hosting control panel. In Terminal, you would run cat id_rsa.pub to get your public key’s contents

Copy all that follows after that command and paste it into the section where you import an existing key. All of our web hosting plans come with the ability to add a public SSH key via the hosting control panel. If your web hosting company allows you to add a key via the control panel, you would do so like so:

Import SSH Key in Hosting Control Panel

Be sure to click the Submit button to complete the import.

Accessing Your Web Server’s Files with Your SSH Key Pair

If the public key that you added on your web server is the only public key, and your local computer is the only computer that has the matching private key, then that is the only place that can log in to your web server via SSH. If you added the same public key to multiple web servers, then you only need to remember one passphrase for SSH access.

Keep in mind, that if you forget your passphrase, you will not be able to retrieve it, so don’t forget it. If you chose not to have a passphrase when generating your SSH key pair, then you won’t have to remember anything. To access any of your web servers with SSH, you would enter the following:

ssh username@yourwebserver.com

Adding, Changing, or Removing a Passphrase from Your SSH Private Key

The command is the same for adding, changing, and removing a SSH private key passphrase:

ssh-keygen -p

After entering this command, you’ll be asked for the private key that you want to edit. Hit Enter to edit the id_rsa private key. If you want to remove or edit an existing passphrase, you’ll be asked to enter your current passphrase. If the passphrase that you entered was correct, you’ll be asked to enter a new passphrase. If you’re changing a passphrase, enter your new passphrase twice. To remove a passphrase, just hit Enter twice. If your private key didn’t have a password, you’ll be asked to enter one twice.

Logging in Via SSH with a Key Pair with a Name Other than ID_RSA

To do this, you run the ssh-keygen command, but instead of hitting the Enter key when asked to enter a file name, you would specify a file name. Here’s an example of me creating a key pair with the name of dummy-key:


Generating public/private rsa key pair.
Enter file in which to save the key (/Users/yourusername/.ssh/id_rsa): dummy-key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in dummy-key.
Your public key has been saved in dummy-key.pub.
The key fingerprint is:
SHA256:hcSkxHp639f+G+wRSv6tE/R4nHwu1gTK3NyvwLf0uBw yourusername@iMac-2.local
The key's randomart image is:
+---[RSA 2048]----+
| ..oo |
| ..o.. |
| .. . . |
| . . . o |
| o S o *.B.|
| . . .* BoO|
| . . . o+EXo|
| . . .=B=B|
| . oO@=|
+----[SHA256]-----+

After creating the key pair, copy the public key to your web server. To log in with a key pair not named id_rsa, you have to specify where your private key is on your computer. So, to log in with the key that I just created in in the example above, I would type this:


ssh username@yourserver.com -i path/to/your/private/key/file

The private key file can be anywhere on your computer. Going on my dummy-key example, if I moved it to the Downloads directory on my Mac, I would log in via SSH like this:

ssh username@yourserver.com -i ~/Downloads/dummy-key

Thanks for reading this post. If this post helped you, I’d appreciate it if you shared it on social media or left a comment below.