Force System To Use Self Generated Public Key

Apr 28, 2019  Configure Powershell WinRM to use OpenSSL generated Self-Signed certificate. A private key is one half of the public/private key pair used in digital certificates. (ConvertTo-SecureString -AsPlainText -String 123456-Force) Verify thumbprint of imported certificate. Aug 20, 2012  Generating Key Pairs and Importing Public Key Certificates to a Trusted Keystore. Use following command in command prompt to generate a keypair with a self-signed certificate.

-->

Generate GPG secret key from public key and passphrase. Ask Question Asked 7 years, 5 months ago. If the private key could be generated from the public key (not counting brute force), what use would public key cryptography be? – Mat Sep 22 '12 at 16:18. 1 @Mat I remember passphrase! I have everything needed to make a key, though newly.

Applies to: Exchange Server 2013

Secure Sockets Layer (SSL) is a method for securing communications between a client and a server. For Exchange Server 2013, SSL is used to help secure communications between the server and clients. Clients include mobile phones, computers inside an organization's network, and computers outside an organization's network.

By default, when you install Exchange 2013, client communications are encrypted using SSL when you use Outlook Web App, Exchange ActiveSync, and Outlook Anywhere.

SSL requires you to use digital certificates. This topic summarizes the different types of digital certificates and information about how to configure Exchange 2013 to use these types of digital certificates.

Overview of digital certificates

Digital certificates are electronic files that work like an online password to verify the identity of a user or a computer. They're used to create the SSL encrypted channel that's used for client communications. A certificate is a digital statement that's issued by a certification authority (CA) that vouches for the identity of the certificate holder and enables the parties to communicate in a secure manner using encryption.

Digital certificates do the following:

• They authenticate that their holders (people, websites, and even network resources such as routers) are truly who or what they claim to be.

• They protect data that's exchanged online from theft or tampering.

Digital certificates can be issued by a trusted third-party CA or a Windows public key infrastructure (PKI) using Certificate Services, or they can be self-signed. Each type of certificate has advantages and disadvantages. Each type of digital certificate is tamper-proof and can't be forged.

Certificates can be issued for several uses. These uses include web user authentication, web server authentication, Secure/Multipurpose Internet Mail Extensions (S/MIME), Internet Protocol security (IPsec), Transport Layer Security (TLS), and code signing.

A certificate contains a public key and attaches that public key to the identity of a person, computer, or service that holds the corresponding private key. The public and private keys are used by the client and the server to encrypt the data before it's transmitted. For Windows-based users, computers, and services, trust in a CA is established when there's a copy of the root certificate in the trusted root certificate store and the certificate contains a valid certification path. For the certificate to be valid, the certificate must not have been revoked and the validity period must not have expired.

Types of certificates

There are three primary types of digital certificates: self-signed certificates, Windows PKI-generated certificates, and third-party certificates.

Self-signed certificates

When you install Exchange 2013, a self-signed certificate is automatically configured on the Mailbox servers. A self-signed certificate is signed by the application that created it. The subject and the name of the certificate match. The issuer and the subject are defined on the certificate. This self-signed certificate is used to encrypt communications between the Client Access server and the Mailbox server. The Client Access server trusts the self-signed certificate on the Mailbox server automatically, so no third-party certificate is needed on the Mailbox server. When you install Exchange 2013, a self-signed certificate is also created on the Client Access server. This self-signed certificate will allow some client protocols to use SSL for their communications. Exchange ActiveSync and Outlook Web App can establish an SSL connection by using a self-signed certificate. Outlook Anywhere won't work with a self-signed certificate on the Client Access server. Self-signed certificates must be manually copied to the trusted root certificate store on the client computer or mobile device. When a client connects to a server over SSL and the server presents a self-signed certificate, the client will be prompted to verify that the certificate was issued by a trusted authority. The client must explicitly trust the issuing authority. If the client confirms the trust, then SSL communications can continue.

Note

By default, the digital certificate installed on the Mailbox server or servers is a self-signed certificate. You don't need to replace the self-signed certificate on the Mailbox servers in your organization with a trusted third-party certificate. The Client Access server automatically trusts the self-signed certificate on the Mailbox server and no other configuration is needed for certificates on the Mailbox server.

Frequently, small organizations decide not to use a third-party certificate or not to install their own PKI to issue their own certificates. They might make this decision because those solutions are too expensive, because their administrators lack the experience and knowledge to create their own certificate hierarchy, or for both reasons. The cost is minimal and the setup is simple when you use self-signed certificates. However, it's much more difficult to establish an infrastructure for certificate life-cycle management, renewal, trust management, and revocation when you use self-signed certificates.

Windows public key infrastructure certificates

The second type of certificate is a Windows PKI-generated certificate. A PKI is a system of digital certificates, certification authorities, and registration authorities (RAs) that verify and authenticate the validity of each party that's involved in an electronic transaction by using public key cryptography. When you implement a PKI in an organization that uses Active Directory, you provide an infrastructure for certificate life-cycle management, renewal, trust management, and revocation. However, there is some additional cost involved in deploying servers and infrastructure to create and manage Windows PKI-generated certificates.

Certificate Services are required to deploy a Windows PKI and can be installed through Add Or Remove Programs in Control Panel. You can install Certificate Services on any server in the domain.

If you obtain certificates from a domain-joined Windows CA, you can use the CA to request or sign certificates to issue to your own servers or computers on your network. This enables you to use a PKI that resembles a third-party certificate vendor, but is less expensive. These PKI certificates can't be deployed publicly, as other types of certificates can be. However, when a PKI CA signs the requestor's certificate by using the private key, the requestor is verified. The public key of this CA is part of the certificate. A server that has this certificate in the trusted root certificate store can use that public key to decrypt the requestor's certificate and authenticate the requestor.

The steps for deploying a PKI-generated certificate resemble those required for deploying a self-signed certificate. You must still install a copy of the trusted root certificate from the PKI to the trusted root certificate store of the computers or mobile devices that you want to be able to establish an SSL connection to Microsoft Exchange.

A Windows PKI enables organizations to publish their own certificates. Clients can request and receive certificates from a Windows PKI on the internal network. The Windows PKI can renew or revoke certificates.

Trusted third-party certificates

Third-party or commercial certificates are certificates that are generated by a third-party or commercial CA and then purchased for you to use on your network servers. One problem with self-signed and PKI-based certificates is that, because the certificate is not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. Third-party or commercial certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates greatly simplifies deployment.

For larger organizations or organizations that must publicly deploy certificates, the best solution is to use a third-party or commercial certificate, even though there is a cost associated with the certificate. Commercial certificates may not be the best solution for small and medium-size organizations, and you might decide to use one of the other certificate options that are available.

Choosing a certificate type

When you choose the type of certificate to install, there are several things to consider. A certificate must be signed to be valid. It can be self-signed or signed by a CA. A self-signed certificate has limitations. For example, not all mobile devices let a user install a digital certificate in the trusted root certificate store. The ability to install certificates on a mobile device depends on the mobile device manufacturer and the mobile service provider. Some manufacturers and mobile service providers disable access to the trusted root certificate store. In this case, neither a self-signed certificate nor a certificate from a Windows PKI CA can be installed on the mobile device.

Default Exchange certificates

By default, Exchange installs a self-signed certificate on both the Client Access server and the Mailbox server so that all network communication is encrypted. Encrypting all network communication requires that every Exchange server have an X.509 certificate that it can use. You should replace this self-signed certificate on the Client Access server with one that is automatically trusted by your clients.

'Self-signed' means that a certificate was created and signed only by the Exchange server itself. Because it wasn't created and signed by a generally trusted CA, the default self-signed certificate won't be trusted by any software except other Exchange servers in the same organization. The default certificate is enabled for all Exchange services. It has a subject alternative name (SAN) that corresponds to the server name of the Exchange server that it's installed on. It also has a list of SANs that include both the server name and the fully qualified domain name (FQDN) of the server.

Although other Exchange servers in your Exchange organization trust this certificate automatically, clients like web browsers, Outlook clients, mobile phones, and other email clients in addition to external email servers won't automatically trust it. Therefore, consider replacing this certificate with a trusted third-party certificate on your Exchange Client Access servers. If you have your own internal PKI, and all your clients trust that entity, you can also use certificates that you issue yourself.

Certificate requirements by service

Certificates are used for several things in Exchange. Most customers also use certificates on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.

IIS

All the following Exchange services use the same certificate on a given Exchange Client Access server:

• Outlook Web App

• Exchange admin center (EAC)

• Exchange Web Services

• Exchange ActiveSync

• Outlook Anywhere

• Autodiscover

• Outlook Address Book distribution

Because only a single certificate can be associated with a website, and because all these services are offered under a single website by default, all the names that clients of these services use must be in the certificate (or fall under a wildcard name in the certificate).

POP/IMAP

Certificates that are used for POP or IMAP can be specified separately from the certificate that's used for IIS. However, to simplify administration, we recommend that you include the POP or IMAP service name in your IIS certificate and use a single certificate for all these services.

SMTP

Force System To Use Self Generated Public Keyboard

A separate certificate can be used for each receive connector that you configure. The certificate must include the name that SMTP clients (or other SMTP servers) use to reach that connector. To simplify certificate management, consider including all names for which you have to support TLS traffic in a single certificate.

Digital certificates and proxying

Proxying is the method by which one server sends client connections to another server. In the case of Exchange 2013, this happens when the Client Access server proxies an incoming client request to the Mailbox server that contains the active copy of the client's mailbox.

When Client Access servers proxy requests, SSL is used for encryption but not for authentication. The self-signed certificate on the Mailbox server encrypts the traffic between the Client Access server and the Mailbox server.

Reverse proxies and certificates

Many Exchange deployments use reverse proxies to publish Exchange services on the Internet. Reverse proxies can be configured to terminate SSL encryption, examine the traffic in the clear on the server, and then open a new SSL encryption channel from the reverse proxy servers to the Exchange servers behind them. This is known as SSL bridging. Another way to configure the reverse proxy servers is to let the SSL connections pass straight through to the Exchange servers behind the reverse proxy servers. With either deployment model, the clients on the Internet connect to the reverse proxy server using a host name for Exchange access, such as mail.contoso.com. Then the reverse proxy server connects to Exchange using a different host name, such as the machine name of the Exchange Client Access server. You don't have to include the machine name of the Exchange Client Access server on your certificate because most common reverse proxy servers are able to match the original host name that's used by the client to the internal host name of the Exchange Client Access server.

Our team create this software, to share all the keys with GTA V fans!GTA 5 Keygen is FREE and 100% working and legit. Now that we have finally finished the GTA 5 Keygen we are proudly releasing it to the public! With this software you can generate a cd-key which you can activate GTA V! We are proud to give, to all of our fans, for FREE, a new, 100% working and legit GTA 5 Keygen with which you can freely REDEEM that fantastic game for your favourite platform! A lot of our followers asked us for a working GTA 5 Keygen, so we are pleased to announce a new phenomenal release of GTA 5 Keygen! Cd-key generator left 4 dead.

SSL and split DNS

Split DNS is a technology that allows you to configure different IP addresses for the same host name, depending on where the originating DNS request came from. This is also known as split-horizon DNS, split-view DNS, or split-brain DNS. Split DNS can help you reduce the number of host names that you must manage for Exchange by allowing your clients to connect to Exchange through the same host name whether they're connecting from the Internet or from the intranet. Split DNS allows requests that originate from the intranet to receive a different IP address than requests that originate from the Internet.

Split DNS is usually unnecessary in a small Exchange deployment because users can access the same DNS endpoint whether they're coming from the intranet or the Internet. However, with larger deployments, this configuration will result in too high of a load on your outgoing Internet proxy server and your reverse proxy server. For larger deployments, configure split DNS so that, for example, external users access mail.contoso.com and internal users access internal.contoso.com. Using split DNS for this configuration ensures that your users won't have to remember to use different host names depending on where they're located.

Remote Windows PowerShell

Kerberos authentication and Kerberos encryption are used for remote Windows PowerShell access, from both the Exchange admin center (EAC) and the Exchange Management Shell. Therefore, you won't have to configure your SSL certificates for use with remote Windows PowerShell.

Digital certificates best practices

Although the configuration of your organization's digital certificates will vary based on its specific needs, information about best practices has been included to help you choose the digital certificate configuration that's right for you.

Best practice: Use a trusted third-party certificate

To prevent clients from receiving errors regarding untrusted certificates, the certificate that's used by your Exchange server must be issued by someone that the client trusts. Although most clients can be configured to trust any certificate or certificate issuer, it's simpler to use a trusted third-party certificate on your Exchange server. This is because most clients already trust their root certificates. There are several third-party certificate issuers that offer certificates configured specifically for Exchange. You can use the EAC to generate certificate requests that work with most certificate issuers.

How to select a certification authority

A certification authority (CA) is a company that issues and ensures the validity of certificates. Client software (for example, browsers such as Microsoft Internet Explorer, or operating systems such as Windows or Mac OS) have a built-in list of CAs they trust. This list can usually be configured to add and remove CAs, but that configuration is often cumbersome. Use the following criteria when you select a CA to buy your certificates from:

• Ensure the CA is trusted by the client software (operating systems, browsers, and mobile phones) that will connect to your Exchange servers.

• Choose a CA that says it supports 'Unified Communications certificates' for use with Exchange server.

• Make sure that the CA supports the kinds of certificates that you'll use. Consider using subject alternative name (SAN) certificates. Not all CAs support SAN certificates, and other CAs don't support as many host names as you might need.

• Make sure that the license you buy for the certificates allows you to put the certificate on the number of servers that you intend to use. Some CAs only allow you to put a certificate on one server.

• Compare certificate prices between CAs.

Best practice: Use SAN certificates

Depending on how you configure the service names in your Exchange deployment, your Exchange server may require a certificate that can represent multiple domain names. Although a wildcard certificate, such as one for *.contoso.com, can resolve this problem, many customers are uncomfortable with the security implications of maintaining a certificate that can be used for any subdomain. A more secure alternative is to list each of the required domains as SANs in the certificate. By default, this approach is used when certificate requests are generated by Exchange.

Best practice: Use the Exchange certificate wizard to request certificates

There are many services in Exchange that use certificates. A common error when requesting certificates is to make the request without including the correct set of service names. The certificate wizard in the Exchange admin center will help you include the correct list of names in the certificate request. The wizard lets you specify which services the certificate has to work with and, based on the services selected, includes the names that you must have in the certificate so that it can be used with those services. Run the certificate wizard when you've deployed your initial set of Exchange 2013 servers and determined which host names to use for the different services for your deployment. Ideally you'll only have to run the certificate wizard one time for each Active Directory site where you deploy Exchange.

Instead of worrying about forgetting a host name in the SAN list of the certificate that you purchase, you can use a certification authority that offers, at no charge, a grace period during which you can return a certificate and request the same new certificate with a few additional host names.

Best practice: Use as few host names as possible

In addition to using as few certificates as possible, you should also use as few host names as possible. This practice can save money. Many certificate providers charge a fee based on the number of host names you add to your certificate.

The most important step you can take to reduce the number of host names that you must have and, therefore, the complexity of your certificate management, is not to include individual server host names in your certificate's subject alternative names.

The host names you must include in your Exchange certificates are the host names used by client applications to connect to Exchange. The following is a list of typical host names that would be required for a company named Contoso:

• Mail.contoso.com: This host name covers most connections to Exchange, including Microsoft Outlook, Outlook Web App, Outlook Anywhere, the Offline Address Book, Exchange Web Services, POP3, IMAP4, SMTP, Exchange Control Panel, and ActiveSync.

• Autodiscover.contoso.com: This host name is used by clients that support Autodiscover, including Microsoft Office Outlook 2007 and later versions, Exchange ActiveSync, and Exchange Web Services clients.

• Legacy.contoso.com: This host name is required in a coexistence scenario with Exchange 2007 and Exchange 2013. If you'll have clients with mailboxes on Exchange 2007 and Exchange 2013, configuring a legacy host name prevents your users from having to learn a second URL during the upgrade process.

Understanding wildcard certificates

A wildcard certificate is designed to support a domain and multiple subdomains. For example, configuring a wildcard certificate for *.contoso.com results in a certificate that will work for mail.contoso.com, web.contoso.com, and autodiscover.contoso.com.

Updated by LinodeWritten by Linode

Try this guide out by signing up for a Linode account with a $20 credit.

Contribute on GitHub

Report an Issue |View File |Edit File

Password authentication is the default method most SSH (Secure Shell) clients use to authenticate with remote servers, but it suffers from potential security vulnerabilities, like brute-force login attempts. An alternative to password authentication is public key authentication, in which you generate and store on your computer a pair of cryptographic keys and then configure your server to recognize and accept your keys. Using key-based authentication offers a range of benefits:

• Key-based login is not a major target for brute-force hacking attacks.

• If a server that uses SSH keys is compromised by a hacker, no authorization credentials are at risk of being exposed.

• Because a password isn’t required at login, you are able to able to log in to servers from within scripts or automation tools that you need to run unattended. For example, you can set up periodic updates for your servers with a configuration management tool like Ansible, and you can run those updates without having to be physically present.

This guide will explain how the SSH key login scheme works, how to generate an SSH key, and how to use those keys with your Linode.

Note

If you’re unfamiliar with SSH connections, review the Getting Started with Linode guide.

How SSH Keys Work

SSH keys are generated in pairs and stored in plain-text files. The key pair (or keypair) consists of two parts:

• A private key, usually named id_rsa. The private key is stored on your local computer and should be kept secure, with permissions set so that no other users on your computer can read the file.

  Caution

• A public key, usually named id_rsa.pub. The public key is placed on the server you intend to log in to. You can freely share your public key with others. If someone else adds your public key to their server, you will be able to log in to that server.

When a site or service asks for your SSH key, they are referring to your SSH public key (id_rsa.pub). For instance, services like GitHub and Gitlab allow you to place your SSH public key on their servers to streamline the process of pushing code changes to remote repositories.

The authorized_keys File

In order for your Linode to recognize and accept your key pair, you will need to upload your public key to your server. More specifically, you will need to upload your public key to the home directory of the user you would like to log in as. If you would like to log in to more than one user on the server using your key pair, you will need to add your public key to each of those users.

Force System To Use Self Generated Public Key Mac

To set up SSH key authentication for one of your server’s users, add your public key to a new line inside the user’s authorized_keys file. This file is stored inside a directory named .ssh/ under the user’s home folder. A user’s authorized_keys file can store more than one public key, and each public key is listed on its own line. If your file contains more than one public key, then the owner of each key listed will be able to log in as that user.

Granting Someone Else Access to your Server

To give someone else access to your server’s user, simply add their public key on a new line in your authorized_keys file, just as you would add your own. To revoke access for that person, remove that same line and save the changes.

Challenge-Response

When logging in to a server using SSH, if there is a public key on file on that server, the server will create a challenge. This challenge will be crafted in such a way that only the holder of the private SSH key will be able to decipher it.

This challenge-response action happens without any user interaction. If the person attempting to log in has the corresponding private key, then they will be safely logged in. If not, the login will either fail or fall back to a password-based authentication scheme.

SSH Key Passphrases

You can optionally provide an additional level of security for your SSH keys by encrypting them with a passphrase at the time of creation. When you attempt to log in using an encrypted SSH key, you will be prompted to enter its passphrase. This is not to be confused with a password, as this passphrase only decrypts the key file locally and is not transferred over the Internet as a password might be.

If you’d like to set up your logins so that they require no user input, then creating a passphrase might not be desirable, but it is strongly recommended nevertheless.

Linux and macOS

Generate a Key Pair

Perform the steps in this section on your local machine.

1. Create a new key pair.

   Caution

   This command will overwrite an existing RSA key pair, potentially locking you out of other systems.

   If you’ve already created a key pair, skip this step. To check for existing keys, run ls ~/.ssh/id_rsa*.

   If you accidentally lock yourself out of the SSH service on your Linode, you can still use the Lish console to login to your server. After you’ve logged in via Lish, update your authorized_keys file to use your new public key. This should re-establish normal SSH access.

2. The -b flag instructs ssh-keygen to increase the number of bits used to generate the key pair, and is suggested for additional security.

3. Press Enter to use the default names id_rsa and id_rsa.pub in the /home/your_username/.ssh directory before entering your passphrase.

4. While creating the key pair, you will be given the option to encrypt the private key with a passphrase. This means that the key pair cannot be used without entering the passphrase (unless you save that passphrase to your local machine’s keychain manager). We suggest that you use the key pair with a passphrase, but you can leave this field blank if you don’t want to use one.

Upload your Public Key

There are a few different ways to upload your public key to your Linode from Linux and macOS client systems:

Using ssh-copy-id

ssh-copy-id is a utility available on some operating systems that can copy a SSH public key to a remote server over SSH.

1. To use ssh-copy-id, pass your username and the IP address of the server you would like to access:

2. You’ll see output like the following, and a prompt to enter your user’s password:

3. Verify that you can log in to the server with your key.

Using Secure Copy (scp)

Secure Copy (scp) is a tool that copies files from a local computer to a remote server over SSH:

Caution

These instructions will overwrite any existing contents of the authorized_keys file on your server. If you have already set up other public keys on your server, use the ssh-copy-id command or enter your key manually.

1. Connect to your server via SSH with the user you would like to add your key to: Generate key hash android facebook windows 10.

2. Create the ~/.ssh directory and authorized_keys file if they don’t already exist:

3. Give the ~/.ssh directory and authorized_keys files appropriate file permissions:

4. In another terminal on your local machine, use scp to copy the contents of your SSH public key (id_rsa.pub) into the authorized_keys file on your server. Substitute in your own username and your server’s IP address:

5. Verify that you can log in to the server with your key.

Manually Copy an SSH Key

You can also manually add an SSH key to a server:

1. Begin by copying the contents of your public SSH key on your local computer. You can use the following command to output the contents of the file:

   You should see output similar to the following:

   Note that the public key begins with ssh-rsa and ends with [email protected].

2. Once you have copied that text, connect to your server via SSH with the user you would like to add your key to:

3. Create the ~/.ssh directory and authorized_keys file if they don’t already exist:

4. Give the ~/.ssh directory and authorized_keys files appropriate file permissions:

5. Open the authorized_keys file with the text editor of your choice (nano, for example). Then, paste the contents of your public key that you copied in step one on a new line at the end of the file.

6. Save and close the file.

   Note

   If you initially logged into the server as root but edited the authorized_keys file of another user, then the .ssh/ folder and authorized_keys file of that user may be owned by root. Set that other user as the files’ owner:

7. Verify that you can log in to the server with your key.

Connect to the Remote Server

1. SSH into the server from your local machine:

2. If you chose to use a passphrase when creating your SSH key, you will be prompted to enter it when you attempt to log in. Depending on your desktop environment, a window may appear:

   Caution
   Do not allow the local machine to remember the passphrase in its keychain unless you are on a private computer which you trust.
3. You may also see the passphrase prompt at your command line:

4. Enter your password. You should see the connection establish in the local terminal.

Windows

The following instructions use the PuTTY software to connect over SSH, but other options are available on Windows too.

Generate a Key Pair with PuTTY

1. Download PuTTYgen (puttygen.exe) and PuTTY (putty.exe) from the official site.

2. Launch puttygen.exe. The RSA key type at the bottom of the window is selected by default for an RSA key pair but ED25519 (EdDSA using Curve25519) is a comparable option if your remote machine’s SSH server supports DSA signatures. Do not use the SSH-1(RSA) key type unless you know what you’re doing.

3. Increase the RSA key size from 2048 bits 4096 and click Generate:

4. PuTTY uses the random input from your mouse to generate a unique key. Once key generation begins, keep moving your mouse until the progress bar is filled:

5. When finished, PuTTY will display the new public key. Right-click on it and select Select All, then copy the public key into a Notepad file.

6. Save the public key as a .txt file or some other plaintext format. This is important–a rich text format such as .rtf or .doc can add extra formatting characters and then your private key won’t work:

7. Enter a passphrase for the private key in the Key passphrase and Confirm passphrase text fields. Important: Make a note of your passphrase, you’ll need it later:

8. Click Save private key. Choose a file name and location in Explorer while keeping the ppk file extension. If you plan to create multiple key pairs for different servers, be sure to give them different names so that you don’t overwrite old keys with new:

Manually Copy the SSH Key with PuTTY

1. Launch putty.exe. Find the Connection tree in the Category window, expand SSH and select Auth. Click Browse and navigate to the private key you created above:

2. Scroll back to the top of the Category window and click Session. Enter the hostname or IP address of your Linode. PuTTY’s default TCP port is 22, the IANA assigned port for for SSH traffic. Change it if your server is listening on a different port. Name the session in the Saved Sessions text bar and click Save:

3. Click the Open button to establish a connection. You will be prompted to enter a login name and password for the remote server.

4. Once you’re logged in to the remote server, configure it to authenticate with your SSH key pair instead of a user’s password. Create an .ssh directory in your home directory on your Linode, create a blank authorized_keys file inside, and set their access permissions:

5. Open the authorized_keys file with the text editor of your choice (nano, for example). Then, paste the contents of your public key that you copied in step one on a new line at the end of the file.

6. Save, close the file, and exit PuTTY.

7. Verify that you can log in to the server with your key.

Using WinSCP

Uploading a public key from Windows can also be done using WinSCP:

Caution

These instructions will overwrite any existing contents of the authorized_keys file on your server. If you have already set up other public keys on your server, use the PuTTY instructions instead.

1. In the login window, enter your Linode’s public IP address as the hostname, the user you would like to add your key to, and your user’s password. Click Login to connect.

2. Once connected, WinSCP will show two file tree sections. The left shows files on your local computer and the right shows files on your Linode. Using the file explorer on the left, navigate to the file where you saved your public key in Windows. Select the public key file and click Upload in the toolbar above.

3. You’ll be prompted to enter a path on your Linode where you want to upload the file. Upload the file to /home/your_username/.ssh/authorized_keys.

4. Verify that you can log in to the server with your key.

Connect to the Remote Server with PuTTY

Start PuTTY and Load your saved session. You’ll be prompted to enter your server user’s login name as before. However, this time you will be prompted for your private SSH key’s passphrase rather than the password for your server’s user. Enter the passphrase and press Enter.

Troubleshooting

If your SSH connections are not working as expected, or if you have locked yourself out of your system, review the Troubleshooting SSH guide for troubleshooting help.

Upload your SSH Key to the Cloud Manager

It is possible to provision each new Linode you create with an SSH public key automatically through the Cloud Manager.

1. Log in to the Cloud Manager.

2. Click on your username at the top right hand side of the page. Then click on My Profile in the dropdown menu that appears:

   Note
   If you are viewing the Cloud Manager in a smaller browser window or on a smaller device, then the My Profile link will appear in the sidebar links. To view the sidebar links, click on the disclosure button to the left of the blue Create button at the top of the page.

3. From the My Profile page, select the SSH Keys tab, and then click Add a SSH Key:

4. Create a label for your key, then paste in the contents of your public SSH key (id_rsa.pub):

5. Click Add Key.

6. When you next create a Linode you’ll be given the opportunity to include your SSH key in the Linode’s creation. This key will be added to the root user of the new Linode.

   In the Create Linode form, select the SSH key you’d like to include. This field will appear below the Root Password field:

Next Steps

After you set up your SSH keys and confirm they are working as expected, review the How to Secure Your Server guide for instructions on disabling password authentication for your server.

Join our Community

Please enable JavaScript to view the comments powered by Disqus.comments powered by Disqus

This guide is published under a CC BY-ND 4.0 license.