How to create an RSA private key for SSH logins

Advanced users may want to use an SSH terminal to manage their account files. This is a great option for granting developers access to your account without sharing the account password, because each RSA public/private key pair has its own password. Additionally, through cPanel, you can enable or disable keys to manage access by your third-party developers.

Setting up SSH keys is a two-step process. First, set up the key within cPanel. Then add the key to your SSH client.

Creating SSH Key Pairs With cPanel

First, log in to your cPanel account.

Go to the Security section and click SSH Access.

Click Manage SSH Keys.

Click Generate a New Key.

The Key Name can be any text. I like to append the person’s name to it for quick identification. For example: id_rsa_brian.

Enter a strong password into the Key Password and Reenter Password fields.

Key Type and Key Size can remain at the default values.

Click Generate Key.

A success message will be displayed.  Click Go Back to return to the Manage SSH Keys area.

Enabling SSH Keys

The creation process only makes the SSH key pair. For security, a new key is not authorized to access your account by default.

To activate the key, click the Manage link next to the key.

Click the Authorize button to enable the key pair.

Similarly, these steps can be reversed to Deauthorize the key.

Setting Up the SSH Key for Command Line Users

Now that we have the key created, we need to install it locally for our SSH client.

These instructions are for the ssh command line client, for people using Linux or macOS terminals. The setup for PuTTY on Windows is similar.

You will want the Private Key for your client.

Click the View/Download link next to the private key.

Click Download Key to download the key as a file. When saving the file, add a .pem extension to the file name for easy management (e.g. id_rsa_test.pem).

VERY IMPORTANT: Treat this key file like a password. Never upload it to a public site on the internet (especially not GitHub).

Move this file to the .ssh folder in your home directory (aka ~/.ssh). If this folder does not exist, create it before moving the file.

You have the option of manually specifying the .pem key file when connecting each time:

We can use the ssh client config file to automatically associate the private key to your domain-name.

Inside of the ~/.ssh folder, create or edit a file named config.

Add the following 2 lines to config:

SSH is very particular about file permissions. You will want to lock down the filesystem permissions on these files:

Now connecting via ssh is as easy as standard password authentication:

The password to use is the password associated with the private key. If the key password is forgotten, you need to restart by deleting the key and creating a new one.

Please note that while you can have multiple keys with different passwords, you will always use your cPanel username to sign in to the account.
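The command-line steps above (move the key into ~/.ssh, add the two config lines, lock down permissions) written as one shell script. This is an added example, not the original article's commands; example.com, cpaneluser and the function names install_key and private_ok are placeholders chosen here.

```shell
#!/bin/sh
# Added example. Placeholders: example.com, cpaneluser, id_rsa_test.pem.
# Manual form, naming the key on every connection:
#   ssh -i ~/.ssh/id_rsa_test.pem cpaneluser@example.com

# private_ok PATH: succeeds only if PATH grants nothing to group or others
# (what mode 700 on a directory or 600 on a file gives you).
private_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# install_key KEYFILE HOST [SSH_DIR]
# Moves the downloaded private key into SSH_DIR (default ~/.ssh), adds the
# Host/IdentityFile pair to SSH_DIR/config, and tightens permissions.
install_key() {
    key_src=$1; host=$2; ssh_dir=${3:-"$HOME/.ssh"}
    key_dst="$ssh_dir/$(basename "$key_src")"
    config="$ssh_dir/config"

    # Refuse anything that is not a PEM private key (e.g. the public key).
    head -n 1 "$key_src" | grep -q 'PRIVATE KEY-----' || {
        echo "not a private key file: $key_src" >&2; return 1; }

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    [ "$key_src" = "$key_dst" ] || mv "$key_src" "$key_dst" || return 1
    chmod 600 "$key_dst" || return 1

    # Append the two config lines once; re-running must not duplicate them.
    touch "$config" && chmod 600 "$config" || return 1
    if ! grep -qxF "Host $host" "$config"; then
        printf 'Host %s\n    IdentityFile %s\n' "$host" "$key_dst" >> "$config"
    fi

    # Verify the result: ssh rejects a private key readable by other users.
    private_ok "$ssh_dir" && private_ok "$key_dst" && private_ok "$config"
}

# Run as: sh install-key.sh ~/Downloads/id_rsa_test.pem example.com
if [ "$#" -eq 2 ]; then
    install_key "$1" "$2" && echo "Now connect with: ssh cpaneluser@$2"
fi
```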

PuTTY Users

PuTTY users can also download and import the SSH private key. The difference is that you will use the “Convert the ‘id_rsa_test’ key to PPK format” feature on the Private Key Download page to obtain the file in a format that PuTTY understands.