How to Generate SSH Keys for Your Web Host
Secure Shell (SSH) provides encrypted remote access and data transfer, and it is central to website security. If your website were a locked vault, the SSH key would be what lets you in.
Generating SSH keys is fairly simple in any control panel, and the information required is always the same. Here’s how it’s done in cPanel and WHM:
In cPanel, click SSH/Shell Access, then Manage SSH Keys; in WHM, click Manage root’s SSH Keys, then Generate Key.
Provide a name for the key.
This name is for your own benefit, so that you can tell your keys apart later. Choose a name that will still be self-explanatory when you come back to it in the future.
Type a password for your key, and then confirm it in the next box.
Using the password generator will give you a very secure password, but it will be hard to remember if you ever need to type it in the future. The password strength indicator shows how strong your password is, and the system can be configured to accept only passwords above a certain strength.
Now select the key type.
This is either the Digital Signature Algorithm (DSA) or RSA (named after Ron Rivest, Adi Shamir and Leonard Adleman, the original creators of the algorithm). Both are encryption algorithms. DSA generates keys faster, but RSA is faster at verification when you log back in. Which you choose is up to you.
Select your choice of Key Size from the drop-down box.
The key size can be 1024, 2048 or 4096; this is the length (in characters) of the key. The longer the key, the more secure it is. Use at least 2048 for RSA keys, and always pick the largest size available to make the key as secure as possible.
Click Generate Key.
This returns you to the list of keys that have been generated. If your new key does not appear in the list, then your user has not been granted SSH access.
Keys must be authorized before they can be used, so under Public Keys, click Manage Authorization in the list of keys.
The next screen tells you that the key is not currently authorized for connecting to this account.
Change that by clicking Authorize. You can deauthorize a key in the same way.
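The same steps done from a shell, as an added example that is not cPanel or WHM code: ssh-keygen creates the pair (the key name becomes the file name and the key comment, the password becomes the passphrase, and the type and size match the two drop-downs), and authorizing a key means appending its public line to the account's authorized_keys file, while deauthorizing removes that line again. The directory, file names and key names are assumptions; the deauthorize and lookup helpers assume plain "type key comment" lines with no option prefix.

```shell
#!/bin/sh
# Added example (not cPanel/WHM code): command-line equivalents of
# Generate Key, Authorize and Deauthorize. Paths and names are assumptions.
set -eu

# Create a 4096-bit RSA pair protected by a passphrase. The name is used both
# as the file name and as the comment that identifies the key in authorized_keys.
generate_key() {
    name=$1                      # e.g. laptop-alice (assumed)
    passphrase=$2
    keydir=${3:-"$HOME/.ssh"}    # assumed location
    mkdir -p "$keydir" && chmod 700 "$keydir"
    ssh-keygen -q -t rsa -b 4096 -C "$name" -N "$passphrase" -f "$keydir/$name"
    chmod 600 "$keydir/$name"
    printf '%s\n' "$keydir/$name.pub"     # path of the public key to authorize
}

# Authorize: append the public key line unless that exact line is already there.
authorize_key() {
    pubkey_file=$1
    auth_file=$2
    touch "$auth_file" && chmod 600 "$auth_file"
    if grep -qxF -- "$(cat "$pubkey_file")" "$auth_file"; then
        return 0
    fi
    cat "$pubkey_file" >> "$auth_file"
}

# Deauthorize: drop every line whose comment (third field) matches the key name.
# Written through a temp file so an interrupted edit leaves the original intact.
deauthorize_key() {
    name=$1
    auth_file=$2
    tmp=$(mktemp)
    awk -v n="$name" '$3 != n' "$auth_file" > "$tmp"
    cat "$tmp" > "$auth_file" && rm -f "$tmp"
}

# Return 0 if a key with this name is currently authorized, 1 otherwise.
is_authorized() {
    awk -v n="$1" '$3 == n { found = 1 } END { if (found) exit 0; exit 1 }' "$2"
}
```

generate_key needs OpenSSH's ssh-keygen on the machine; the other three helpers only need awk and grep, so they also work on a control panel host where you manage authorized_keys by hand. Typical use is `pub=$(generate_key laptop-alice 'passphrase')` followed by `authorize_key "$pub" ~/.ssh/authorized_keys`.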
You can generate multiple keys for each username. If a number of people log in using the same username, you can generate a key for each person so that if any damage is done in the future, you can see which key was used to log in.
Having multiple keys for each username can also be useful if you log in from multiple locations. You can generate a separate key to use at each location, so if one key is compromised you know which location is the source of the problem, and you can strengthen your security there.
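To actually see which key was used for a login, sshd records the fingerprint of the accepted public key in its "Accepted publickey" log line, and `ssh-keygen -lf ~/.ssh/authorized_keys` prints the fingerprint of each authorized key next to its comment. The following added example (not cPanel or WHM code) joins the two so that each login is reported under the key name you chose, and flags logins made with a fingerprint you never issued. The log lines and the fingerprint-to-name map are constructed sample data; the log format assumed is OpenSSH's standard auth log line.

```shell
#!/bin/sh
# Added example (not cPanel/WHM code): attribute sshd logins to named keys
# by SHA256 fingerprint. Input formats are assumptions described above.
set -eu

# Print "user source-ip fingerprint" for every "Accepted publickey" line.
# Lines for failed logins, passwords or other services are ignored.
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted publickey for / {
            user = ""; ip = ""; fp = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")       user = $(i + 1)
                if ($i == "from")      ip   = $(i + 1)
                if ($i ~ /^SHA256:/)   fp   = $i
            }
            if (fp != "") print user, ip, fp
        }' "$1"
}

# Join logins with a "fingerprint name" map (one pair per line, as you would
# build from ssh-keygen -lf output). Unknown fingerprints are labelled.
logins_by_key() {
    logfile=$1
    keymap=$2
    accepted_logins "$logfile" | awk -v map="$keymap" '
        BEGIN {
            while ((getline line < map) > 0) {
                split(line, f, " ")
                name[f[1]] = f[2]
            }
        }
        { n = ($3 in name) ? name[$3] : "UNKNOWN-KEY"; print $1, n, $2 }'
}

# Logins whose fingerprint is not in the map: either a key you did not issue
# or one whose record is missing. These are the lines to investigate first.
unknown_key_logins() {
    logins_by_key "$1" "$2" | awk '$2 == "UNKNOWN-KEY"'
}
```

Run it as `logins_by_key /var/log/auth.log keys.map` (log path varies by distribution). Because every key on this page is named after a person or a location, the report tells you directly whose key, or which location's key, made each login.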
Download your private key by clicking View/Download Key under Private Keys.
This displays your key.
You can either copy and paste the text into a file you create on your own computer, or click Download Key to download it as a text file.
Depending on how you connect using SSH, you may need the key in PuTTY Private Key (PPK) format, the format PuTTY uses to store keys. If so, type the password you used when creating the key into the box and click Convert. This produces the key in PPK format for you to copy and paste or download as necessary.
If your SSH software has generated a set of keys for you, import these keys through the key manager by clicking the Import Key button.
In some control panels — such as the latest version of WHM — you cannot directly add or delete keys for other users. You can, however, delete the keys by navigating to the .ssh directory within the user’s home directory. Deleting any files in there with a .pub extension will stop the user from being able to authenticate that key in the future.
You can also add security to SSH by changing the port on which the server accepts SSH connections. The default port number is 22.
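The port is the Port directive in the sshd configuration file, and the mistake to avoid is leaving the file in a state sshd will not start from. The following added example (not cPanel or WHM code) rewrites that directive with a validated port number, keeps a single Port line, and leaves the original file untouched if anything fails. The config path is an argument, so the sample below uses a constructed file; on a real host the file is usually /etc/ssh/sshd_config, and you should run `sshd -t` and open the new port in the firewall before restarting the service.

```shell
#!/bin/sh
# Added example (not cPanel/WHM code): change the sshd listening port safely.
# Paths are passed in; the sample file used in testing is constructed.
set -eu

# Print the port sshd will use: the last uncommented Port line, else the default 22.
current_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# Replace the Port directive (or add one if absent). Refuses anything that is
# not an integer in 1..65535. Writes via a temp file so a failed edit leaves
# the original config intact; run `sshd -t` on the result before restarting.
set_port() {
    config=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v p="$port" '
        tolower($1) == "port" { if (!done) { print "Port " p; done = 1 }; next }
        { print }
        END { if (!done) print "Port " p }' "$config" > "$tmp"
    cat "$tmp" > "$config" && rm -f "$tmp"
}
```

A non-default port keeps automated scans of port 22 out of your logs, but it is obscurity rather than authentication: keep key-only logins regardless, and remember to allow the new port on the firewall before you close port 22, or you lock yourself out.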
It may be tempting to simply disable the SSH service altogether. Although this is possible and shouldn’t damage your system, it can make the system harder to administer when something goes wrong. Very occasionally, major errors occur whose only fix is through SSH, and if the service is disabled there is no way to restart it so that you can connect.