{"id":8030,"date":"2025-03-19T10:48:01","date_gmt":"2025-03-19T10:48:01","guid":{"rendered":"https:\/\/cloudvpshosts.com\/kb\/?p=8030"},"modified":"2025-03-19T10:48:01","modified_gmt":"2025-03-19T10:48:01","slug":"setting-up-an-ssh-key","status":"publish","type":"post","link":"https:\/\/cloudvpshosts.com\/kb\/setting-up-an-ssh-key\/","title":{"rendered":"Setting up an SSH key"},"content":{"rendered":"<div id=\":w6\" class=\"Am aiL Al editable LW-avf tS-tW tS-tY\" tabindex=\"1\" role=\"textbox\" contenteditable=\"true\" spellcheck=\"false\" aria-label=\"Message Body\" aria-multiline=\"true\" aria-owns=\":11x\" aria-controls=\":11x\" aria-expanded=\"false\">\n<div dir=\"ltr\">\n<div dir=\"ltr\">\n<div>\n<h2 id=\"m_2309985735518863511gmail-introduction\">Introduction<\/h2>\n<p>In this tutorial you will learn how to work with an SSH key. This will include generating an SSH key pair, copying the public key to a remote device and deleting an SSH key pair.<\/p>\n<p>SSH key explained<\/p>\n<p>Secure Shell (SSH) is a network protocol that is used for encrypted communication between two devices. To establish an SSH connection, you can either use a password or an SSH key for authentication. A single SSH key pair has two components, a private key and a public key. Each key consists of a long string of characters.<\/p>\n<ul>\n<li>The public key uses a specific algorithm to encrypt messages.<\/li>\n<li>The private key uses a specific algorithm to decrypt messages.<\/li>\n<\/ul>\n<p>Only a private key can decrypt messages that have been encrypted with a public key and both keys have to be part of the same key pair. The public key is saved on all remote devices you want to connect to via the key. This means that anyone in possession of your private key can also decrypt all messages from that device. For this reason, the private key should always be kept secret and never be shared. 
One of the advantages of this authentication method is that it is more secure than passwords.<\/p>\n<p>SSH keys allow connections to be authenticated automatically. There are 4 main steps:<\/p>\n<ol>\n<li>The public key of the client has to be on the server.<\/li>\n<li>The server uses the public key to encrypt a random message that is then sent to the client.<\/li>\n<li>The client uses the private key to decrypt the message.<\/li>\n<li>If the message has been decrypted correctly, the connection is authenticated.<\/li>\n<\/ol>\n<p><img decoding=\"async\" src=\"https:\/\/ci3.googleusercontent.com\/meips\/ADKq_NaIBbQ5rGtTbzfRIzsOv7VZG7TB6ph2E4X7pbngEDwcvVyyHv4B8kUyIp9yzN-QMLl9zKlgjcbV-FYMurWqydrfOSCrEEVRuMrlUsDdzGDGX3RhCxe0GneL20U5Mga2hA=s0-d-e1-ft#https:\/\/community.hetzner.com\/fa8d004974c9f9119dac9036fcdeb518\/ssh-key.gif\" alt=\"ssh\" \/><\/p>\n<p>Prerequisites<\/p>\n<ul>\n<li>Basic knowledge about the Hetzner Cloud<\/li>\n<li>CLI tool<\/li>\n<\/ul>\n<p>Example terminology<\/p>\n<ul>\n<li>Username: holu<\/li>\n<li>IPv4: &lt;10.0.0.1&gt;<\/li>\n<\/ul>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address in all example commands.<\/p>\n<h2 id=\"m_2309985735518863511gmail-step-1---generating-an-ssh-key\">Step 1 \u2013 Generating an SSH key<\/h2>\n<p>To create an SSH key on your local device, please open your CLI. Generally, it is enough to run\u00a0<code>ssh-keygen<\/code>\u00a0without any further options. 
This will create an\u00a0<code>RSA<\/code>\u00a0key by default.<\/p>\n<pre><code>ssh-keygen<\/code><\/pre>\n<p>It is also possible to provide additional information about key type and key size.<\/p>\n<p>Options:<\/p>\n<ul>\n<li><code>-t<\/code>\u00a0specifies the key type<\/li>\n<li><code>-b<\/code>\u00a0specifies the key size<\/li>\n<\/ul>\n<p>Type:<\/p>\n<ul>\n<li><code>rsa<\/code><\/li>\n<li><code>ed25519<\/code><\/li>\n<li><code>dsa<\/code><\/li>\n<li><code>ecdsa<\/code><\/li>\n<\/ul>\n<p>Depending on the type, different algorithms are used. DSA and ECDSA both include a parameter (<code>k<\/code>) that can be problematic in terms of security. If the same value of\u00a0<code>k<\/code>\u00a0is used twice, attackers can use this information to recover the\u00a0private key. Mathematically, Ed25519 is probably one of the strongest keys. If your device does not support this key, you can also generate an RSA key.<\/p>\n<ol>\n<li>Ed25519 key<br \/>Ed25519 is considered to be very secure. It is supported by OpenSSH 6.5 (2014) and all versions that followed. If your device does support this key, we recommend using it. The key size is fixed and cannot be changed.<br \/><code>$ ssh-keygen -t ed25519<\/code><\/li>\n<li>RSA key<br \/>Compared to other keys, RSA can be considered to be relatively old. It is not quite as secure as an Ed25519 key. RSA has a default key size of 3072 bits and should never be under 1024 bits. To increase security, you can set the key size to be 4096 bits.<br \/><code>$ ssh-keygen -t rsa -b 4096<\/code><\/li>\n<li>ECDSA key<br \/>ECDSA is supported by OpenSSH 5.7 (2011) and all versions that followed. You can set the key size to be 256, 384 or 521 bits. The default setting is 256 bits.<\/li>\n<li>DSA key<br \/>DSA is considered to be relatively insecure. Support ended with OpenSSH 7.0 (2017). 
The key size is fixed as 1024 bits and cannot be changed.<\/li>\n<\/ol>\n<p>Once you run the command to generate an SSH key, you should get an output that looks like this:<\/p>\n<pre><code>Generating public\/private &lt;type&gt; key pair.\r\nEnter file in which to save the key (\/&lt;your_home&gt;\/.ssh\/id_&lt;type&gt;):<\/code><\/pre>\n<p>The default location to save the key is\u00a0<code>\/&lt;your_home&gt;\/.ssh\/id_&lt;type&gt;<\/code><wbr \/>. You can press\u00a0<code>ENTER<\/code>\u00a0to confirm the default setting or specify another location. If possible, you should keep the default. This way, the SSH client will be able to find the key automatically when authenticating. If you already have an SSH key of the same type, you might get something like this:<\/p>\n<pre><code>\/home\/your_home\/.ssh\/id_&lt;type&gt; already exists.\r\nOverwrite (y\/n)?<\/code><\/pre>\n<p>If you enter\u00a0<code>y<\/code>, the existing SSH key will be overwritten and you will no longer be able to use it.<\/p>\n<p>Once the location is set, you should be asked to set a passphrase.<\/p>\n<pre><code>Enter passphrase (empty for no passphrase):\r\nEnter same passphrase again:<\/code><\/pre>\n<p>A passphrase increases security even further. If you set a passphrase, you will be asked to enter it every time you use your key. If you press\u00a0<code>ENTER<\/code>\u00a0without entering a passphrase, your SSH key will not have a passphrase. Output:<\/p>\n<pre><code>Your identification has been saved in \/&lt;your_home&gt;\/.ssh\/id_&lt;type&gt;\r\nYour public key has been saved in \/&lt;your_home&gt;\/.ssh\/id_&lt;type&gt;.<wbr \/>pub<\/code><\/pre>\n<p>The SSH key has now been generated and has been saved in the location you set earlier.<\/p>\n<h2 id=\"m_2309985735518863511gmail-step-2---opening-the-ssh-key\">Step 2 \u2013 Opening the SSH key<\/h2>\n<p>When you generate an SSH key, an SSH directory with several files is created too. 
Important files include:<\/p>\n<ul>\n<li><code>id_&lt;type&gt;<\/code><\/li>\n<li><code>id_&lt;type&gt;.pub<\/code><\/li>\n<li><code>authorized_keys<\/code><\/li>\n<\/ul>\n<p>The\u00a0<code>id_&lt;type&gt;<\/code>\u00a0file is for the\u00a0private key. This file should never be shared with anyone else.<\/p>\n<p>The\u00a0<code>id_&lt;type&gt;.pub<\/code>\u00a0file is for the\u00a0public key. This is the part you have to share with remote devices you want to connect to via an SSH key. On those remote devices, the public key will be saved in the\u00a0<code>authorized_keys<\/code>\u00a0file.<\/p>\n<p>The\u00a0<code>authorized_keys<\/code>\u00a0file is for\u00a0public keys\u00a0of all devices that are allowed to connect to the device via an SSH key. The format of this file is one key per line. It is not possible to connect to a remote device via an SSH key, unless the\u00a0public key\u00a0is in this file.<\/p>\n<p>Use the following command to open the SSH directory:<\/p>\n<pre><code>cd ~\/.ssh<\/code><\/pre>\n<p>You can use\u00a0<code>ls<\/code>\u00a0to list all files within the directory. You can open the files with\u00a0<code>cat<\/code>\u00a0followed by the filename. You can use the following command to open your public key:<\/p>\n<pre><code>cat id_&lt;type&gt;.pub<\/code><\/pre>\n<p>Please replace\u00a0<code>&lt;type&gt;<\/code>\u00a0with the actual name of your file.<\/p>\n<h2 id=\"m_2309985735518863511gmail-step-3---connecting-to-the-server\">Step 3 \u2013 Connecting to the server<\/h2>\n<p>Three important SSH key files have already been explained in step 2. But there is one other file that should also be mentioned.<\/p>\n<ul>\n<li><code>known_hosts<\/code><\/li>\n<\/ul>\n<p>This file is needed when you connect to another device. Every remote device has a unique fingerprint that is saved in this file. If you connect to your server for the\u00a0first time, you should be aware of a few things. 
Connect via SSH:<\/p>\n<pre><code>$ ssh holu@&lt;10.0.0.1&gt;<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address.<\/p>\n<p>The first time you connect to your server, there will be a warning about\u00a0<i>host authenticity<\/i>. You can enter\u00a0<i>yes<\/i>. The fingerprint shown in the warning will be saved locally in the\u00a0<code>known_hosts<\/code>\u00a0file and it will automatically be recognized in the future when you try to connect to this IP address. You can think of this fingerprint as a unique identifier of the server. Usually, this fingerprint should never change. However, if you delete your cloud server, for example, this fingerprint will no longer be valid. The fingerprint does not get removed from the\u00a0<code>known_hosts<\/code>\u00a0file automatically. If you try to connect to this IP address after the fingerprint has changed, the remote device will send the new fingerprint to your system but it will no longer match the one in your\u00a0<code>known_hosts<\/code>\u00a0file. Your system will identify the old fingerprint in your\u00a0<code>known_hosts<\/code>\u00a0file as\u00a0invalid\u00a0and you will see a warning like this:<\/p>\n<pre><code>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<wbr \/>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     
@\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ECDSA key sent by the remote host is\r\nSHA256:XEBOdibbPpSSWWZZ+0VO6ayoCjFghKys0FfVE6EDWZz.\r\nPlease contact your system administrator.\r\nAdd correct host key in \/home\/user\/.ssh\/known_hosts to get rid of this message.\r\nOffending ECDSA key in \/home\/user\/.ssh\/known_hosts:7\r\n  remove with:\r\n  ssh-keygen -f \"\/home\/user\/.ssh\/known_hosts\" -R \"&lt;10.0.0.1&gt;\"\r\nECDSA host key for &lt;10.0.0.1&gt; has changed and you have requested strict checking.\r\nHost key verification failed.<\/code><\/pre>\n<p>If there is no warning, you can continue with step 4.<\/p>\n<p>If you do get a warning but you have not made any drastic changes on your remote system, you should take this warning seriously and find out more about the reason for this warning.<\/p>\n<p>If you do get a warning and you know the reason for it (e.g. you deleted the cloud server), you can remove the old fingerprint from the\u00a0<code>known_hosts<\/code>\u00a0file. There are two ways to do that:<\/p>\n<ul>\n<li>One way to remove the old fingerprint from the\u00a0<code>known_hosts<\/code>\u00a0file is to use the command given in the warning:<br \/><code>ssh-keygen -f \"\/home\/user\/.ssh\/known_hosts\" -R \"&lt;10.0.0.1&gt;\"<\/code><br \/>Output:<br \/><code># Host &lt;10.0.0.1&gt; found: line 7 \/home\/user\/.ssh\/known_hosts updated. 
Original contents retained as \/home\/user\/.ssh\/known_hosts.old user@DESKTOP-KS9IKCH:\/mnt\/c\/Users\/user$<\/code><br \/>This method not only removes the fingerprint from the file but also saves this fingerprint in\u00a0<code>known_hosts.old<\/code>\u00a0in case you need it again.<br \/>If you do not need a copy of the original\u00a0<code>known_hosts<\/code>\u00a0file, you can delete the\u00a0<code>known_hosts.old<\/code>\u00a0file and all its contents with\u00a0<code>rm -v known_hosts.old<\/code>\u00a0or you can use the second way to remove the fingerprint from the\u00a0<code>known_hosts<\/code>\u00a0file manually. Once the invalid fingerprint has been removed from the file, you can use\u00a0<code>ssh holu@&lt;10.0.0.1&gt;<\/code>\u00a0to connect to your server again. This time, there should only be a warning about\u00a0<i>host authenticity<\/i>. You can enter\u00a0<i>yes<\/i>\u00a0to save the new fingerprint in the\u00a0<code>known_hosts<\/code>\u00a0file.<\/li>\n<li>Another way to remove the fingerprint from the\u00a0<code>known_hosts<\/code>\u00a0file is doing it manually. If you have more than one fingerprint in your file, you can refer to the warning. The line\u00a0<code>Offending ECDSA key in \/home\/user\/.ssh\/known_hosts:7<\/code>\u00a0states in which line the fingerprint is saved. In this example it is line 7. Alternatively, you can also use the following command to display the whole fingerprint:<br \/><code>ssh-keygen -H -F &lt;10.0.0.1&gt;<\/code><br \/>Please replace\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address.<br \/>Output:<br \/><code># Host &lt;10.0.0.1&gt; found: line 7 |1|vlQvhfjekla23lPqnDMjklop5E=|343Pfd964BZxg3kfdIEYKLue42uQ= ecdsa-sha2-nistp256 AAAAE2VjZHjklJKLYTItbmfdsKAyNTYAAAAIbmlzJKLDDDAAABBBOyVkmJKSShh7Q\/do3InvWpiCZUavyko8FzBs7G+KhaP8X0xshjkldJJDSARqQF0IURm4jkl322sYn8OkIIl2tdzPeUMc=<\/code><br \/>In the output of this example you can see the full fingerprint for the IP address. 
It also shows that it is in line 7 of the\u00a0<code>known_hosts<\/code>\u00a0file. You can now use\u00a0<code>nano<\/code>\u00a0to open and edit the\u00a0<code>known_hosts<\/code>\u00a0file.<br \/><code>$ nano ~\/.ssh\/known_hosts<\/code><br \/>Next, you can remove the old fingerprint for the IP address. Once you are done, you can use\u00a0<code>CTRL<\/code>+<code>X<\/code>\u00a0to save the file,\u00a0<code>Y<\/code>\u00a0to confirm and\u00a0<code>ENTER<\/code>\u00a0to close the file.<br \/>Now that the invalid fingerprint has been removed, you can enter\u00a0<code>ssh holu@&lt;10.0.0.1&gt;<\/code>\u00a0to try to connect to your server. This time, there should only be a warning about\u00a0<i>host authenticity<\/i>. You can enter\u00a0<i>yes<\/i>\u00a0to save the new fingerprint in the\u00a0<code>known_hosts<\/code>\u00a0file.<\/li>\n<\/ul>\n<h2 id=\"m_2309985735518863511gmail-step-4---adding-an-ssh-key-to-a-server\">Step 4 \u2013 Adding an SSH key to a server<\/h2>\n<p>Once you know how to generate an SSH key and how to connect to the remote device, you can add the public key to your remote device. Please note that you will have to authenticate. This means that you will have to know your password or, if you are using another SSH key, that the corresponding public key must have already been added to the user.<\/p>\n<p>There are several ways to add an SSH key to a remote device. Probably the easiest way to do this is using the\u00a0<code>ssh-copy-id<\/code>\u00a0command. 
If you cannot use this command, you can use one of the following options instead.<\/p>\n<table>\n<thead>\n<tr>\n<th><\/th>\n<th>Commands<\/th>\n<th colspan=\"2\">Requirements<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Option 1<\/td>\n<td><code>ssh-copy-id<\/code><\/td>\n<td>Logged in on the local device (Client)<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>Option 2<\/td>\n<td><code>cat<\/code>\u00a0<code>mkdir<\/code><\/td>\n<td>Logged in on the local device (Client)<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>Option 3<\/td>\n<td><code>cd<\/code>\u00a0<code>cat<\/code>\u00a0<code>nano<\/code><\/td>\n<td>Logged in on the local device (Client)<\/td>\n<td>Logged in on the remote device (Server)<\/td>\n<\/tr>\n<tr>\n<td>Option 4<\/td>\n<td><code>rsync<\/code><\/td>\n<td><\/td>\n<td>Logged in on the remote device (Server)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>With\u00a0options 1\u00a0and\u00a02\u00a0the public key is automatically copied from your local device (client) and automatically pasted to the\u00a0<code>authorized_keys<\/code>\u00a0file on your remote device (server).<\/p>\n<p>With\u00a0option 3\u00a0the public key is manually copied from your local device (client) and manually pasted to the\u00a0<code>authorized_keys<\/code>\u00a0file on your remote device (server).<\/p>\n<p>With\u00a0option 4\u00a0the whole SSH directory of one user (user 1) on your remote device (server) is copied to another user (user 2) on your remote device (server). For this option, you must have already added your public key to user 1, for example with one of the other three options.<\/p>\n<p>It is enough to choose\u00a0one\u00a0of the four options above and to skip the other ones.<\/p>\n<h4 id=\"m_2309985735518863511gmail-option-1\">Option 1<\/h4>\n<p>This option is probably the easiest of them all. If you only have a single SSH key, you can simply run the command below. 
Please note that you will be asked to enter the password of the user you are trying to connect to.<\/p>\n<pre><code>$ ssh-copy-id holu@&lt;10.0.0.1&gt;<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address. The public key will automatically be copied from your local device and automatically be added to the\u00a0<code>authorized_keys<\/code>\u00a0file on the remote device (IP address).<\/p>\n<p>If you have more than one SSH key on your local device, you should also add the file name of the key you would like to add to the remote user.<\/p>\n<pre><code>$ ssh-copy-id -i ~\/.ssh\/id_&lt;type&gt;.pub holu@&lt;10.0.0.1&gt;<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address. Also,\u00a0<code>&lt;type&gt;<\/code>\u00a0needs to be replaced with the actual type of your SSH key in order to match the file name the local machine is supposed to copy the public SSH key from. In case you are not sure about the correct name of the file, you can use\u00a0<code>ls ~\/.ssh<\/code>\u00a0to list all files that are saved in the SSH directory. One of those files should be named like this\u00a0<code>id_&lt;type&gt;.pub<\/code>. After you run the\u00a0<code>ssh-copy-id<\/code>\u00a0command, the public key will automatically be copied from your local device and automatically be pasted to the\u00a0<code>authorized_keys<\/code>\u00a0file on your remote device.<\/p>\n<p>The SSH key has now been saved and will be used automatically the next time you connect to your server.<\/p>\n<h4 id=\"m_2309985735518863511gmail-option-2\">Option 2<\/h4>\n<p>If you cannot use\u00a0<code>ssh-copy-id<\/code>, you can also use the command below as an alternative. 
Please note that you will be asked to enter the password of the user you are trying to connect to.<\/p>\n<pre><code>$ cat ~\/.ssh\/id_&lt;type&gt;.pub | ssh holu@&lt;10.0.0.1&gt; \"mkdir -p ~\/.ssh &amp;&amp; cat &gt;&gt; ~\/.ssh\/authorized_keys\"<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address. Also,\u00a0<code>&lt;type&gt;<\/code>\u00a0needs to be replaced with the actual type of your SSH key in order to match the file name the local machine is supposed to copy the public SSH key from. In case you are not sure about the correct name of the file, you can use\u00a0<code>ls ~\/.ssh<\/code>\u00a0to list all files that are saved in the SSH directory. One of those files should be named like this\u00a0<code>id_&lt;type&gt;.pub<\/code>. The\u00a0<code>&gt;&gt;<\/code>\u00a0part in the command above ensures that the original file will not be overwritten. Instead, the new key will be added in the next free line. After you run the command, the public key will automatically be copied from your local device and automatically be pasted to the\u00a0<code>authorized_keys<\/code>\u00a0file on your remote device.<\/p>\n<p>The SSH key has now been saved and will be used automatically the next time you connect to your server.<\/p>\n<h4 id=\"m_2309985735518863511gmail-option-3\">Option 3<\/h4>\n<p>In order to add an SSH key on a remote device, you need to copy the public key from the local device first. To do so, open the file the public key is saved in. If you are not sure about the file name, you can use\u00a0<code>ls ~\/.ssh<\/code>\u00a0to list all files that are within the SSH directory. 
Use\u00a0<code>cat<\/code>\u00a0followed by the filename to open the file:<\/p>\n<pre><code>$ cat ~\/.ssh\/id_&lt;type&gt;.pub<\/code><\/pre>\n<p>Copy the whole output, starting with the key type\u00a0<code>ssh-&lt;type&gt;<\/code>.<\/p>\n<pre><code>ssh-&lt;type&gt; AAA...fjdkl== holu@example<\/code><\/pre>\n<p>Next, connect to the remote device to add the key. Open a second CLI window and use the command below.<\/p>\n<pre><code>$ ssh holu@&lt;10.0.0.1&gt;<\/code><\/pre>\n<p>Now that you are connected, check if there is an SSH directory.<\/p>\n<pre><code>$ ls -l ~\/.ssh\/<\/code><\/pre>\n<p>If there is an SSH directory, it will list all its contents. If this user does not have an SSH directory, your output should be something like\u00a0<code>ls: cannot access '\/home\/new\/.ssh\/': No such file or directory<\/code>. In this case, you will have to add an SSH directory.<\/p>\n<ul>\n<li>Creating an SSH directory<br \/><code>$ mkdir -p ~\/.ssh<\/code><br \/>Now change the permissions:<br \/><code>$ chmod 700 ~\/.ssh<\/code><br \/>Next you can create the\u00a0<code>authorized_keys<\/code>\u00a0file within this directory. Use\u00a0<code>cd ~\/.ssh<\/code>\u00a0to open the SSH directory and run the following command:<br \/><code>$ touch authorized_keys<\/code><br \/>Now change the permissions:<br \/><code>$ chmod 600 ~\/.ssh\/authorized_keys<\/code><\/li>\n<\/ul>\n<p>Once you have an\u00a0<code>authorized_keys<\/code>\u00a0file, you can add the public key. Use\u00a0<code>nano<\/code>\u00a0to open the\u00a0<code>authorized_keys<\/code>\u00a0file:<\/p>\n<pre><code>$ nano ~\/.ssh\/authorized_keys<\/code><\/pre>\n<p>Next, add the public key from your local device. You can go back to your first CLI window to copy it (<code>cat ~\/.ssh\/id_&lt;type&gt;.pub<\/code>). The format of the\u00a0<code>authorized_keys<\/code>\u00a0file is one key per line. This means that you have to remove any line breaks from your public key until it is a one-liner. You can add more public keys in the lines below \u2013 again, one key per line. 
Once you are done, you can use\u00a0<code>CTRL<\/code>+<code>X<\/code>\u00a0to save the file,\u00a0<code>Y<\/code>\u00a0to confirm and\u00a0<code>ENTER<\/code>\u00a0to close the file.<\/p>\n<p>The SSH key has now been saved and will be used automatically the next time you connect to your server.<\/p>\n<h4 id=\"m_2309985735518863511gmail-option-4\">Option 4<\/h4>\n<p>The approaches shown above simply add a new SSH key to the\u00a0<code>authorized_keys<\/code>\u00a0file of the remote user. If you have been using another user (u1) for a while now and there is already a lot of data in the\u00a0<code>.ssh<\/code>\u00a0directory that you would like to keep, you can also copy the whole\u00a0<code>.ssh<\/code>\u00a0directory from your other user (u1) to your new user (u2). Open a CLI and connect to your remote device as the old user (u1).<\/p>\n<pre><code>$ ssh user@&lt;10.0.0.1&gt;<\/code><\/pre>\n<p>Please replace\u00a0<code>user<\/code>\u00a0with your own username (u1) and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address. Next, use the following command to add the SSH directory to your new user (u2):<\/p>\n<pre><code># rsync --archive --chown=holu:holu ~\/.ssh \/home\/holu<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username (u2). This command automatically modifies the file owner. Please ensure that\u00a0<code>~\/.ssh<\/code>\u00a0does\u00a0not end with a trailing slash\u00a0<del><code>~\/.ssh\/<\/code><\/del>\u00a0or otherwise this command will not work properly.<\/p>\n<h2 id=\"m_2309985735518863511gmail-step-5---testing-the-ssh-key\">Step 5 \u2013 Testing the SSH key<\/h2>\n<p>Now that the public SSH key has been added to the user\u2019s\u00a0<code>authorized_keys<\/code>\u00a0file, you can test authenticating with it. Use\u00a0<code>CTRL<\/code>+<code>D<\/code>\u00a0on your second CLI window to close the connection to your remote device. 
Then reconnect to it:<\/p>\n<pre><code>$ ssh holu@&lt;10.0.0.1&gt;<\/code><\/pre>\n<p>Please replace\u00a0<code>holu<\/code>\u00a0with your own username and\u00a0<code>&lt;10.0.0.1&gt;<\/code>\u00a0with your own IP address. If this is the first time you connect to your server, please be aware of the remarks in\u00a0<a href=\"https:\/\/community.hetzner.com\/tutorials\/howto-ssh-key#step-3---connecting-to-the-server\" target=\"_blank\" rel=\"noopener\">step 3<\/a>.<\/p>\n<p>If your SSH key has a passphrase, you will be asked to enter it now. You should now be connected to your server.<\/p>\n<h2 id=\"m_2309985735518863511gmail-step-6---adding-changing-or-deleting-the-ssh-key-passphrase\">Step 6 \u2013 Adding, changing or deleting the SSH key passphrase<\/h2>\n<p>You can add, change and delete the passphrase to your private SSH key on your local device. Please note that you have to know your current passphrase. You will no longer be able to use your SSH key if you have forgotten your passphrase. If you did forget your passphrase, you might want to consider deleting your SSH key as described in the next step and creating a new one with\u00a0<code>ssh-keygen<\/code>. If you remember your passphrase, you can use the following command to make changes to it:<\/p>\n<pre><code>$ ssh-keygen -p<\/code><\/pre>\n<p>Output:<\/p>\n<pre><code>Enter file in which the key is (\/root\/.ssh\/id_rsa):<\/code><\/pre>\n<p>Enter the file path of your SSH key. If you saved your key in the default location, you can copy the path in the output\u00a0<code>\/root\/.ssh\/id_rsa<\/code>\u00a0and replace\u00a0<code>rsa<\/code>\u00a0with your key type.<\/p>\n<p>If your SSH key already has a passphrase, you will be asked to enter it now. 
Next, enter a new passphrase and repeat it to confirm. If you want to remove the passphrase, you can simply skip this step by pressing\u00a0<code>ENTER<\/code>.<\/p>\n<h2 id=\"m_2309985735518863511gmail-step-7---deleting-the-ssh-key\">Step 7 \u2013 Deleting the SSH key<\/h2>\n<p>If you stop using a certain SSH key, you might want to delete not only the corresponding files on your local device but also the public keys from the\u00a0<code>authorized_keys<\/code>\u00a0files on remote devices.<\/p>\n<ul>\n<li>You can do this manually. Connect to the user that has your public key in the\u00a0<code>authorized_keys<\/code>\u00a0file. Then, open the file:<br \/><code>$ nano ~\/.ssh\/authorized_keys<\/code><br \/>Remove your public key but do not delete any other keys. After you save the file, you will no longer be able to connect to the server via this SSH key. So please make sure that your new key or password authentication is working. Once you are done, you can use\u00a0<code>CTRL<\/code>+<code>X<\/code>\u00a0to save the file,\u00a0<code>Y<\/code>\u00a0to confirm and\u00a0<code>ENTER<\/code>\u00a0to close the file.<\/li>\n<\/ul>\n<p>Use\u00a0<code>rm<\/code>\u00a0to remove the files of your key pair from your local device:<\/p>\n<pre><code>rm ~\/.ssh\/id_&lt;type&gt;<\/code><\/pre>\n<pre><code>rm ~\/.ssh\/id_&lt;type&gt;.pub<\/code><\/pre>\n<h2 id=\"m_2309985735518863511gmail-conclusion\">Conclusion<\/h2>\n<p>In the previous steps you learned how to generate an SSH key, add an SSH key to a server, add, change or delete the SSH key passphrase, and delete the SSH key.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction In this tutorial you will learn how to work with an SSH key. This will include generating an SSH key pair, copying the public key to a remote device and deleting an SSH key pair. SSH key explained Secure Shell (SSH) is a network protocol that is used for encrypted communication between two devices. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":8031,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[228,226,229],"class_list":["post-8030","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-dedicated-server","tag-linux","tag-vps"],"_links":{"self":[{"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/posts\/8030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/comments?post=8030"}],"version-history":[{"count":1,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/posts\/8030\/revisions"}],"predecessor-version":[{"id":8032,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/posts\/8030\/revisions\/8032"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/media\/8031"}],"wp:attachment":[{"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/media?parent=8030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/categories?post=8030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudvpshosts.com\/kb\/wp-json\/wp\/v2\/tags?post=8030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}