How to use public/private keys for SSH and SFTP (Mac OS)
Mac OS X is derived from Unix style operating systems, so understandably, the tools to manage SSH connections are already built in.
Public/private key authentication, as the name suggests, uses two special cryptographic key files (called keys) to authenticate your login. The private key remains on your computer and should be kept safe from unauthorised access. The public key can be freely installed on remote systems. It doesn't matter if your public key gets stolen or lost. Because only you have the private key you can always regenerate the public key again from it. The key files are just plain text - nothing magical. You can open them in TextEdit.app if you are curious!
- Create the keys
Open the Terminal application from the Applications/Utilities folder, or press - and search for Terminal using Spotlight.
Once Terminal is open, we need to change change directory to the hidden .ssh directory. Enter the following commands.
cd .sshThis should then echo this back to you:
/Users/[your user name]/.sshNow we need to generate your keypair. Enter the following command carefully:
ssh-keygen -t rsa -b 2048 -C "John Smith" -f johnJust replace John Smith with your own name (keeping the quotation marks, they're important!). Replace john with a single word (no spaces) that will help you identify the files that the command will generate. When you hit you will be asked to enter a Passphrase. Enter a STRONG passphrase including upper and lowercase letters, numbers, and symbols. Keep this passphrase somewhere secure so you can get to it later (you'll need it anytime you want to use your private key from a new computer).
Note: If your private key ever gets stolen, this password is your last line of defence. A private key with a weak or no passphrase is a gift to hackers! Generally speaking, a good 16 character passphrase will keep the world's most powerful computers at bay until the sun burns out!
In the above example, two files will be created in the hidden .ssh directory, john and john.pub
If you now enter the command
cat john.pubthen the contents of your public key will be printed to the terminal. It will look something like the below. Now, simply mark the whole of the key (as shown) and copy it into the clipboard.
- Setting up your cPanel account with your public key
Log into your cPanel account, and click on the SSH Access icon in the Security group of icons.Click the Manage SSH Keys button.Click the Import Key button to get the Import SSH Key screen.Paste your public key into the public key text box. Give your public key a name, as shown (this becomes the filename your public key is saved as) and click the Import button. If you don't give your key a name, it will default to being called id_dsa.The next step is to authorise your public key.Back on the Manage SSH Keys cPanel screen, click Manage for your key (as shown)
Then, on the Manage Authorization screen just click the Authorize button and you should receive a confirmation that the key has been authorised. That's it, you're now ready to use your private key!
- Log in using your keys
OK, lets leave the .ssh directory and go back to our local home directory on our Mac
cd ~/Now we have to connect to the webserver using the ssh command. We must tell ssh to use our private key.
ssh -p 722 -i .ssh/john [email protected]This tells ssh to connect using (-p) Port 722 and using (-i) Identity within the private keyfile at .ssh/john to hestia.krystal.co.uk as user krystald (phew!) - Just replace krystald with your own cPanel username and hestia.krystal.co.uk with your own Home Server name or your primary domain name.
Your Mac will now ask you for the password for your private key as below. Enter your password and tick the box to save the password to your keychain (read below!). If you don't tick the box, then next time you log out and back into your Mac and try this connection again, you will be asked for the password again.
You will probably get a message echoed in the terminal like Identity added: .ssh/john (.ssh/john) but if all goes well, you should have been logged in.
In future you won't have to specify your private key, so you can simply login using
ssh -p 722 [email protected]