SSH: Secure Shell

Using SSH Key Authentication For ''rails'' User

To avoid having to enter the rails user password to access the server or when deploying using Capistrano see the section about installing a new ssh key.

You can also add an SSH public key to your profile within the control panel. This key will automatically be added to any new Brightboxes that are provisioned where you are the account owner or have a technical role.

The authorized_keys file is only generated when a Brightbox is created. There are no further automatic updates to the authorized_keys file so it is safe to manually add or remove keys. If you update your profile's SSH key later then existing boxes will not see the change.

This allows you to enter your key once and your key will be added to the rails user's account for any new server you manage.

Generating a new ssh key

Linux/UNIX/MacOSX command line

To generate a new private key named brightbox-key and matching public key named run the following command.

ssh-keygen -f brightbox-key -C "My brightbox key"

You will then need to include the name of your private key when you ssh to your brightbox:

ssh -i brightbox-key

Installing a new ssh key

Copy your public key up to your Brightbox:


Make sure the .ssh/ directory exists in the rails user home directory on your Brightbox, and has the correct permissions:

mkdir ~/.ssh
chmod 0700 ~/.ssh

Add your public key to the ~/.ssh/authorized_keys file on your Brightbox, and make sure it has the correct permissions:

cat >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys

You can add multiple keys with this method.

Direct Root Access

By default, direct SSH root access to Brightboxes is limited to key authentication, which is far stronger than using passwords. By default there are no ssh keys installed for the root user, so you'll need to generate and install one yourself. Follow the instructions on generating a new key then follow the instructions on installing the key but run the commands in a root shell (sudo bash).

You now need to tell ssh which IP addresses you'll be logging in as root from. Add AllowUsers directives at the bottom of the ssh config file (/etc/ssh/sshd_config) for every IP, hostname or network you'll need access from:

AllowUsers root@
AllowUsers root@70.84.143.*
AllowUsers root@*

Or allow it from everywhere:

AllowUsers root@*

Then reload ssh:

sudo /etc/init.d/ssh reload

Root password access

If you really want to access the root account directly using only a password, edit the /etc/ssh/sshd_config file and change the line PermitRootLogin without-password to PermitRootLogin yes, then reload ssh.

Then just set a password for the root account using the sudo passwd command.

docs/ssh.txt · Last modified: 2010/05/05 09:40 by paul