Secure Shell (SSH) access grants you command-line interface (CLI) access to your web server. SSH key authentication provides a secure, passwordless way to connect to your Linux VPS or dedicated server. It replaces vulnerable password-based logins with a cryptographic key pair: a private key that stays on your local machine and a public key that resides on the server. This method defeats password brute-force attacks, enables secure automation, and is the recommended standard for all InMotion Hosting VPS and dedicated servers with root or sudo access.
This comprehensive guide combines the complete process of generating SSH keys across Windows, Linux, and macOS with full server-side configuration for key-based authentication. It is written for users with a Linux VPS (Ubuntu, AlmaLinux, Debian, or similar) running OpenSSH.
How SSH Key Authentication Works
When you connect via SSH with key authentication, the server issues a cryptographic challenge. Your local machine uses the private key to respond, proving ownership without ever sending the key or a password over the network. If you protect the private key with a passphrase, that passphrase is only entered locally.
Key advantages over passwords:
- No password is transmitted or stored on the server.
- Immune to brute-force and dictionary attacks.
- Supports scripted/automated connections without exposing credentials.
Prerequisites
Before starting:
- A Linux VPS or Dedicated Server with root or sudo access.
- Initial SSH access using password authentication (you will disable this at the end).
- Local machine running Linux, macOS, or Windows 10/11 with OpenSSH client installed (native on macOS and modern Windows).
- Basic terminal familiarity.
Note: Shared or Reseller Hosting uses a different SSH process. This guide is for VPS/dedicated servers with full root access.
Step 1: Generate an SSH Key Pair on Your Local Machine
Generate the key pair on your local computer, never on the server. The current best practice is to use the Ed25519 algorithm (faster and more secure than RSA). For maximum compatibility with older systems, you may use RSA 4096-bit keys.
Generating SSH Keys on Linux or macOS (Terminal)
- Open your Terminal application.
- Run the recommended command:
ssh-keygen -t ed25519 -C "your_identifier"
(Replace your_identifier with something descriptive like work-laptop or your email address.)
- When prompted for the file location, press Enter to accept the default (~/.ssh/id_ed25519).
- Enter a strong passphrase (recommended) and confirm it.
Alternative (RSA 4096-bit for legacy compatibility):
ssh-keygen -t rsa -b 4096 -C "your_identifier"
After generation, set correct permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
Generating SSH Keys on Windows with PowerShell (OpenSSH)
Windows 10/11 includes OpenSSH natively.
- Open PowerShell as Administrator.
- Run:
ssh-keygen -t ed25519 -C "your_identifier"
- Accept the default file location by pressing Enter.
- Enter and confirm a strong passphrase.
- (Optional but recommended) Set correct permissions on the public key:
cd ~/.ssh
icacls id_ed25519.pub /inheritance:r
icacls id_ed25519.pub /grant:r "$env:USERNAME:(R)"
Alternative (RSA 4096-bit):
ssh-keygen -t rsa -b 4096 -C "your_identifier"
Generating SSH Keys on Windows with PuTTY (Graphical Method)
For users who prefer a GUI:
- Download and open PuTTYgen.
- Select Ed25519 (preferred) or RSA with 4096 bits.
- Click Generate and move your mouse in the blank area to create randomness.
- (Optional) Add a comment and a strong passphrase.
- Click Save private key (.ppk file) and Save public key.
- Copy the public key text from the top box for later use.
Save both files in C:\Users\YourUsername\.ssh.
Step 2: Copy the Public Key to Your Linux VPS
Option A: Using ssh-copy-id (Linux/macOS – Recommended)
From your local machine:
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@your-server-ip
(Replace username with root or your sudo user, and your-server-ip with the VPS IP.)
This command automatically creates ~/.ssh/authorized_keys, sets permissions, and copies the key.
Option B: Manual Copy (Windows or When ssh-copy-id Is Unavailable)
- On your local machine, display the public key:
cat ~/.ssh/id_ed25519.pub
(Or open the .pub file and copy its entire contents.)
- SSH into your server with your current password:
ssh username@your-server-ip
- On the server, create the directory and file:
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
- Paste the public key on a single line and save/exit.
- Set strict permissions (critical for security):
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
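An added check for the paste and permission steps above (not part of the original guide): it flags an .ssh directory or authorized_keys file whose mode differs from 700/600, and any line that is not a complete single-line public key. The key strings and the make_sample helper are constructed for illustration.

```shell
#!/bin/sh
# Added example. Step 2 sets 700 on ~/.ssh and 600 on authorized_keys; sshd's
# StrictModes (on by default) refuses keys when these are group/world-writable.

# mode_of PATH: print octal permission bits (GNU stat first, BSD/macOS fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# A key entry: optional options, a key type, then base64 that starts with "AAAA".
KEY_RE='(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-[^[:space:]]+|sk-[^[:space:]]+)[[:space:]]+AAAA[A-Za-z0-9+/]+=*([[:space:]]|$)'

# audit_ssh_dir DIR: print one finding per line; exit status = number of findings.
audit_ssh_dir() {
    dir=$1; ak=$dir/authorized_keys; findings=0; lineno=0
    note() { echo "$1"; findings=$((findings + 1)); }

    [ "$(mode_of "$dir")" = 700 ] || note "$dir: mode $(mode_of "$dir"), expected 700"
    if [ ! -f "$ak" ]; then note "$ak: missing"; return "$findings"; fi
    [ "$(mode_of "$ak")" = 600 ] || note "$ak: mode $(mode_of "$ak"), expected 600"

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '' | '#'*) continue ;;
            *'PRIVATE KEY'*) note "line $lineno: private key material, remove it"; continue ;;
        esac
        # A wrapped paste leaves a continuation line with no key type on it.
        printf '%s\n' "$line" | grep -Eq "$KEY_RE" ||
            note "line $lineno: not a complete public key (wrapped or truncated paste?)"
    done < "$ak"
    return "$findings"
}

# make_sample DIR: constructed data with two mistakes, a group-writable
# directory and an RSA key that was wrapped onto a second line.
make_sample() {
    mkdir -p "$1" && chmod 770 "$1"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEY work-laptop' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQEXAMPLEEXAMPLE' \
        'EXAMPLEEXAMPLEEXAMPLE== old-desktop' > "$1/authorized_keys"
    chmod 600 "$1/authorized_keys"
}
```

On the server, call audit_ssh_dir "$HOME/.ssh" after pasting the key; no output and exit status 0 mean the directory matches what this step sets up.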
Step 3: Test Key Authentication
Open a new terminal window (do not close your existing session) and test:
ssh -i ~/.ssh/id_ed25519 username@your-server-ip
If successful, you will connect without a server password prompt (you may still be asked for your local key passphrase). Always test before proceeding to the next step.
Step 4: Harden the SSH Configuration (Disable Password Authentication)
Once key authentication is confirmed:
- On the server, edit the SSH daemon config:
sudo nano /etc/ssh/sshd_config
- Make the following changes (uncomment or add as needed):
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
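Optional but recommended for extra security:
Change the SSH port by setting the Port directive (reduces automated scanning; the firewall and connection commands later in this guide use 2222 as the example port).
Restrict direct root login (prohibit-password lets root log in with a key but never with a password; use a sudo user instead where you can):
PermitRootLogin prohibit-password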
- Save and exit.
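An added example, not from the original guide, for confirming that the Step 4 edits actually take effect: sshd uses the first value it reads for a keyword, so a drop-in file pulled in by an Include line near the top of sshd_config can override a PasswordAuthentication no placed further down. The files built by make_sample are constructed, and Include paths are assumed to be absolute.

```shell
#!/bin/sh
# Added example. Resolves the global value sshd would use for a keyword by
# reading the config in order and keeping the first value seen.

# flatten FILE: print "keyword value" for global directives in read order.
# Follows Include (absolute paths assumed) and stops reading a file at its
# first Match block, because lines after Match are conditional.
flatten() {
    while read -r kw val || [ -n "$kw" ]; do
        kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')  # keywords are case-insensitive
        case $kw in
            '' | '#'*) ;;
            match) break ;;
            include) for inc in $val; do [ -f "$inc" ] && flatten "$inc"; done ;;
            *) printf '%s %s\n' "$kw" "$val" ;;
        esac
    done < "$1"
    return 0
}

# effective KEYWORD FILE: the first value set, or empty if it is never set.
effective() {
    flatten "$2" | awk -v k="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" \
        '$1 == k && !seen++ { print $2 }'
}

# check_hardening FILE: exit status = number of settings that differ from Step 4.
check_hardening() {
    bad=0
    for want in passwordauthentication=no pubkeyauthentication=yes; do
        key=${want%%=*}
        got=$(effective "$key" "$1"); got=${got:-yes}  # OpenSSH defaults both to yes
        [ "$got" = "${want#*=}" ] && continue
        echo "$key is effectively '$got', expected '${want#*=}'"
        bad=$((bad + 1))
    done
    return "$bad"
}

# make_sample DIR: constructed files; the drop-in is read before the edited line.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'PasswordAuthentication yes' > "$1/sshd_config.d/50-example.conf"
    printf '%s\n' "Include $1/sshd_config.d/*.conf" '#PubkeyAuthentication yes' \
        'PasswordAuthentication no' 'Match User backup' 'PasswordAuthentication yes' \
        > "$1/sshd_config"
}
```

On the server itself, sudo sshd -t validates the edited file before the restart, and sudo sshd -T | grep -i passwordauthentication prints the value the daemon will actually use.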
Step 5: Restart the SSH Service and Apply Changes
sudo systemctl restart sshd
(On some distributions the service is named ssh instead of sshd.)
If you changed the port, update your firewall:
- firewalld (AlmaLinux/CentOS):
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
- ufw (Ubuntu/Debian):
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
Test the new connection immediately in a new terminal using the updated port if changed:
ssh -i ~/.ssh/id_ed25519 -p 2222 username@your-server-ip
Step 6: Manage Keys for Convenience (SSH Agent and Config File)
Add Keys to the SSH Agent
To avoid entering your passphrase every time:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
On macOS, use:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
Use an SSH Config File for Multiple Servers
Create or edit ~/.ssh/config on your local machine:
Example:
Host production-vps
HostName your-server-ip
User yourusername
IdentityFile ~/.ssh/id_ed25519
Port 2222
Host staging-vps
HostName staging-ip
User deploy
IdentityFile ~/.ssh/id_ed25519_staging
Port 22
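Now connect simply by passing the Host alias (for example, production-vps) to ssh in place of the full address, user, port and key options.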
Final Notes and Best Practices
- Never share your private key.
- Always use a strong passphrase on production keys.
- Back up your ~/.ssh directory.
- InMotion Hosting VPS and Dedicated Server plans include full SSH key support from provisioning.
You have now replaced password authentication with secure SSH key pairs. Your Linux VPS is significantly more secure against automated attacks while remaining convenient to access. For any InMotion-specific server management questions, refer to your control panel or support documentation.

