Follow this walk-through to generate an OpenSSH key pair on macOS & Linux, add it to your cPanel server and remotely log in to cPanel using SFTP/SSH.
GUIs (Graphical User Interfaces) such as cPanel’s File Manager are great.
But managing a website, or an application, or administering a server often requires more than what a GUI can do.
Even simple administrative tasks such as file transfer are best done over SSH File Transfer Protocol (also Secure File Transfer Protocol or SFTP) or SCP (secure copy).
SFTP though is a better remote file system protocol than SCP because it allows for a range of operations on remote files.
For example, with SFTP, you can resume interrupted file transfer, list the directory, remotely remove a file and perform other tasks that you cannot do with SCP.
SCP protocol (in its basic form) is mostly for file transfers.
So when you want to start managing your cPanel account’s files remotely, SFTP is the logical choice.
And if that is the case, then obviously you would need to ensure that your work machine can communicate with the remote system securely.
There are two basic ways you can set up SSH access in cPanel.
And we are going to cover these in this short walk-through.
SSH via A Local Workstation
ssh-keygen is what you would normally use to create new authentication key pairs in macOS and Linux.
Key pairs are used for automating your logins, single sign-on, and for authenticating hosts.
As best practice demands, let’s first check for any existing keys.
ls -al ~/.ssh
If no key pairs have ever been generated on that machine (that is, it is a fresh machine), you should see an error that the hidden folder ~/.ssh does not exist.
If you see files such as id_rsa.pub, id_ecdsa.pub, and/or id_ed25519.pub, then this part of the process has been completed earlier and can be used for authentication.
But you can go ahead and generate a new SSH key pair solely for your cPanel server.
We are assuming that there is none.
So let’s go ahead and generate a new SSH key to use for cPanel authentication and then afterward, add it to the ssh-agent.
% ssh-keygen -t ed25519 -C "$identifier"
ed25519, which you have chosen here using the -t option, is the new algorithm added in OpenSSH.
But there are other ones you can choose from:
- rsa – this is an old algorithm supported by all SSH clients and is best for legacy systems. It is recommended to use either the ed25519 or ecdsa algorithm, as RSA will become breakable in the near future.
- ecdsa – this is a new algorithm, standardized by the US government and supported by most SSH clients. It is recommended to always use it with 521 bits.
If you are going to use RSA, then:
% ssh-keygen -t rsa -b 4096 -C "$identifier"
If you are going to use ecdsa, then:
% ssh-keygen -t ecdsa -b 521 -C "$identifier"
The $identifier can be your email address, a machine name, or anything that you can use to identify the key on any remote system.
The -b option is for specifying the key size:
ssh-keygen -t rsa -b 4096
ssh-keygen -t ecdsa -b 521
At this point, you can just hit “Enter” for the remaining part of the process.
But you can also specify the location of the newly generated files and protect the keys with a passphrase for better security.
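To check existing keys against the key types and sizes recommended above, the following added example (not part of the original walk-through) classifies lines printed by ssh-keygen -l -f. The function names and the "review" wording are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare public keys with the recommendations above
# (ed25519, ecdsa with 521 bits, rsa with 4096 bits).

# classify_key_line LINE
# LINE is one line of `ssh-keygen -l -f <file>` output, in the form
#   <bits> SHA256:<fingerprint> <comment> (<TYPE>)
# Prints "ok", "review: <reason>" or "unparsed".
classify_key_line() {
    line=$1
    bits=${line%% *}        # first field: key size in bits
    ktype=${line##*\(}      # text after the last "("
    ktype=${ktype%\)}       # drop the trailing ")"
    case $bits in
        ''|*[!0-9]*) echo "unparsed"; return 0 ;;
    esac
    case $ktype in
        ED25519) echo "ok" ;;
        ECDSA)
            if [ "$bits" -ge 521 ]; then echo "ok"
            else echo "review: ecdsa below 521 bits"; fi ;;
        RSA)
            if [ "$bits" -ge 4096 ]; then echo "ok"
            else echo "review: rsa below 4096 bits"; fi ;;
        *) echo "review: $ktype is not in the list above" ;;
    esac
}

# audit_dir DIR: classify every *.pub file in DIR (requires ssh-keygen).
audit_dir() {
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        out=$(ssh-keygen -l -f "$pub") || continue
        printf '%s: %s\n' "$pub" "$(classify_key_line "$out")"
    done
}

# Run as: sh audit_keys.sh ~/.ssh   (the script name is an assumption)
if [ -n "${1:-}" ]; then
    audit_dir "$1"
fi
```

Any key reported as "review" is a candidate for replacement with a new ed25519 key before you import it into cPanel.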
On macOS, use the ssh-add command to add the SSH key to the agent.
As stated in the macOS manual page (man ssh-add):
ssh-add adds private key identities to the authentication agent, ssh-agent. When run without arguments, it adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, and ~/.ssh/id_ed25519_sk.
% ssh-add --apple-use-keychain ~/.ssh/id_ed25519
You will be prompted for the key’s passphrase, which will then be stored in the keychain.
For a smoother experience, create a “config” file in the .ssh folder.
Add these lines, with an IdentityFile entry for each key type you have a key for and want loaded into the agent:
Host *
  IgnoreUnknown UseKeychain
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_ecdsa
  IdentityFile ~/.ssh/id_rsa
To preload the keys into your agent, add the following line to .zshrc or .bashrc:
ssh-add --apple-load-keychain
You can also use an older way of doing this with:
% eval "$(ssh-agent -s)"
> Agent pid 59566
Create the ~/.ssh/config file with the content above and then use:
% ssh-add -K ~/.ssh/id_ed25519
to add the SSH private key to the ssh-agent and store your passphrase in the keychain.
Note though that future releases of macOS will not support -A or -K flags.
Now that the local machine part is done, it is time to copy the public key to your cPanel server so that you can SSH without a password and still have the private key passphrase-protected on the disk.
For normal cPanel users, log in to cPanel via port 2083.
Scroll down to Security and click on SSH Access.
Click Manage SSH Keys.
Click Import Key.
Go back to your local machine and, if you are on macOS, copy the public key using pbcopy:
% pbcopy < ~/.ssh/id_ed25519.pub
If you are on Linux, then use xsel or xclip. Install them with your distribution’s package manager:
$ sudo dnf install xclip xsel
$ sudo pacman -S xclip xsel
$ sudo apt install xclip xsel
Add one of these alias pairs to your .bashrc. For xsel:
alias pbcopy='xsel --clipboard --input'
alias pbpaste='xsel --clipboard --output'
For xclip:
alias pbcopy='xclip -selection clipboard'
alias pbpaste='xclip -selection clipboard -o'
Reload the shell with source ~/.bashrc or exec "$BASH"
and then use “pbcopy” to copy:
% cat ~/.ssh/id_ed25519.pub | pbcopy
Go back to cPanel.
Type in the $identifier as the custom key name.
Paste in the public key in the appropriate text box.
Use the Go Back button to well, … go back.
Select the key you just imported from the public keys.
Click Authorize to authorize the key.
You can now test the connection from your local machine to your cPanel server.
% ssh $cpanelusername@$domain.com
Windows users can use the Windows Subsystem for Linux (WSL). See https://docs.microsoft.com/en-us/windows/wsl/about for details on that.
Using In-Built cPanel Terminal
If, for whatever reason, you don’t want to access your cPanel account via your local machine but still want to manage it with SSH, cPanel has an in-built terminal that you can use.
The Terminal interface simply allows you to access an in-browser terminal application for direct command-line access within a cPanel session.
To start, scroll down to the Advanced pane.
Click on Terminal for cPanel.
Accept the warning notice that states I understand and want to proceed.
Once this is done, you will be presented with an interface and can perform any function within this interface as you would via any SSH client.
When you exit a session in the Terminal application, it terminates access to the interface’s terminal window.
To open another session, simply click the Reconnect button.
If you are new to cPanel or to hosting account administration or find the above steps (or the command-line interface) daunting and you are a Web Hosting Magic customer, then please open a technical support ticket for guidance and help.