Setup SSH Access to Lightsail

This page explains how to SSH to Lightsail, AFAIK the cheapest and fastest hosting available.

Lightsail

What is Lightsail?

Lightsail is the cheap version of Amazon EC2.

• Prices start at $3.50 per instance (20Gb SSD, 512Mb RAM), up to 160$/month.
• An instance is created in seconds based on Ubuntu, Debian, FreeBSD, OpenSUSE, or Amazon Linux. There are versions with an application preinstalled, which uses images from Bitnami.
• You can add a SSH key in the console, which will be valid for any of your instances.

Create an account

Go to https://amazonlightsail.com/ and login with your Amazon credentials (or create a new account). You’ll see two buttons: Create Instance, and Create static IP. The dialogs that follow are self explanatory. I chose a Linux instance with Ubuntu OS. If you want to give it a try, you can use the free month trial without spending a penny.

Once you create the instance, it will be ready in 10 seconds. SSH access is immediately available, but only through a web interface. You may want to add a static IP to your instance, they are free. The name of the static IP is an arbitary string.

SSH access

Add your server to /etc/hosts

Add your host IP to /etc/hosts:

$ echo -e "\n35.176.128.11 lightsail" | sudo tee -a /etc/hosts

My /etc/hosts looks like this:

127.0.0.1        localhost
255.255.255.255  broadcasthost
::1              localhost

35.176.128.11    lightsail

Create a SSH key

I’m using ECDSA 521 bit below.

ssh-keygen -t ecdsa -b 521 -f ~/.ssh/lightsail -C "jano@jano.dev"

Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/jano/.ssh/janodev
Your public key has been saved in /Users/jano/.ssh/janodev.pub
The key fingerprint is:
SHA256:KPSLMDl46tkeyAndiMagEnotForrEal46lwP0VsXAnA jano@jano.dev

The key's randomart image is:
+---[ECDSA 521]---+
|      o .=**O+.  |
|       +o=+o.o   |
|    .  .o*o+.E   |
| . o.. .o O.+    |
|. *...o.S+ + o   |
| o +.oo..   o    |
|.  o...          |
|o . o            |
| o   .           |
+----[SHA256]-----+

Set permissions so the private key is not rwx by other users.

chmod 600 ~/.ssh/lightsail

Copy your public key to the server

Copy your public key

pbcopy < ~/.ssh/lightsail.pub

SSH to your machine using the web interface, and add this key to the authorized keys.

vi ~/.ssh/authorized_keys

Note that on the bottom right you have an icon that opens the clipboard. You can paste the key there, then go to the terminal and right click with your mouse to paste.

If you add your public key to the SSH keys of the Lightsail account before creating the instance, the key will be automatically added to authorized_keys. Once the instance is created, you can only change authorized_keys manually from the terminal.

Login from your machine

Login to your Lightsail instance from your terminal using your private key, user, and server.

ssh -i ~/.ssh/lightsail ubuntu@lightsail

To avoid specifying the key each time, I added this block to ~/.ssh/config.

Host lightsail
    User ubuntu
    Hostname lightsail
    PreferredAuthentications publickey
    IdentitiesOnly yes
    IdentityFile ~/.ssh/lightsail

Transmit

If you use Transmit from Panic:

• Setup the SSH keys in ~/.ssh.
• Fill the password field with the password used to encrypt the SSH key.
• Choose the private key.

If you ever wonder if a key has password or not, try to display it with ssh-keygen -y. If it does have a password it will prompt you for it, otherwise it will display the file contents.

ssh-keygen -y -f lightsail