Last Reviewed: 2025-12-10

Generate and Add SSH Keys

Understand how to generate SSH keys to configure Git, SFTP, or Drupal Drush.

Discuss in Slack

Edit this page on GitHub Report an issue with this doc

Interacting with remote Pantheon environments via Git, SFTP, WP-CLI, and Drush requires an SSH key for authentication. This is configured by adding your public SSH key to your user account on Pantheon. If you interact with your sites from multiple workstations (laptop, desktop, etc.), you must add a separate SSH key for each machine.

Generate an SSH key

Use the steps in this section to generate your SSH key.

Create the key locally

The following steps are compatible with MacOS, Linux, and the Windows Subsystem for Linux (WSL). Windows users must install WSL before proceeding to the steps below.

1. Open your terminal and enter the following command to generate a key:

Do not edit the default location of ~/.ssh/id_rsa unless you have a reason to change it. If the command says the key already exists, you can either overwrite it, or continue to the next step with your existing key.

1. Set a passphrase for better security.

   We recommend using a passphrase, but it can conflict with some tools.

2. Copy the contents of ~/.ssh/id_rsa.pub to your clipboard after the files are created.

3. Run eval to start the SSH agent. The Agent pid output confirms that the agent started:

4. Add the newly created key to the ssh-agent:

Add your SSH key to Pantheon

1. Log in to your Pantheon Dashboard.

2. Click your user icon in the top right then click Personal Settings, and go to the SSH Keys tab.

3. If this is your first key, click Get Started, otherwise click Add New Key.

4. Paste the copied public key into the box, and click Save.

Your computer is now set up to securely connect to the Pantheon Git server. You can view a list of available keys on the same page.

Test your new key (optional)

Try out your new key by interacting with your site using any one of the following methods:

• Use git to clone your site repository locally

• Use your preferred SFTP client to connect to a remote Pantheon environment

• Use Terminus to invoke WP-CLI or Drush commands:

Manage multiple keys (optional)

If you use multiple SSH keys to routinely authenticate your machine with other platforms or services other than Pantheon, you may benefit by configuring specific keys according to their specific usage.

For example, the following configuration tells your Pantheon sites to use your Pantheon key, while using a separate key for GitHub:

Remove SSH Key from Pantheon

After removing SSH Keys from your user account, you will not be able to interact with remote Pantheon application and codeservers via Git, SFTP, Drush, or WP-CLI.

Removing SSH keys is separate from revoking the machine tokens used by Terminus to perform actions (e.g., creating Multidev environments) that can otherwise be done in the Pantheon Site Dashboard.

1. Log in to your Pantheon Dashboard.

2. Click your user icon in the top right then click Personal Settings, and go to the SSH Keys tab.

3. Click the Revoke button next to the key you want to remove:

1. Check the box in the confirmation prompt and click continue.

Troubleshooting

Authenticity & Fingerprint Prompts

Your first connection to any remote server over an SSH connection (like Git or SFTP) will prompt you to confirm the host identity:

You can safely type yes and press enter to add the server's SSH key fingerprint to your computer's known_hosts file. Additional connections to this specific Pantheon container will complete successfully without prompts. However, you will be prompted to confirm connections following a container migration, which is part of regular maintenance on the platform. See the following Pro Tip to automatically accept all Pantheon connections.

"Connection to server closed by remote host" returned by long-running CLI operations

Long-running Drush and/or WP-CLI commands may timeout due to the idle timeout limit on SSH connections. You can avoid this by configuring your local machine to send an SSH keepalive packet every 60 seconds. Add this to your $HOME/.ssh/ssh_config file:

ECDSA Key Support

The dashboard will return the following error when attempting to add an ECDSA key with a keysize of either 384 or 521 bits:

To resolve, generate and use a 256-bit ECDSA key instead:

Control Path Error

You may receive the following error:

Check your SSH config files (by default, $HOME/.ssh/config and /etc/ssh/ssh_config) for a declaration like this:

There are two ways to fix this. First, try adjusting the Controlpath line as shown below:

If this doesn't fix the issue, try creating an entry in your SSH configuration for your site specifically by its hostname. Don't use the ControlMaster option, instead use the ControlPath line as shown below, replacing SITE_UUID with your site's UUID:

Server Refused to Allocate pty

This error occurs when a user is attempting to make a direct connection to Pantheon via SSH. Pantheon does not support direct SSH connections.

Authentication Prompts

Password requests may still occur after adding an SSH key to your Pantheon account if the corresponding key is not found by your local ssh-agent. Verify by listing the SSH fingerprints already loaded in your device's ssh-agent:

The resulting string should match one of the keys listed in your Personal Settings.

To resolve, add your SSH key to the ssh-agent using the following command, replacing id_rsa with the name of your private key, if different:

If you are using a Linux distribution such as Fedora 33 or later, make sure RSA keys are enabled in ~/.ssh/config:

What if I can't install the Windows Subsystem for Linux?

Consider that Terminus, Pantheon's command-line interface, requires WSL for compatibility. This is why the process above expects WSL to be installed, however it is not a hard required for generating SSH keys.

If you are a Windows user and you are unable to install WSL on your machine, you may use the following process as an alternative: