How to Set Up SSH Key Authentication on Linux Servers

Why Use SSH Key Authentication?

Password-based SSH login is convenient but vulnerable to brute-force attacks. SSH key authentication replaces passwords with a cryptographic key pair — a private key you keep secret on your local machine and a public key placed on the server. Even if someone discovers your username, they cannot log in without your private key. This guide walks you through setting up SSH key authentication from start to finish.

How SSH Key Pairs Work

An SSH key pair consists of two mathematically linked files:

• Private key (~/.ssh/id_ed25519) — Stays on your local machine. Never share this.
• Public key (~/.ssh/id_ed25519.pub) — Copied to the server. Safe to share.

When you connect, the server sends a challenge encrypted with your public key. Only your private key can decrypt it, proving your identity without sending any password over the network.

Step 1: Generate an SSH Key Pair

On your local Linux or macOS machine, open a terminal and run:

ssh-keygen -t ed25519 -C "your_email@example.com"

Ed25519 is the recommended algorithm — it's faster and more secure than the older RSA default. When prompted:

• File location — Press Enter to accept the default (~/.ssh/id_ed25519), or specify a custom path.
• Passphrase — Strongly recommended. This encrypts your private key so it's useless if stolen.

If you still need RSA for compatibility reasons, use: ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Step 2: Copy the Public Key to the Server

The easiest method uses the ssh-copy-id utility:

ssh-copy-id username@server_ip_or_hostname

This command appends your public key to ~/.ssh/authorized_keys on the server and sets correct permissions automatically. You'll be prompted for your password one last time.

Manual Method (if ssh-copy-id is unavailable)

Copy your public key content: cat ~/.ssh/id_ed25519.pub

Then on the server, run:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "PASTE_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Step 3: Test the Key-Based Login

Connect to the server and confirm it works:

ssh username@server_ip_or_hostname

If you set a passphrase, you'll be prompted for it. If you see your server's shell prompt — success! You're now using key-based authentication.

Step 4: Disable Password Authentication (Recommended)

Once key-based login works, disable password authentication to harden your server. Edit the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Find and set these lines (add them if they don't exist):

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

Important: Before saving, open a second SSH session to confirm your key login works. Then restart the SSH service:

sudo systemctl restart sshd

Step 5: Use SSH Config for Convenience

Managing multiple servers is easier with an SSH config file. Create or edit ~/.ssh/config on your local machine:

Host myserver
    HostName 192.168.1.100
    User alice
    IdentityFile ~/.ssh/id_ed25519
    Port 22

Now you can connect with simply: ssh myserver

Managing Multiple Keys with ssh-agent

If you use a passphrase (and you should), ssh-agent caches it so you don't have to type it repeatedly:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

Your passphrase will be remembered for the duration of your session.

Security Best Practices Summary

• Always use a strong passphrase on your private key.
• Prefer Ed25519 over RSA for new keys.
• Disable password authentication once key login is confirmed working.
• Never copy your private key to a server.
• Rotate keys periodically and revoke old ones by removing them from authorized_keys.
• Consider changing the default SSH port (22) for reduced noise in logs, though this is not a security measure on its own.