
Master SSH Key Authentication: Generate, Configure, and Secure Your Server Access

This guide explains why password‑based SSH logins are insecure, introduces asymmetric key concepts, walks through generating key pairs with ssh‑keygen, uploading public keys manually or via ssh‑copy‑id, using ssh‑agent and ssh‑add to manage passphrases, and disabling password authentication for hardened server access.

Open Source Tech Hub

SSH Key Login

SSH defaults to password authentication, which is vulnerable to weak passwords and requires manual entry. Using asymmetric key pairs provides stronger security and convenience.

What Is a Key?

A key is a large number generated by cryptographic algorithms. Symmetric encryption uses a single key; asymmetric encryption uses a paired public key and private key. In SSH, the private key must remain secret, while the public key can be shared. The public key encrypts data that only the matching private key can decrypt, and the private key can sign data that the public key can verify.

Key‑Based Login Process

Generate a key pair locally with ssh-keygen.

Copy the public key to the remote server’s ~/.ssh/authorized_keys file.

Initiate an SSH connection from the client.

The server sends a random challenge.

The client signs the challenge with its private key and returns the signature.

The server verifies the signature using the stored public key; if it matches, access is granted.
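The challenge, signature and verification steps above can be tried locally. This is an added illustration, not part of the original article: it uses ssh-keygen's file-signing mode (-Y sign and -Y verify, OpenSSH 8.1 or later) rather than the SSH wire protocol, and the key, the identity demo@example and the namespace login-demo are constructed for the demo.

```shell
#!/bin/sh
# Added illustration: sign a random challenge with the private key, verify it
# with the stored public key. Real SSH signs session-bound data inside the
# transport; only the sign/verify idea is the same. All names are constructed.

# setup DIR: throwaway client key pair plus the "server" record of the public key
setup() (
    ssh-keygen -q -t ed25519 -N '' -C demo@example -f "$1/id_demo" &&
    # allowed_signers line format: principal keytype base64-key
    printf 'demo@example %s\n' "$(cut -d' ' -f1,2 "$1/id_demo.pub")" \
        > "$1/allowed_signers"
)

# client_sign DIR FILE: sign FILE with the private key, writing FILE.sig
client_sign() (
    ssh-keygen -q -Y sign -f "$1/id_demo" -n login-demo "$2" 2>/dev/null
)

# server_verify DIR FILE SIG: prints "accept" or "reject"
server_verify() (
    if ssh-keygen -Y verify -f "$1/allowed_signers" -I demo@example \
        -n login-demo -s "$3" < "$2" >/dev/null 2>&1
    then echo accept; else echo reject; fi
)

# run_demo: prints the result for the genuine challenge, then for a different one
run_demo() (
    dir=$(mktemp -d) || exit 2
    trap 'rm -rf "$dir"' EXIT
    setup "$dir" || exit 2
    head -c 32 /dev/urandom > "$dir/challenge"      # server's random challenge
    client_sign "$dir" "$dir/challenge" || exit 2   # private key stays on the client
    genuine=$(server_verify "$dir" "$dir/challenge" "$dir/challenge.sig")
    head -c 32 /dev/urandom > "$dir/other"          # a later, different challenge
    reused=$(server_verify "$dir" "$dir/other" "$dir/challenge.sig")
    echo "$genuine $reused"
)

run_demo || echo "ssh-keygen with -Y support is not available"
```

The second result shows why the challenge is random: a signature captured from one exchange does not verify against a different challenge.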

ssh-keygen – Generating Keys

Basic Usage

Run the command without arguments to be prompted for options:

$ ssh-keygen

Specify the algorithm with -t (e.g., rsa or dsa):

$ ssh-keygen -t rsa

Typical interactive output (example for DSA):

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_dsa):  press ENTER
Enter passphrase (empty for no passphrase): ********
Enter same passphrase again: ********
Your identification has been saved in /home/username/.ssh/id_dsa.
Your public key has been saved in /home/username/.ssh/id_dsa.pub.
The key fingerprint is:
14:ba:06:98:a8:98:ad:27:b5:ce:55:85:ec:64:37:19 [email protected]

The default private key files are ~/.ssh/id_rsa (RSA) or ~/.ssh/id_dsa (DSA); the corresponding public keys are ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub. OpenSSH has disabled DSA keys by default since version 7.0, so choose rsa or ed25519 for new keys.

Common Options

-b – Set key size in bits (e.g., 1024, 2048, 4096). Larger sizes increase security but also computational cost.

-C – Add a comment (e.g., user@host) to identify the key.

-f – Specify the output filename for the private key.

-F – Check whether a hostname appears in known_hosts.

$ ssh-keygen -F example.com

-N – Provide a passphrase for the private key directly. A passphrase given on the command line is visible in shell history and the process list.

$ ssh-keygen -t dsa -N secretword

-p – Change an existing private key’s passphrase (prompts for old and new passphrases).

-R – Remove a host’s key fingerprint from known_hosts.

$ ssh-keygen -R example.com

-t – Choose the key algorithm (rsa, dsa, ecdsa, ed25519).

Manually Uploading the Public Key

After generating a key pair, copy the public key to the server’s ~/.ssh/authorized_keys file. Each key occupies a single line.

$ cat ~/.ssh/id_rsa.pub | ssh user@host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Set correct permissions on the authorized_keys file so that only the owner can write. With sshd's default StrictModes setting, a file that group or others can write to is refused:

$ chmod 644 ~/.ssh/authorized_keys

ssh-copy-id – Automatic Public‑Key Upload

The ssh-copy-id utility copies the local public key to the remote authorized_keys file, creating the file if necessary.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@host

If -i is omitted, ssh-copy-id defaults to ~/.ssh/id_rsa.pub. The command prompts for the remote account password once and appends the key.

ssh-agent and ssh-add – Managing Passphrases

Basic Workflow

Start an agent, add the private key, then use SSH normally. This avoids repeated passphrase prompts.

# Start a new shell with an agent
$ ssh-agent bash
# Or in an existing shell
$ eval `ssh-agent`
# Add the default private key (you will be prompted for its passphrase)
$ ssh-add
Enter passphrase for /home/you/.ssh/id_rsa: ********
Identity added: /home/you/.ssh/id_rsa (/home/you/.ssh/id_rsa)
# Add a non‑default key
$ ssh-add /path/to/other_key
# Use SSH without further passphrase prompts
$ ssh remoteHost

To stop the agent, run:

$ ssh-agent -k

ssh-add Options

-d – Remove a specific key from the agent.

$ ssh-add -d /path/to/key

-D – Remove all keys from the agent.

$ ssh-add -D

-l – List keys currently held by the agent.

$ ssh-add -l

Disabling Password Authentication

After confirming that key‑based login works, improve security by disabling password authentication in the SSH daemon configuration.

# Edit /etc/ssh/sshd_config on the server
PasswordAuthentication no

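Restart the SSH service (e.g., systemctl restart sshd or service ssh restart) for the change to take effect. Check the file with sshd -t before restarting, and keep your current session open until a new key-based login succeeds.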
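Editing the line does not always change what sshd uses: sshd keeps the first value it reads for a keyword, so a commented-out line, a setting placed only inside a Match block, or an earlier drop-in file can leave password logins enabled. The script below is an added example, not from the original article. It is a simplified parser run over constructed sample files, and its function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): report the global
# PasswordAuthentication value sshd would use. Simplified parser, assuming
# whitespace-separated "Keyword value" lines. Pass files in the order sshd
# reads them: drop-ins first when the Include line is at the top of sshd_config.

# password_auth_effective FILE... -> prints "yes" or "no"
password_auth_effective() (
    awk '
        FNR == 1 { in_match = 0 }               # assumption: each file starts in global scope
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                       # conditional override, not global
        tolower($1) == "passwordauthentication" && !seen {
            value = tolower($2); seen = 1       # first value read wins
        }
        END { print (seen ? value : "yes") }    # built-in default is yes
    ' "$@"
)

# make_samples DIR: constructed config fragments, not taken from a real host
make_samples() (
    printf '%s\n' 'PasswordAuthentication no' > "$1/hardened"
    printf '%s\n' '#PasswordAuthentication no' 'PubkeyAuthentication yes' > "$1/commented"
    printf '%s\n' 'PasswordAuthentication yes' > "$1/dropin.conf"
    printf '%s\n' 'PubkeyAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication no' > "$1/match_only"
)

tmp=$(mktemp -d) && make_samples "$tmp"
for name in hardened commented match_only; do
    printf '%-20s %s\n' "$name" "$(password_auth_effective "$tmp/$name")"
done
printf '%-20s %s\n' 'dropin + hardened' \
    "$(password_auth_effective "$tmp/dropin.conf" "$tmp/hardened")"
rm -rf "$tmp"
```

On a real server, sshd -T (run as root) prints the effective configuration, including the passwordauthentication value, after all files have been processed.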

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
