
Ubuntu — SSH Key Authentication

SSH key authentication replaces passwords with a cryptographic key pair. The private key stays on your machine; the public key goes on the server. No password travels over the network.

Ed25519 is the recommended key type — shorter keys, faster, and more secure than RSA.

Pre-requisites

  • OpenSSH client on your local machine (ssh-keygen available)
  • SSH access to the remote server (password auth still enabled for initial setup)

1. Generate the Key Pair

Run this on your local machine:

ssh-keygen -t ed25519 -C "your-comment"

The comment (-C) is just a label — use your email or hostname to identify the key later.

When prompted:

  • Location — press Enter to accept the default (~/.ssh/id_ed25519)
  • Passphrase — strongly recommended; protects the private key if it is ever stolen

This creates two files:

File                     Description
~/.ssh/id_ed25519        Private key — never share this
~/.ssh/id_ed25519.pub    Public key — goes on the server

2. Copy the Public Key to the Server

Method A: ssh-copy-id

ssh-copy-id username@remote_host

Enter your password when prompted. ssh-copy-id handles directory creation and permissions automatically.

Method B: Manual

If ssh-copy-id is unavailable or password auth is already disabled:

On your local machine, print the public key:

cat ~/.ssh/id_ed25519.pub

Copy the output, then on the remote server:

mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

3. Verify the Connection

ssh username@remote_host

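You should be prompted for your key passphrase (not the account password). If you are asked for the account password instead, the server did not accept the key. If you connect without any prompt, the key has no passphrase (or an agent has already unlocked it); a key without a passphrase works but is less secure.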

SSH agent

Run ssh-add ~/.ssh/id_ed25519 once per session to load the key into the SSH agent, so you type the passphrase once instead of on every connection.


4. Disable Password Authentication

Once key login is confirmed working, disable password auth on the server.

Do this in a second terminal

Keep your existing SSH session open. Open a new terminal and verify key login works before disabling passwords. A misconfiguration here locks you out.

sudo nano /etc/ssh/sshd_config

Set these values:

PasswordAuthentication no
PermitRootLogin no

Apply the change:

sudo systemctl restart ssh

Verify in your new terminal that you can still connect. Then close the old session.
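
sshd keeps the first value it reads for each keyword, and Ubuntu's stock sshd_config pulls in /etc/ssh/sshd_config.d/*.conf through an Include line near the top, so a drop-in file can silently win over the PasswordAuthentication no set in step 4. The script below is an added example, not part of the original page: it models that lookup on a constructed config tree. The function names, the temp directory layout and the drop-in file name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: which value would sshd use for a keyword?
# Simplified model of sshd_config parsing: first value wins, Include globs are
# read in sorted order, parsing of a file stops at its first Match block.
# Not handled: "Keyword=value" syntax, quoting, several patterns per Include.

# effective_value FILE KEYWORD [BASEDIR]  (BASEDIR resolves relative Includes)
effective_value() (
    file=$1; base=${3:-/etc/ssh}
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')  # case-insensitive
    while read -r key val; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ''|'#'*) continue ;;                   # blank line or comment
            match)   break ;;                      # conditional section: stop
            include)
                case $val in /*) ;; *) val=$base/$val ;; esac
                for f in $val; do                  # unquoted on purpose: glob
                    [ -f "$f" ] || continue
                    out=$(effective_value "$f" "$want" "$base")
                    if [ -n "$out" ]; then printf '%s\n' "$out"; exit 0; fi
                done ;;
            "$want") printf '%s\n' "$val"; exit 0 ;;
        esac
    done < "$file"
    exit 0
)

# Constructed sample tree: the main file holds the two settings from step 4,
# a drop-in with a made-up name still enables passwords.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' \
        'PasswordAuthentication no' 'PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' 'PasswordAuthentication yes' \
        > "$d/sshd_config.d/50-image-defaults.conf"
    printf '%s\n' "$d"
}

dir=$(make_sample)
for kw in PasswordAuthentication PermitRootLogin; do
    printf '%-24s %s\n' "$kw" "$(effective_value "$dir/sshd_config" "$kw" "$dir")"
done
rm -rf "$dir"
```

On the server itself, `sudo sshd -t` checks the configuration for syntax errors before the restart, and `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually resolves.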


Permission Reference

Wrong permissions silently break key auth — SSH refuses to use keys if the files are too permissive.

Path                      Permission   Command
~/.ssh/                   700          chmod 700 ~/.ssh
~/.ssh/authorized_keys    600          chmod 600 ~/.ssh/authorized_keys
~/.ssh/id_ed25519         600          chmod 600 ~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub     644          chmod 644 ~/.ssh/id_ed25519.pub

Multiple Keys

To use a specific key for a host, add an entry to ~/.ssh/config on your local machine:

Host myserver
    HostName 192.168.1.10
    User sebastian
    IdentityFile ~/.ssh/id_ed25519

Then connect with just ssh myserver.