Every time you type a password to SSH into a server, you’re doing something a hacker could intercept, brute-force, or phish from you. SSH keys make this attack surface disappear entirely.
Introduction
SSH keys use public-key cryptography — a method where you hold a private secret while distributing a public “lock” that only your key can open. Once set up, you log in with zero typing. No password to forget. No password to steal. No brute-force possible.
- How SSH keys work (public vs private key)
- How to generate a key pair with
ssh-keygen - How to copy your public key to a server
- How to use
~/.ssh/configfor shortcuts - How to disable password login entirely (the secure standard)
Imagine you want access to 10 different offices:
- You give each office a padlock that only you can open (public key).
- You keep your unique key (private key) in your pocket.
- Any office can leave the padlock on its door — it’s useless without your key.
- If someone steals the padlock, they still can’t get in — they need your key.
That’s exactly how SSH key auth works.
Public vs Private Keys
The rule is simple:
- Private key (
id_ed25519) — stays on your machine. Never share it. Ever. - Public key (
id_ed25519.pub) — safe to share. Copy it to every server you want to access.
Step 1: Generate Your Key Pair
Modern algorithm recommendation: Ed25519 (faster and more secure than RSA).
Generate a new Ed25519 key pair with a comment label
You’ll be asked for a passphrase — this encrypts your private key file. Use a strong one.
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/shekhar/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase): ****
Your identification has been saved in /home/shekhar/.ssh/id_ed25519
Your public key has been saved in /home/shekhar/.ssh/id_ed25519.pubView your public key:
Print your public key — this is what you copy to servers
Step 2: Copy Your Public Key to a Server
The Easy Way: ssh-copy-id
Automatically append your public key to the server's authorized_keys
This command:
- Reads
~/.ssh/id_ed25519.pub - SSHs into the server with your password (one last time)
- Appends your public key to
~/.ssh/authorized_keyson the server
The Manual Way (if ssh-copy-id isn’t available)
Manually append your public key to the server
Test the connection:
Should now log in without asking for a password
SSH is strict about file permissions. If it fails, run these on the server:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Step 3: Create an SSH Config File for Shortcuts
Typing ssh -i ~/.ssh/id_ed25519 ubuntu@54.23.88.101 -p 2222 every time is painful. Use ~/.ssh/config:
Host myserver
HostName 54.23.88.101
User ubuntu
Port 2222
IdentityFile ~/.ssh/id_ed25519
Host staging
HostName 10.0.1.50
User deploy
IdentityFile ~/.ssh/id_ed25519_stagingNow you can just type:
Uses all settings from ~/.ssh/config automatically
Connects to the staging server with its specific key
Step 4: Disable Password Login (Harden the Server)
Once you’ve confirmed key-based login works, disable passwords entirely. This stops brute-force attacks completely.
On the server, edit the SSH daemon config:
Open the SSH server configuration file
Find and change these lines:
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yesThen restart SSH:
Apply the new SSH config
Open a second SSH terminal and test you can still log in BEFORE closing the current one. If you lock yourself out, you’ll need console access to fix it.
Managing Multiple Keys
If you work with GitHub, AWS, and multiple servers, you’ll have multiple keys:
Create a key specifically for GitHub
Create a key for AWS access
In your ~/.ssh/config:
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/id_github
Host aws-prod
HostName ec2-xx-xx-xx-xx.compute.amazonaws.com
User ec2-user
IdentityFile ~/.ssh/id_awsUseful Day-to-Day SSH Key Commands
| Task | Command |
|---|---|
| List loaded keys | ssh-add -l |
| Add key to agent | ssh-add ~/.ssh/id_ed25519 |
| Remove all keys from agent | ssh-add -D |
| Check server’s host key | ssh-keyscan server-ip |
| Copy file to server | scp file.txt user@server:/path/ |
| Copy directory to server | scp -r dir/ user@server:/path/ |
Hands-On Challenge
- Generate a new Ed25519 key pair on your machine.
- View the public key with
cat ~/.ssh/id_ed25519.pub. - If you have access to a server (even a local VM), copy the key with
ssh-copy-id. - Test passwordless login.
- Bonus: Create a
~/.ssh/configentry and test the shortcut.
Key Takeaways
- SSH keys use public-key cryptography — private key stays local, public key goes to servers.
- Use Ed25519 (not RSA) for new keys — it’s smaller, faster, and more secure.
ssh-copy-id user@serveris the easiest way to install your public key.~/.ssh/configlets you define shortcuts and per-host settings — use it.- Disable
PasswordAuthenticationentirely once keys are working — this is the professional standard.
Test Your Knowledge
Take a quick 4-question quiz to check your understanding.