SSH Key Setup
Overview
SSH keys replace password-based login with a cryptographic key pair. The private key stays on your machine; the public key goes on the server.
Generate a Key Pair
On your local machine:

```bash
ssh-keygen -t ed25519 -C "your@email.com"
```

- -t ed25519 — modern, compact algorithm (preferred over RSA)
- -C — an optional label to identify the key

When prompted, choose a path (default ~/.ssh/id_ed25519) and an optional passphrase.
Copy the Public Key to the Server
```bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server-ip
```

Or manually append it:

```bash
cat ~/.ssh/id_ed25519.pub | ssh user@your-server-ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```

Test the Connection

```bash
ssh user@your-server-ip
```

You should log in without a password prompt.
SSH Config File
Avoid typing long hostnames by adding an entry to ~/.ssh/config:

```
Host myserver
    HostName your-server-ip
    User youruser
    IdentityFile ~/.ssh/id_ed25519
```

Now you can connect with just:

```bash
ssh myserver
```

Disable Password Login (recommended)
Once key-based login works, disable password authentication on the server to reduce attack surface.
Edit /etc/ssh/sshd_config:
```
PasswordAuthentication no
PubkeyAuthentication yes
```

Restart the SSH service:

```bash
sudo systemctl restart sshd
```

Make sure your key works before closing the current session.
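Editing sshd_config does not prove the setting took effect: sshd keeps the first value it reads for each keyword, so a file pulled in earlier by an Include directive can leave password login on, and keyboard-interactive authentication can still prompt for a password. The added example below (not part of the original page) checks the effective configuration as printed by sshd -T; the function names and sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: confirm password login is off in the *effective* sshd config.
# Reads `sshd -T` style output ("keyword value", one per line) on stdin.
# Exit status: 0 = key-only login enforced, 1 = a password path remains.
check_sshd_effective() {
  awk '
    { seen[tolower($1)] = tolower($2) }
    END {
      bad = 0
      if (seen["pubkeyauthentication"] != "yes") {
        print "FAIL pubkeyauthentication=" seen["pubkeyauthentication"]; bad = 1
      }
      if (seen["passwordauthentication"] != "no") {
        print "FAIL passwordauthentication=" seen["passwordauthentication"]; bad = 1
      }
      # Keyboard-interactive (usually PAM) can still ask for a password.
      # Older OpenSSH releases call it challengeresponseauthentication.
      kbd = seen["challengeresponseauthentication"]
      if ("kbdinteractiveauthentication" in seen) kbd = seen["kbdinteractiveauthentication"]
      if (kbd != "no") { print "FAIL keyboard-interactive=" kbd; bad = 1 }
      if (!bad) print "OK key-only login enforced"
      exit bad
    }'
}

# Constructed sample: the main file says "no", but an earlier Include wins.
sample_overridden() {
  printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
    'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

# Constructed sample: a server where key-only login is in force.
sample_hardened() {
  printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
    'passwordauthentication no' 'kbdinteractiveauthentication no'
}

# Demo on the constructed samples. On a real server, run this from a second
# session before closing the first: sudo sshd -T | check_sshd_effective
sample_overridden | check_sshd_effective || true
sample_hardened | check_sshd_effective
```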
Common Issues
| Problem | Likely cause |
|---|---|
| Permission denied (publickey) | Public key not in authorized_keys, or wrong user |
| Warning: unprotected private key | Fix with chmod 600 ~/.ssh/id_ed25519 |
| Connection refused | SSH not running or wrong port — check with sudo systemctl status sshd |