Why SSH Keys Beat Passwords Every Time

If you're still logging into remote servers with a username and password, you're leaving a significant security gap open. Password-based logins are vulnerable to brute-force attacks, credential stuffing, and phishing. SSH key authentication takes the password out of the login entirely: the secret never leaves your machine, so it can't be guessed online, replayed, or typed into a fake login prompt. Once set up, it's also more convenient than typing a password.

This guide walks you through generating an SSH key pair, copying your public key to a server, and disabling password login entirely.

What Is SSH Key Authentication?

SSH (Secure Shell) key authentication uses a pair of cryptographic keys:

  • Private key — stays on your local machine, never shared
  • Public key — placed on the server you want to access

When you connect, your client signs a value unique to this session (the session ID produced by the key exchange) with the private key, and the server checks that signature against the public key it holds. The private key itself is never sent, so someone who records the entire connection can neither reconstruct it nor replay the signature for a later login.

Step 1: Generate Your SSH Key Pair

Open a terminal on your local machine (Linux, macOS, or Windows; Windows 10 and later ship the OpenSSH client, so PowerShell works as well as WSL) and run:

ssh-keygen -t ed25519 -C "your_email@example.com"

A few notes:

  • ed25519 is the recommended algorithm: it's modern, fast, and has no key-size or parameter choices to get wrong. Every OpenSSH release since 6.5 (2014) supports it, so fall back to -t rsa -b 4096 only if you must reach a server or appliance older than that.
  • When prompted for a file location, press Enter to accept the default (~/.ssh/id_ed25519).
  • Set a passphrase when asked. This encrypts the private key on disk, so a copy of the file (a stolen laptop, a leaked backup) is useless without it. It does not protect a key that is already loaded into a running ssh-agent on a compromised machine, so keep agent lifetimes short. Load the key with ssh-add and you type the passphrase once per session instead of on every connection.

Step 2: Copy Your Public Key to the Server

The easiest method uses the ssh-copy-id utility:

ssh-copy-id username@your-server-ip

This appends your public key to ~/.ssh/authorized_keys on the server, creating the directory with the right permissions if needed (add -i ~/.ssh/id_ed25519.pub if you have several keys; without it, ssh-copy-id copies every key it can find). If ssh-copy-id isn't available (e.g., on Windows), you can do it manually:

  1. Display your public key: cat ~/.ssh/id_ed25519.pub (on Windows the file is at %USERPROFILE%\.ssh\id_ed25519.pub)
  2. Copy the entire output. It is a single line beginning with ssh-ed25519.
  3. Log into the server with your password, make sure the directory exists (mkdir -p ~/.ssh), and run: echo "PASTE_KEY_HERE" >> ~/.ssh/authorized_keys
  4. Set correct permissions: chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys. sshd's default StrictModes setting silently ignores authorized_keys if that file, the ~/.ssh directory, or your home directory is writable by group or others; this is the most common reason a manually copied key "doesn't work".
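The manual steps above, wrapped into a script you can keep on the server and re-run safely. This is an added example, not code from the original article or from OpenSSH: install_authorized_key appends a key only if it isn't already present, applies the permissions that sshd's StrictModes check requires, warns about a group- or world-writable home directory, and refuses input that doesn't look like a public key. DEMO_KEY is constructed for the demo and is not real key material; the demo runs against a throwaway directory so it works anywhere a POSIX shell exists.

```shell
#!/bin/sh
# Added example (not from the original article or from OpenSSH): install a
# public key into authorized_keys the way ssh-copy-id does, idempotently and
# with the permissions sshd's default StrictModes check requires.
set -eu

# install_authorized_key PUBKEY_LINE [HOME_DIR]
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless it is already
# there. Returns 0 on success, 1 if the line is not an OpenSSH public key line.
install_authorized_key() {
    key=$1
    home=${2:-$HOME}

    # Cheap format check: an OpenSSH public key line is "<type> <base64> [comment]".
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-nistp*" "*|"sk-ssh-ed25519@openssh.com "*|sk-ecdsa-sha2-nistp*" "*) ;;
        *) echo "refusing: not an OpenSSH public key line: $key" >&2; return 1 ;;
    esac

    # StrictModes (on by default) ignores authorized_keys when the home
    # directory, ~/.ssh or the file itself is group/world writable. We fix the
    # two we own; the home directory we can only warn about. In ls -ld output
    # character 6 is the group write bit and character 9 the others write bit.
    case $(ls -ld "$home") in
        ?????w*|????????w*) echo "warning: $home is group/world writable; sshd will ignore authorized_keys" >&2 ;;
    esac
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"

    # Whole-line fixed-string match (-x -F) so re-running never duplicates a key.
    if grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        echo "already installed (${key%% *} key)" >&2
    else
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
        echo "installed (${key%% *} key)" >&2
    fi
}

# Constructed demo key: the right shape, not real key material.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyMaterialNotARealKey0 alice@laptop'

# Demo against a throwaway home directory so the script runs anywhere.
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_KEY" "$DEMO_HOME"
install_authorized_key "$DEMO_KEY" "$DEMO_HOME"      # second run is a no-op
install_authorized_key 'not a key' "$DEMO_HOME" || echo "rejected as expected" >&2
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
cat "$DEMO_HOME/.ssh/authorized_keys"
```

From a Windows client without ssh-copy-id, copy the script to the server once (drop the demo lines at the bottom) and run it there with the public key line in quotes as the first argument; running it a second time changes nothing.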

Step 3: Test the Key-Based Login

Before disabling password access, confirm keys work:

ssh username@your-server-ip

You should be logged in without entering your server password (you may be prompted for your key's passphrase, which is different and expected). If the server still asks for its password, repeat the command with -v to see which key the client offered and how the server answered; on the server side the usual culprits are the permissions from Step 2, or the key having landed in the wrong user's home directory.

Step 4: Disable Password Authentication

Once key login is confirmed, lock things down. Keep the SSH session you just opened running while you do this and test from a second one; if you make a mistake, the live session is your way back in. Edit the SSH daemon config on the server:

sudo nano /etc/ssh/sshd_config

Find and set these values:

  • PasswordAuthentication no
  • KbdInteractiveAuthentication no (named ChallengeResponseAuthentication in OpenSSH before 8.7). On systems with UsePAM yes, the PAM stack can still prompt for the account password through keyboard-interactive authentication, and PasswordAuthentication no alone does not close that door.
  • PubkeyAuthentication yes
  • PermitRootLogin no (strongly recommended; the default, prohibit-password, already refuses root passwords, but no also blocks root key logins and forces everyone through a named account and sudo)

One caveat: recent Debian, Ubuntu, and RHEL-family releases begin sshd_config with Include /etc/ssh/sshd_config.d/*.conf, and sshd uses the first value it reads for an option. A drop-in file in that directory (cloud images often ship one such as 50-cloud-init.conf that sets PasswordAuthentication according to the provider's defaults, sometimes to yes) therefore overrides whatever you set further down in the main file. Check that directory and correct or remove such a file, or add a drop-in of your own that sorts before it.

Check the file for syntax errors and confirm the values sshd will actually use before restarting:

sudo sshd -t
sudo sshd -T | grep -iE '^(passwordauthentication|kbdinteractiveauthentication|pubkeyauthentication|permitrootlogin) '

sshd -T prints the effective configuration after every Include has been merged, so it catches a drop-in that overrides your edit. Then restart the SSH service (a restart does not drop sessions that are already established):

sudo systemctl restart sshd

On Debian and Ubuntu the unit is named ssh; sshd usually works there as an alias, but use ssh if it doesn't.
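The first-value-wins rule is easy to get bitten by, so here is an added example (not code from the original article or from OpenSSH) that applies it offline. sshd_effective walks a config file, expands Include globs in the sorted order sshd's glob(3) uses, skips Match blocks, and prints the value sshd will use for an option; sshd_audit checks the four settings from this step against sshd's documented defaults. It assumes a POSIX shell with sed, awk and mktemp, treats a Match block as running to the end of the merged config (a simplification), and resolves a relative Include against the directory of the file being read rather than /etc/ssh, which is enough for the constructed sample it builds in a temporary directory. On a real server the authoritative answer is sudo sshd -T; this script shows why the drop-in beats the main file.

```shell
#!/bin/sh
# Added example (not from the original article or from OpenSSH): work out which
# value sshd will use for an option, honouring Include and the rule that the
# first value read wins. Authoritative on a live system: sudo sshd -T.
set -eu

# _sshd_expand FILE: print FILE's directives with every Include expanded in
# place, comments and blank lines dropped, "Key=value" normalised to "Key value".
# Assumption for the demo: a relative Include path is resolved against the
# directory of the file being read (real sshd resolves it against /etc/ssh).
_sshd_expand() {
    set -- "$1" "$(dirname "$1")"
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/=/ /' -e '/^$/d' "$1" |
    while IFS= read -r line; do
        key=$(printf '%s\n' "$line" | awk '{print tolower($1)}')
        if [ "$key" = include ]; then
            pattern=$(printf '%s\n' "$line" | awk '{print $2}')
            case $pattern in /*) ;; *) pattern="$2/$pattern" ;; esac
            for f in $pattern; do      # unquoted on purpose: the shell's sorted glob matches sshd's
                if [ -f "$f" ]; then _sshd_expand "$f"; fi
            done
        else
            printf '%s\n' "$line"
        fi
    done
}

# sshd_effective CONFIG OPTION: print the effective value of OPTION (case-
# insensitive), i.e. the first one read outside any Match block, which is what
# "sshd -T" reports for a connection no Match block applies to. Prints nothing
# when the option is never set, meaning sshd's built-in default applies.
sshd_effective() {
    _sshd_expand "$1" | awk -v want="$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { in_match = 1; next }   # simplification: Match runs to the end
        in_match               { next }
        tolower($1) == want    { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    '
}

# sshd_audit CONFIG: check the four settings from Step 4. Returns 0 if all are
# in effect, 1 otherwise. Each spec is option:wanted:sshd-default so an unset
# option is judged by the default sshd would apply.
sshd_audit() {
    rc=0
    for spec in passwordauthentication:no:yes \
                kbdinteractiveauthentication:no:yes \
                pubkeyauthentication:yes:yes \
                permitrootlogin:no:prohibit-password; do
        opt=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; default=${rest#*:}
        got=$(sshd_effective "$1" "$opt" | tr 'A-Z' 'a-z')
        [ -n "$got" ] || got="$default (default)"
        if [ "${got%% *}" = "$want" ]; then
            printf 'OK    %-30s %s\n' "$opt" "$got"
        else
            printf 'FAIL  %-30s %s (want %s)\n' "$opt" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# make_demo_config: build a constructed sample in a temp directory shaped like
# a stock Debian/Ubuntu cloud image: the main file Includes the drop-in
# directory first, then sets the hardened values by hand. Prints the path.
make_demo_config() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    cat > "$d/sshd_config" <<'EOF'
# Constructed sample, not a real server's file.
Include sshd_config.d/*.conf

# The edits from Step 4, made in the main file:
PasswordAuthentication no
PermitRootLogin no

# Inside a Match block: conditional, not the global value.
Match User deploy
    PasswordAuthentication yes
EOF
    cat > "$d/sshd_config.d/50-cloud-init.conf" <<'EOF'
# Shipped by the image and read before the main file's own directives.
PasswordAuthentication yes
EOF
    printf '%s\n' "$d/sshd_config"
}

DEMO_CFG=$(make_demo_config)
echo "== as shipped: the drop-in wins because it is read first"
sshd_audit "$DEMO_CFG" || true
echo "== fixed: a drop-in that sorts ahead of 50-cloud-init.conf"
printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\n' \
    > "$(dirname "$DEMO_CFG")/sshd_config.d/00-hardening.conf"
sshd_audit "$DEMO_CFG"
```

Because the stock Include path on these distributions is absolute, running sshd_audit /etc/ssh/sshd_config as root on a server reads the real drop-ins; still confirm with sudo sshd -T, and then prove the lockout from another machine: ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no username@your-server-ip must now be refused with "Permission denied (publickey)".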

Managing Multiple Keys

If you access several servers, use an SSH config file (~/.ssh/config) to simplify connections and to pin which key each host gets:

Host myserver
    HostName 192.168.1.100
    User ubuntu
    IdentityFile ~/.ssh/id_ed25519
    # Offer only the key named above, not every key ssh-agent holds. The server
    # counts each rejected key as a failed attempt (MaxAuthTries, default 6), so a
    # client with several loaded keys can be cut off before the right one is tried.
    IdentitiesOnly yes

Now you can connect with just: ssh myserver

Quick Recap

  1. Generate a key pair with ssh-keygen -t ed25519
  2. Copy the public key with ssh-copy-id
  3. Test the connection
  4. Disable password and keyboard-interactive authentication in sshd_config, confirm with sshd -T, and restart

SSH key authentication is one of the highest-value security improvements you can make in under ten minutes. Do it once, do it right, and online password guessing against your server stops being a concern. The private key is now the credential, so treat it like one: passphrase on disk, a short agent lifetime, and a fresh key pair if the old one is ever exposed.