How to set up SSH key-based authentication
Generate an SSH key pair and configure passwordless login to a remote server using public key authentication.
- Prerequisites
- Step-by-Step: Set Up SSH Key-Based Authentication
- 1. Generate an SSH Key Pair on the Local Machine
- 2. Copy the Public Key to the Remote Server
- 3. Test the Key-Based SSH Connection
- 4. Disable Password Authentication on the Server (Optional)
- How to Verify Key-Based Authentication Is Working
- Common Issues When Setting Up SSH Key Authentication
Generate an RSA or Ed25519 SSH key pair and configure public key authentication for passwordless login to a remote Linux server.
Prerequisites
- OpenSSH client installed on the local machine (preinstalled on Linux and macOS)
- SSH access to the remote server (password login must be enabled initially)
- Terminal access on the local machine
Step-by-Step: Set Up SSH Key-Based Authentication
1. Generate an SSH Key Pair on the Local Machine
The ssh-keygen command generates a public/private key pair. Use Ed25519 for modern systems or RSA 4096-bit for compatibility with older servers:
ssh-keygen -t ed25519 -C "user@workstation"
The SSH key generator prompts for a file location (default: ~/.ssh/id_ed25519) and an optional passphrase. The passphrase encrypts the private key at rest; it adds security without affecting the authentication mechanism.
2. Copy the Public Key to the Remote Server
The ssh-copy-id command uploads the public key to the remote server's ~/.ssh/authorized_keys file:
ssh-copy-id user@203.0.113.50
The SSH client prompts for the remote user's password one last time. After this, subsequent SSH connections use the key pair instead of the password.
3. Test the Key-Based SSH Connection
Connect to the remote server without a password prompt:
ssh user@203.0.113.50
The SSH client authenticates using the private key. If a passphrase was set during key generation, SSH prompts for the passphrase (not the server password).
4. Disable Password Authentication on the Server (Optional)
Edit the SSH daemon configuration on the remote server to enforce key-only authentication:
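# Match the directive whether or not it is currently commented out
sudo sed -i -E 's/^[#[:space:]]*PasswordAuthentication[[:space:]]+(yes|no).*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Validate the configuration first; restart only if it parses cleanly
sudo sshd -t && sudo systemctl restart sshd
Warning: Verify key-based login works before disabling password authentication. Disabling passwords without a working key locks you out of the server.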
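The sed edit changes only one file, while sshd takes the first value it reads for each keyword and some distributions include drop-in files from /etc/ssh/sshd_config.d/ before the main file, so the setting to trust is the effective configuration printed by sshd -T. The following is an added example, not part of the original guide: the function name audit_sshd_auth and the sample dumps are constructed for illustration, and the keyboard-interactive check goes beyond the single setting the guide changes.

```shell
#!/bin/sh
# Added example: decide from `sshd -T` output whether the server is key-only.
# audit_sshd_auth is a hypothetical helper name; it reads the dump on stdin.
audit_sshd_auth() {
    awk '
        # sshd -T prints one lowercased "keyword value" pair per line
        $1 == "passwordauthentication"          { pw  = $2 }
        $1 == "pubkeyauthentication"            { pk  = $2 }
        # keyboard-interactive (PAM) can still ask for a password;
        # older OpenSSH releases report it as challengeresponseauthentication
        $1 == "kbdinteractiveauthentication"    { kbd = $2 }
        $1 == "challengeresponseauthentication" { kbd = $2 }
        END {
            bad = 0
            if (pk != "yes") { print "FAIL pubkeyauthentication=" pk " (keys would be rejected)"; bad = 1 }
            if (pw != "no")  { print "FAIL passwordauthentication=" pw; bad = 1 }
            if (kbd != "no") { print "FAIL keyboard-interactive=" kbd; bad = 1 }
            if (!bad) print "OK key-only authentication is in effect"
            exit bad
        }'
}

# Constructed sample dumps (not captured from a real server)
SAMPLE_STILL_OPEN='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

SAMPLE_KEY_ONLY='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# On a real server: sudo sshd -T | audit_sshd_auth
printf '%s\n' "$SAMPLE_STILL_OPEN" | audit_sshd_auth || echo "password logins still possible"
printf '%s\n' "$SAMPLE_KEY_ONLY"   | audit_sshd_auth
```

Run it from the existing session before logging out, so a failed check can be corrected while access is still available.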
How to Verify Key-Based Authentication Is Working
The SSH verbose output (-v flag) confirms key authentication:
ssh -v user@203.0.113.50 2>&1 | grep "Authenticated"
Authenticated to 203.0.113.50 using "publickey".
Common Issues When Setting Up SSH Key Authentication
SSH still prompts for a password after copying the key: The most common cause is incorrect file permissions on the remote server. SSH requires ~/.ssh to be 700 and ~/.ssh/authorized_keys to be 600. Fix on the remote server with:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
See SSH: Permission denied (publickey) for full diagnosis.
ssh-copy-id fails with "Permission denied": The remote server may have password authentication disabled already, or the username is incorrect. Verify with:
ssh -o PreferredAuthentications=password user@host