SSH programs can use various authentication methods like passwords or Kerberos, the most secure of which is key-based authentication.
Key-based authentication works by generating a public and a private key. The private key is stored on your system, and the public key is distributed to servers that you want to access remotely.
When you try to SSH to the remote server, the server will issue a challenge constructed using your public key. This encrypted message can only be decoded with your private key, which is stored on your system.
After your system replies with an appropriate response (which happens behind the scenes), the connection will be established. This authentication mode is preferred over traditional methods like passwords mainly because it isn’t prone to brute-force attacks.
Generate the Key Pair
To use key-based authentication, first generate the key pair on the client machine with ssh-keygen. By default this produces 3072-bit RSA keys. You can choose other algorithms like DSA with the -t flag, but it's best to stick with RSA for security reasons.
More importantly, you can use the -b flag to specify the number of bits in the keys. A 4096-bit RSA key is considered very secure, so you can also go with that.
ssh-keygen -b 4096
Now, you’ll be asked to select the file in which to save the private key. We recommend sticking to the default value which is
Next, you can set the passphrase for the private key. It’s optional, but we recommend using a strong passphrase as it adds an extra layer of security in case the private key is compromised.
Copy Public Key to Server
By default, the key pair is stored in the ~/.ssh directory. You'll have to copy the public key (id_rsa.pub) from there and append it to the ~/.ssh/authorized_keys file on the remote server.
The standard way to do this is with the ssh-copy-id command:
ssh-copy-id [email protected]
If you set a non-default public-key filename, or the server is listening on a port other than the default (22), you can use the -i and -p flags like so:
ssh-copy-id -i ~/.ssh/id_mypkey.pub -p 764 [email protected]
If it’s your first time connecting to this server, you’ll be asked to confirm the authenticity of the host. Type yes and press Enter to continue. Then, enter the remote user account’s password to upload the public key.
Authenticate to Server using SSH Keys
Now it’s time to log in to the remote server. If you set a passphrase for the private key earlier, you’ll be asked to enter it at this point.
ssh [email protected]
Normally, the connection should be established at this point. Some users, however, may encounter errors like Port 22: Connection Refused, typically caused by a misconfigured SSH server or a firewall. Please refer to the linked guide for detailed steps on troubleshooting such issues.
Disable Password Authentication
As mentioned earlier, password authentication is prone to brute-force attacks and ideally should not be used. Assuming you have admin privileges, you should disable it on the remote server.
Open the config file with an editor like nano.
sudo nano /etc/ssh/sshd_config
Uncomment the PasswordAuthentication directive and change the value to no.
Then, save the config and apply the changes by restarting the SSH server.
sudo systemctl restart ssh
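The following is an added example, not code from the original article, that scripts the server side of the steps above: installing a public key into authorized_keys exactly once (what ssh-copy-id does for you) and forcing PasswordAuthentication to no in sshd_config, while keeping any per-user settings in Match blocks intact. The function names and the optional path arguments are my own.

```shell
#!/bin/sh
# Added example, not code from the original article. Server-side helpers for
# the "copy public key" and "disable password authentication" steps.

# Append a public key to ~/.ssh/authorized_keys exactly once, with the
# permissions sshd's StrictModes requires (700 on ~/.ssh, 600 on the file).
# Usage: install_pubkey /path/to/id_rsa.pub [home_dir]
install_pubkey() {
    pub="$1"; home="${2:-$HOME}"
    [ -r "$pub" ] || { echo "cannot read public key file: $pub" >&2; return 1; }
    key=$(cat "$pub")
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    # -x -F: whole-line, fixed-string match, so re-running never duplicates a key.
    grep -qxF "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Report the global PasswordAuthentication value sshd will use: the first
# directive outside any Match block wins, and "yes" is the default if unset.
# Usage: password_auth_setting [/etc/ssh/sshd_config]   -> prints yes|no
password_auth_setting() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "passwordauthentication" { print tolower($2); exit }' \
               "${1:-/etc/ssh/sshd_config}")
    printf '%s\n' "${val:-yes}"
}

# Force "PasswordAuthentication no" in sshd_config. Because sshd honours the
# first occurrence, the directive is placed on line 1 (ahead of any Include),
# older global copies (active or commented out) are removed, and per-user
# settings inside Match blocks are left untouched.
# Usage: disable_password_auth [/etc/ssh/sshd_config]
disable_password_auth() {
    cfg="${1:-/etc/ssh/sshd_config}"; tmp="$cfg.tmp.$$"
    awk 'BEGIN { print "PasswordAuthentication no" }
         tolower($1) == "match" { inmatch = 1 }
         {
             key = $1
             if (key ~ /^#/) key = (key == "#") ? $2 : substr(key, 2)
             if (!inmatch && tolower(key) == "passwordauthentication") next
             print
         }' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps owner and mode
    rm -f "$tmp"
}
```

Before restarting the service, confirm the edit with `sudo sshd -t` (syntax check) and `sudo sshd -T | grep -i passwordauthentication` (the value sshd will actually apply). Keep your existing key-based session open until a fresh key login has been verified.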