How to configure and use SSH keys for passwordless, secure server access
SSH keys let you log into servers without typing passwords while being more secure than password authentication. This guide walks you through creating, installing, and using SSH key pairs in about 10–20 minutes so you can connect quickly and safely. Follow the steps in order and test each change to avoid lockouts.
Step 1: Check for existing SSH keys
Look in your home .ssh directory for id_rsa, id_ecdsa, id_ed25519 or similar files. Run a command that lists files and note any public keys (files ending in .pub); if you already have usable keys, you can reuse them to save time. Back up any existing keys before making changes.
[Illustration: a file list showing .ssh directory with id_ed25519 and id_ed25519.pub files]
Step 2: Generate a new key pair
Create a new key with a modern algorithm like ed25519: run ssh-keygen -t ed25519 -C "your_email@example.com" and press Enter. Accept the default filename, optionally enter a secure passphrase of 10–30 characters for extra protection, and note the key path printed on screen.
[Illustration: terminal generating an ed25519 SSH key with prompts for passphrase]
Step 3: Securely store your private key
Ensure the private key file (~/.ssh/id_ed25519) has permissions 600 and the .ssh folder is 700: run chmod 600 ~/.ssh/id_ed25519 and chmod 700 ~/.ssh. This prevents other users from reading your private key and is required by SSH to use the key.
[Illustration: permission numbers 700 and 600 shown next to ~/.ssh and id_ed25519 files]
Step 4: Install your public key on the server
Copy the public key to the server using ssh-copy-id user@host or append the contents of ~/.ssh/id_ed25519.pub to ~/.ssh/authorized_keys on the server. If you append the key manually, create the remote .ssh directory first and set permissions to 700 for the directory and 600 for authorized_keys; otherwise the server may reject the key.
[Illustration: public key being appended to server's authorized_keys via a secure copy action]
Step 5: Test passwordless login
Attempt ssh user@host; if you set a passphrase, your agent may prompt for it, otherwise you should connect without a password. If you still see a password prompt, check server /etc/ssh/sshd_config settings and the remote permissions, then inspect SSH client debug output with ssh -vvv user@host to diagnose.
[Illustration: terminal showing successful SSH login without entering a password]
Step 6: Use an SSH agent for convenience
Start an SSH agent and add your key with eval "$(ssh-agent -s)" and ssh-add ~/.ssh/id_ed25519 so you enter the passphrase once per session. On Windows or macOS, enable the system keychain or Pageant to cache passphrases for 8–24 hours, depending on settings, for smoother workflows.
[Illustration: agent icon with a key being loaded and a single passphrase prompt]
Step 7: Harden server SSH configuration
On the server, edit /etc/ssh/sshd_config to set PasswordAuthentication no and PermitRootLogin no to force key-based logins and reduce attack surface. Reload SSH with sudo systemctl reload sshd and keep a separate active admin session while testing to avoid locking yourself out.
[Illustration: server configuration file with PasswordAuthentication no and PermitRootLogin no highlighted]
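A pre-flight check for Steps 3, 4 and 7, added here as an example (it is not part of the original guide): it compares a .ssh directory against the 700/600 modes and reports which PasswordAuthentication or PermitRootLogin value sshd will actually use, since sshd takes the first occurrence of a keyword. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: verification helpers for Steps 3, 4 and 7 (names are hypothetical).

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Compare an .ssh directory with the modes from Steps 3 and 4: 700 for the
# directory, 600 for private keys and authorized_keys. Prints each mismatch
# and returns non-zero if there is one.
check_ssh_perms() {
    dir=$1; bad=0
    [ "$(mode_of "$dir")" = 700 ] || { echo "$dir: expected 700"; bad=1; }
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac    # public keys are not secret
        [ "$(mode_of "$f")" = 600 ] || { echo "$f: expected 600"; bad=1; }
    done
    return "$bad"
}

# Value sshd takes for a global keyword from one config file. Keywords are
# case-insensitive and the first occurrence wins, so a later line cannot
# override an earlier one; scanning stops at the first Match block because
# everything after it is conditional. Assumes "Keyword value" lines.
sshd_global_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { print tolower($2); exit }
    ' "$1"
}

# Constructed demo: an early "yes" shadows the "no" added further down.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.ssh" && chmod 755 "$tmp/.ssh"
    : > "$tmp/.ssh/id_ed25519" && chmod 644 "$tmp/.ssh/id_ed25519"
    printf '%s\n' '#PermitRootLogin prohibit-password' \
        'PasswordAuthentication yes' 'PermitRootLogin no' \
        'PasswordAuthentication no' > "$tmp/sshd_config"
    check_ssh_perms "$tmp/.ssh" || echo "fix the modes above before testing"
    echo "PasswordAuthentication: $(sshd_global_value "$tmp/sshd_config" PasswordAuthentication)"
    echo "PermitRootLogin: $(sshd_global_value "$tmp/sshd_config" PermitRootLogin)"
    rm -rf "$tmp"
}
demo
```

On a live server, sudo sshd -t validates the edited file before the reload in Step 7, and sudo sshd -T prints the effective settings after Include files and defaults are applied.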
- Use ed25519 keys for faster, smaller, and stronger keys compared to RSA; if you must use RSA choose at least 3072 bits.
- Label keys with a clear comment like username@machine and include the date so you can identify and rotate them later.
- Rotate keys every 6–12 months for critical servers and immediately remove any key you suspect has been compromised.
- Store an offline backup of your private key on an encrypted USB drive and do not email or upload it to cloud storage in plain text.
- Use ssh-agent forwarding sparingly and only with trusted jump hosts; avoid forwarding to untrusted or shared machines.
- For automated systems (CI/CD), create a dedicated deploy key with limited permissions and restrict its use to specific repositories or accounts.
- Never share your private key or paste it into chat, email, or web forms — treat it like a password.
- If you disable password authentication on the server, keep an active root or sudo session open until you verify keys work to prevent being locked out.
- Avoid using empty passphrases on keys used for remote access unless they are protected by hardware tokens or strict access controls.
- Be careful with SSH agent forwarding: a compromised intermediate host can use your forwarded key to access other servers during your session.