Daxesh Italiya

Posted on • Originally published at ctrlops.io

How to Set Up SSH Key Authentication in 5 Minutes

SSH key authentication replaces passwords with a pair of key files - one private, one public. Your server verifies your identity without a password being typed or sent over the network. Setup takes about 5 minutes. Once it works, you will never want to go back to passwords.

Password-based SSH is a real problem if you manage more than one server. You forget which password goes where. Someone rotates a credential and forgets to tell you. One leaked password, and an attacker has the same access you do. Key-based auth removes all of that.

I have configured key auth on 40+ servers across AWS, DigitalOcean, and bare-metal setups. This guide covers the exact commands for Mac, Windows, and Linux, from start to finish.


What SSH Key Auth Actually Does

SSH keys work as a pair: a private key (stays on your machine, never shared) and a public key (goes on every server you want to access).

When you connect, your machine proves it holds the private key without ever sending it over the network. The server checks its list of authorized public keys, finds a match, and lets you in.

No password is sent over the network. Password-based brute-force attacks become ineffective because the server no longer accepts password authentication. No shared Google Doc of credentials needed.

Why it matters: According to the 2024 Verizon Data Breach Investigations Report, credential theft and abuse remain one of the most common ways attackers gain unauthorized access to systems. SSH key authentication removes the need for passwords during SSH login, making password-based attacks against your SSH service ineffective.


Step 1: Check if You Already Have Keys

Before generating new keys, check if you already have a pair sitting in ~/.ssh/.

Mac / Linux:

ls -la ~/.ssh/

Windows (PowerShell):

Get-ChildItem $env:USERPROFILE\.ssh\

You're looking for files like id_ed25519 and id_ed25519.pub (or id_rsa / id_rsa.pub).

If they exist, skip to Step 3. If not, keep going.


Step 2: Generate a New Key Pair

Use Ed25519. It's faster, shorter, and more secure than RSA. Nearly every modern server supports it.

ssh-keygen -t ed25519 -C "your-email@example.com"

You'll see three prompts:

  1. File location - press Enter to accept the default (~/.ssh/id_ed25519)
  2. Passphrase - add one for extra security, or press Enter to skip
  3. Confirm passphrase - repeat it or press Enter again

That's it. Two files are created:

| File | What it is | Share it? |
| --- | --- | --- |
| id_ed25519 | Private key | Never. This stays on your machine. |
| id_ed25519.pub | Public key | Yes. This goes on your servers. |

⚠️ The -C flag adds a comment (usually your email) inside the public key. When you have keys from multiple machines on one server, this comment is the only way to tell them apart. Don't skip it.

What if My Server Only Supports RSA?

Some older systems (CentOS 6, legacy appliances) don't recognize Ed25519. Use RSA 4096 as a fallback:

ssh-keygen -t rsa -b 4096 -C "your-email@example.com"

Same prompts, same process. Just a longer key.


Step 3: Copy the Public Key to Your Server

This is the step where most tutorials get complicated. It doesn't have to be.

Method 1: ssh-copy-id (Fastest)

If you can currently log in with a password, this one command does everything:

ssh-copy-id username@your-server-ip

It copies your public key, creates the ~/.ssh/authorized_keys file if needed, and sets the correct permissions. Done.

Windows users: ssh-copy-id isn't available natively in PowerShell. Use Method 2 or install Git Bash.

Method 2: Manual Copy (Works Everywhere)

First, copy your public key to the clipboard:

# Mac
cat ~/.ssh/id_ed25519.pub | pbcopy

# Linux
cat ~/.ssh/id_ed25519.pub | xclip -selection clipboard

# Windows PowerShell
Get-Content $env:USERPROFILE\.ssh\id_ed25519.pub | Set-Clipboard

Then SSH into your server with your password (one last time) and run:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Replace PASTE_YOUR_PUBLIC_KEY_HERE with the actual key you copied.

Method 3: Cloud Provider Dashboard

On AWS, DigitalOcean, or Hetzner, you can paste your public key in the dashboard before creating a new server. The provider injects it into authorized_keys during provisioning.

This is the cleanest method for new servers - but it only works at creation time.


Step 4: Test the Connection

ssh username@your-server-ip

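If everything worked, you're in, with no password prompt. The first time you connect, SSH asks you to confirm the server's host key fingerprint; after that, you'll connect straight to a shell. If you set a passphrase in Step 2, you'll be asked for it to unlock the key. That prompt is local and is not the server's password prompt.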

If you still see a password prompt, check these common issues:

| Problem | Fix |
| --- | --- |
| Wrong permissions on authorized_keys | chmod 600 ~/.ssh/authorized_keys |
| Wrong permissions on .ssh directory | chmod 700 ~/.ssh |
| Key not in authorized_keys | Re-run ssh-copy-id or Method 2 |
| Wrong user | Make sure you're logging in as the same user whose authorized_keys you edited |
| PubkeyAuthentication disabled on server | Check /etc/ssh/sshd_config - set PubkeyAuthentication yes and restart sshd |
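
The first three checks in the table above, as an added shell example that is not part of the original article: it flags any group/other permission bits on the .ssh directory and authorized_keys, and looks for your public key by its base64 field rather than by its comment. The function names and the sample key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Covers the first three rows
# of the troubleshooting table: directory mode, file mode, key present.

# perm_of PATH -> octal mode such as 700 (GNU stat first, then BSD/macOS)
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# too_open PATH -> 0 if group or other has any permission bit set
too_open() {
    to_mode=$(perm_of "$1") || return 2
    [ $(( 0$to_mode & 077 )) -ne 0 ]
}

# key_listed PUBKEY_FILE AUTHORIZED_KEYS -> 0 if the key is present.
# Matches on the base64 blob (2nd field of the .pub file), so a different
# comment or leading options on the server side do not hide a match.
key_listed() {
    kl_blob=$(awk 'NF >= 2 { print $2; exit }' "$1")
    [ -n "$kl_blob" ] || return 2
    awk -v blob="$kl_blob" '
        $1 ~ /^#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == blob) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# check_key_install SSH_DIR PUBKEY_FILE -> prints findings, returns the count
check_key_install() {
    cki_bad=0
    cki_auth="$1/authorized_keys"
    [ -d "$1" ] || { echo "missing directory: $1"; return 1; }
    [ -f "$cki_auth" ] || { echo "missing file: $cki_auth"; return 1; }
    if too_open "$1"; then
        echo "fix: chmod 700 $1"; cki_bad=$((cki_bad + 1)); fi
    if too_open "$cki_auth"; then
        echo "fix: chmod 600 $cki_auth"; cki_bad=$((cki_bad + 1)); fi
    if ! key_listed "$2" "$cki_auth"; then
        echo "key from $2 is not in $cki_auth"; cki_bad=$((cki_bad + 1)); fi
    return "$cki_bad"
}

# Constructed sample: placeholder key blobs, authorized_keys left group-readable.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYAAAA alice@laptop" > "$demo/id.pub"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERCONSTRUCTEDKEYBBBB bob@desktop" > "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/authorized_keys"
check_key_install "$demo/.ssh" "$demo/id.pub" || echo "$? problem(s) found"
rm -rf "$demo"
```

On the server, run it as the login user with `check_key_install ~/.ssh /path/to/id_ed25519.pub` after copying the .pub file over.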

Step 5: Disable Password Login (Optional but Recommended)

Once key auth works, you can turn off password login entirely. This blocks every password brute-force attempt at the door.

sudo nano /etc/ssh/sshd_config

Find and change these lines:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password

Restart the SSH service:

Ubuntu/Debian

sudo systemctl restart ssh

RHEL/CentOS/Rocky Linux/AlmaLinux

sudo systemctl restart sshd

⚠️ Before you do this: make sure your key login works in a separate terminal session. If you lock yourself out with no password fallback, you'll need console access from your cloud provider to recover.
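
One way to confirm that the edits above actually take effect, as an added shell example that is not part of the original article: sshd keeps the first value it reads for each keyword, so a hardened line appended below a stock line is silently ignored. The function names and the sample config are constructed; the script reads one file's global section, stops at the first Match block, and does not follow Include directives.

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd uses the FIRST value it reads for each keyword, so this reports the
# value that takes effect in the global section of one sshd_config-style file.

# effective_value FILE KEYWORD -> first global value (lowercased), or nothing
effective_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/         { next }   # blank lines and comments
        tolower($1) == "match"       { exit }   # Match blocks are conditional
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints mismatches, returns how many were found
audit_sshd_config() {
    audit_bad=0
    for audit_pair in pubkeyauthentication:yes passwordauthentication:no \
            challengeresponseauthentication:no permitrootlogin:prohibit-password
    do
        audit_key=${audit_pair%%:*}
        audit_want=${audit_pair#*:}
        audit_got=$(effective_value "$1" "$audit_key")
        if [ "$audit_got" != "$audit_want" ]; then
            echo "$audit_key: effective '${audit_got:-unset}', wanted '$audit_want'"
            audit_bad=$((audit_bad + 1))
        fi
    done
    return "$audit_bad"
}

# Constructed sample: the stock "yes" line was left in place and the
# hardened lines were appended below it, so PasswordAuthentication stays yes.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's config
PasswordAuthentication yes
PubkeyAuthentication yes
#PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample" || echo "$? directive(s) not in effect"
rm -f "$sample"
```

Before restarting, `sudo sshd -t` checks the file for syntax errors, and `sudo sshd -T` prints the fully resolved configuration, including any files pulled in by Include.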


Managing Keys Across Multiple Servers

Once you manage 5–10+ servers, key auth creates a new problem: keeping track of which keys are authorized where, revoking access when someone leaves, and rotating keys on a schedule.


At that scale, I use CtrlOps - it has a visual SSH key registry where you can see every authorized key on a server, copy keys across servers, and revoke access with one click. The built-in SSH Setup Wizard walks through key generation and server setup if you're starting from scratch. It's free for a month if you want to try it.

But for 1–3 servers, the manual process above is all you need.


Quick Reference

Here's the complete setup at a glance:

# 1. Generate key
ssh-keygen -t ed25519 -C "your-email@example.com"

# 2. Copy to server
ssh-copy-id username@your-server-ip

# 3. Test
ssh username@your-server-ip

# 4. (Optional) Disable password auth
# Open the SSH configuration file
sudo nano /etc/ssh/sshd_config

# Change:
PasswordAuthentication no

# Save the file, then restart the SSH service
# Ubuntu/Debian:
sudo systemctl restart ssh

# RHEL/CentOS/Rocky/AlmaLinux:
sudo systemctl restart sshd

A few commands, about five minutes, and you'll never have to type your server password again.


If this saved you time, drop a comment - always happy to write more server management deep-dives.
