SSH key authentication replaces passwords with a pair of key files - one private, one public. Your server verifies you by checking a signature made with the private key; the key itself is never typed in or sent over the network. Setup takes about 5 minutes. Once it works, you will never want to go back to passwords.
Password-based SSH is a real problem if you manage more than one server. You forget which password goes where. Someone rotates a credential and forgets to tell you. One leaked password, and an attacker has the same access you do. Key-based auth removes all of that.
I have configured key auth on 40+ servers across AWS, DigitalOcean, and bare-metal setups. This guide covers the exact commands for Mac, Windows, and Linux, from start to finish.
What SSH Key Auth Actually Does
SSH keys work as a pair: a private key (stays on your machine, never shared) and a public key (goes on every server you want to access).
When you connect, your client offers the public key, the server checks it against its list of authorized keys, and then asks the client to sign a challenge with the matching private key. Only the signature crosses the network; the private key never leaves your machine.
No password is sent over the network. Password brute-forcing stops working once you also turn off password authentication on the server (Step 5); until then, sshd still accepts passwords alongside keys, so do not skip that step. No shared Google Doc of credentials needed.
Why it matters: According to the 2024 Verizon Data Breach Investigations Report, credential theft and abuse remain one of the most common ways attackers gain unauthorized access to systems. SSH key authentication removes the password from SSH login, and once password login is disabled there is no password left for an attacker to guess or reuse against your SSH service.
Step 1: Check if You Already Have Keys
Before generating new keys, check if you already have a pair sitting in ~/.ssh/.
Mac / Linux:
ls -la ~/.ssh/
Windows (PowerShell):
Get-ChildItem $env:USERPROFILE\.ssh\
You're looking for files like id_ed25519 and id_ed25519.pub (or id_rsa / id_rsa.pub).
If they exist, skip to Step 3. If not, keep going.
Step 2: Generate a New Key Pair
Use Ed25519. Keys are short, signing is fast, and unlike RSA there is no key size or padding scheme to get wrong. OpenSSH has supported it since version 6.5 (2014), so nearly every server you will meet accepts it.
ssh-keygen -t ed25519 -C "your-email@example.com"
You'll see three prompts:
- File location - press Enter to accept the default (~/.ssh/id_ed25519)
- Passphrase - add one. It encrypts the private key on disk, so a copied key file alone is useless without it; ssh-agent caches it so you type it once per session. Pressing Enter to skip leaves the key only as safe as your laptop.
- Confirm passphrase - repeat it or press Enter again
That's it. Two files are created:
| File | What it is | Share it? |
|---|---|---|
| id_ed25519 | Private key | Never. This stays on your machine. |
| id_ed25519.pub | Public key | Yes. This goes on your servers. |
⚠️ The -C flag adds a comment (usually your email, or user@machine) to the end of the public key line. When keys from several machines sit in one authorized_keys file, that comment is the easiest way to tell them apart; the only alternative is comparing fingerprints. Don't skip it.
What if My Server Only Supports RSA?
Some older systems (CentOS 6, legacy appliances) don't recognize Ed25519. Use RSA 4096 as a fallback:
ssh-keygen -t rsa -b 4096 -C "your-email@example.com"
Same prompts, same process. Just a longer key. One caveat: OpenSSH 8.8 and later clients refuse the old ssh-rsa (SHA-1) signature scheme by default, and those same legacy servers usually cannot do the newer rsa-sha2-256. If the connection still fails, you will have to re-enable it for that host with the PubkeyAcceptedAlgorithms option, and accept that the server is the weak link.
Step 3: Copy the Public Key to Your Server
This is the step where most tutorials get complicated. It doesn't have to be.
Method 1: ssh-copy-id (Fastest)
If you can currently log in with a password, this one command does everything:
ssh-copy-id username@your-server-ip
It copies your public key, creates the ~/.ssh/authorized_keys file if needed, and sets the correct permissions. By default it sends every public key it finds in ssh-agent or ~/.ssh; add -i ~/.ssh/id_ed25519.pub to send just the one you mean. Done.
Windows users: ssh-copy-id isn't available natively in PowerShell. Use Method 2 or install Git Bash.
Method 2: Manual Copy (Works Everywhere)
First, copy your public key to the clipboard:
# Mac
cat ~/.ssh/id_ed25519.pub | pbcopy
# Linux (X11, needs xclip installed; on Wayland use wl-copy instead)
cat ~/.ssh/id_ed25519.pub | xclip -selection clipboard
# Windows PowerShell
Get-Content $env:USERPROFILE\.ssh\id_ed25519.pub | Set-Clipboard
Then SSH into your server with your password (one last time) and run:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Replace PASTE_YOUR_PUBLIC_KEY_HERE with the actual key you copied. It must land as a single line; a key that wraps across two lines is ignored by sshd with no error shown to you.
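As an added example (not code from the original post), here is the server-side half of what ssh-copy-id does, written as a POSIX shell function you can paste into the server shell in place of the echo line above. Compared with a plain append it refuses anything that is not an OpenSSH public key line (a wrapped paste, a private key, the placeholder text), sets the modes that sshd's StrictModes insists on, and skips a key that is already present instead of adding a duplicate. The key lines in the comments are constructed samples, not real keys.

```shell
#!/bin/sh
# install_authorized_key FILE "KEYTYPE BASE64BLOB [COMMENT]"
# Appends one public key line to FILE (normally ~/.ssh/authorized_keys),
# creating the directory and file with the permissions sshd requires.
# Returns 0 on success or if the key was already there, 2 on bad input.
install_authorized_key() {
    file="$1"
    key="$2"
    # First word must be a key type OpenSSH actually emits.
    ktype=${key%% *}
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 2 ;;
    esac
    # A key line has at least a type and a base64 blob; the comment is optional.
    blob=$(printf '%s\n' "$key" | awk 'NF >= 2 { print $1 " " $2 }')
    [ -n "$blob" ] || { echo "refusing: missing key material" >&2; return 2; }
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file" || return 1
    # Dedupe on type+blob only: the trailing comment is free text and may differ
    # between the copy on your laptop and the copy already on the server.
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$file"; then
        echo "already authorized: $blob" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
}

# count_authorized_keys FILE: number of key lines, ignoring blanks and comments.
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" || true
}

# Example use on the server (constructed sample key, not a real one):
#   install_authorized_key ~/.ssh/authorized_keys \
#       'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlob00000000000000 laptop'
```

If you would rather not touch the clipboard at all, the same thing can be done in one hop from your own machine by piping the public key over SSH into a shell on the server that runs this function; on Windows, Get-Content piped into ssh works the same way, which also covers the missing ssh-copy-id there.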
Method 3: Cloud Provider Dashboard
On AWS, DigitalOcean, or Hetzner, you can paste your public key in the dashboard before creating a new server. The provider injects it into authorized_keys during provisioning.
This is the cleanest method for new servers - but it only works at creation time.
Step 4: Test the Connection
ssh username@your-server-ip
If everything worked, you're in with no password prompt. The first time you connect to a new host you will still be asked to confirm its host key fingerprint; after that, you go straight to a shell.
If you still see a password prompt, run the connection with ssh -v to see which keys the client offered and whether the server rejected them, and check the server's auth log (journalctl -u ssh on Ubuntu, /var/log/secure on RHEL). Then work through these common issues:
| Problem | Fix |
|---|---|
| Wrong permissions on authorized_keys | chmod 600 ~/.ssh/authorized_keys |
| Wrong permissions on .ssh directory | chmod 700 ~/.ssh |
| Home directory writable by group or others (sshd's StrictModes then ignores the key and logs "bad ownership or modes") | Remove group and world write permission from your home directory |
| Key not in authorized_keys | Re-run ssh-copy-id or Method 2 |
| Wrong user | Make sure you're logging in as the same user whose authorized_keys you edited |
| PubkeyAuthentication disabled on server | Check /etc/ssh/sshd_config - set PubkeyAuthentication yes and restart sshd |
Step 5: Disable Password Login (Optional but Recommended)
Once key auth works, turn off password login entirely. Until you do, sshd still accepts passwords alongside keys, so every brute-force guess still gets its try.
sudo nano /etc/ssh/sshd_config
Find and change these lines. If one of them is commented out, uncomment it: a # line only documents the default, it sets nothing.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
On OpenSSH 8.7 and later, ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication; either spelling works. Also look for an Include /etc/ssh/sshd_config.d/*.conf line near the top of the file. sshd uses the first value it reads for each option, so a PasswordAuthentication yes in a drop-in there (Ubuntu cloud images ship one called 50-cloud-init.conf) silently overrides your edit below it. Fix the drop-in as well, or add your own drop-in that sorts before it.
Restart the SSH service:
Ubuntu/Debian
sudo systemctl restart ssh
RHEL/CentOS/Rocky Linux/AlmaLinux
sudo systemctl restart sshd
⚠️ Before you do this: confirm key login works from a second terminal, and keep that session open until the restart has succeeded and you have logged in again. Run sudo sshd -t first; a syntax error in sshd_config stops the service from coming back up, and that is a worse lockout than a wrong setting. If you lock yourself out with no password fallback, you'll need console access from your cloud provider to recover.
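Added example, not code from the original post: two POSIX shell helpers for Step 5. The first writes the key-only settings as a drop-in under /etc/ssh/sshd_config.d/; the second reports the value sshd will actually use for an option, applying OpenSSH's own rules that the first value obtained wins and that Include directives are expanded in place, in sorted glob order. That is exactly the mechanism by which a distro drop-in overrides a hand edit to sshd_config. The helper deliberately does not model Match blocks (an assumption stated in the code); sshd -T remains the authoritative answer.

```shell
#!/bin/sh
# _walk_sshd_config FILE: print FILE with every Include expanded in place.
# sshd reads files in exactly this order, so the first directive printed
# for a given keyword is the one that takes effect.
_walk_sshd_config() {
    f="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        # Unquoted expansion splits the line into words and expands any
        # glob in an Include path, in sorted order, as sshd does.
        set -- $line
        case "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" in
            include)
                shift
                for inc in "$@"; do
                    if [ -f "$inc" ]; then _walk_sshd_config "$inc"; fi
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$f"
}

# effective_sshd_option MAIN_CONFIG OPTION: value of the first matching
# directive (keywords are case-insensitive), or nothing if it is never set.
# Assumption/limitation: Match blocks are treated like top-level lines.
effective_sshd_option() {
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _walk_sshd_config "$1" | awk -v name="$name" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == name && !found { val = $2; found = 1 }
        END { if (found) print val }
    '
}

# write_key_only_dropin FILE: the Step 5 settings as a drop-in. Give it a
# name that sorts BEFORE the distro's own files (for example
# 10-key-only.conf next to Ubuntu's 50-cloud-init.conf); a later name is
# read later and loses to the distro's "PasswordAuthentication yes".
write_key_only_dropin() {
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
# ChallengeResponseAuthentication is the pre-8.7 name for this option
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
    chmod 644 "$1"
}

# Typical use on an Ubuntu host (paths are the real defaults there):
#   write_key_only_dropin /etc/ssh/sshd_config.d/10-key-only.conf
#   effective_sshd_option /etc/ssh/sshd_config PasswordAuthentication   # expect: no
#   sshd -t && systemctl restart ssh
```

On a system whose sshd_config has no Include line (older Debian and RHEL releases), drop-ins are never read; edit sshd_config itself as shown above. In either case, confirm with sudo sshd -T | grep -i passwordauthentication after the restart, since that prints the merged configuration sshd is really running with.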
Managing Keys Across Multiple Servers
Once you manage 5–10+ servers, key auth creates a new problem: keeping track of which keys are authorized where, revoking access when someone leaves, and rotating keys on a schedule.
At that scale, I use CtrlOps - it has a visual SSH key registry where you can see every authorized key on a server, copy keys across servers, and revoke access with one click. The built-in SSH Setup Wizard walks through key generation and server setup if you're starting from scratch. It's free for a month if you want to try it.
But for 1–3 servers, the manual process above is all you need.
Quick Reference
Here's the complete setup at a glance:
# 1. Generate key
ssh-keygen -t ed25519 -C "your-email@example.com"
# 2. Copy to server
ssh-copy-id username@your-server-ip
# 3. Test
ssh username@your-server-ip
# 4. (Optional) Disable password auth
# Open the SSH configuration file
sudo nano /etc/ssh/sshd_config
# Change:
PasswordAuthentication no
# Save the file, then restart the SSH service
# Ubuntu/Debian:
sudo systemctl restart ssh
# RHEL/CentOS/Rocky/AlmaLinux:
sudo systemctl restart sshd
A few commands, about five minutes, and you'll never have to type your server password again.
If this saved you time, drop a comment - always happy to write more server management deep-dives.
