SSH (Secure Shell) is a protocol for securely connecting to remote servers over a network. Compared to password authentication, public key authentication offers higher security and is better suited for automation.
1. Modify SSH Server Configuration [Remote Server]
Edit the SSH server (sshd) configuration file /etc/ssh/sshd_config to enable public key authentication and disable password authentication.
sudo nano /etc/ssh/sshd_config
Find the following lines and modify or add the settings.
# Enable public key authentication
PubkeyAuthentication yes
# Disable password authentication (strongly recommended for security)
PasswordAuthentication no
# Disable direct root login (strongly recommended for security)
PermitRootLogin no
# Change SSH port (optional, default is 22)
# Port 2222
After saving the changes, restart the SSH service to apply the configuration.
sudo systemctl restart sshd
2. Generate Private and Public Keys [Local Machine]
Generate an SSH key pair (private key and public key) on the client machine.
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
- -t rsa: Generates a key using the RSA algorithm. The newer ed25519 algorithm is also recommended.
- -b 4096: Specifies the bit length of the RSA key (more secure).
- -C "your_email@example.com": Adds a comment to the key (such as an email address).
When you run the command, you will be prompted for the key save location and a passphrase.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): # Press Enter for default (usually no change needed)
Enter passphrase (empty for no passphrase): # Enter a passphrase (recommended for security)
Enter same passphrase again: # Re-enter the passphrase
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
- Passphrase: A password to protect the private key. If set, this passphrase will be required when connecting via SSH. Setting one is strongly recommended for security.
Generated files:
- id_rsa: Private key. Must never be shared with anyone.
- id_rsa.pub: Public key. Registered on the server.
3. Register the Public Key [Remote Server]
Register the generated public key on the remote server.
Create .ssh Directory and Set Permissions
If the .ssh directory does not exist in the target user’s home directory, create it and set the appropriate permissions.
# Navigate to the user's home directory
cd /home/[username]
# Create the .ssh directory
mkdir .ssh
# Set the owner of the .ssh directory to the user
sudo chown [username]:[groupname] .ssh
# Set the .ssh directory permissions to 700 (only the owner can read, write, and execute)
chmod 700 .ssh
Create authorized_keys File and Register the Public Key
Create the authorized_keys file inside the .ssh directory and paste the public key content into it.
# Create the authorized_keys file
touch .ssh/authorized_keys
# Set the authorized_keys file permissions to 600 (only the owner can read and write)
chmod 600 .ssh/authorized_keys
# Add the public key content to authorized_keys
# Transfer the public key from the local machine using scp or copy-paste manually
# Example: scp ~/.ssh/id_rsa.pub user@remote_host:~/.ssh/id_rsa.pub
# Then on the remote host:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Note: The authorized_keys file should contain one public key per line.
4. SSH Connection [Local Machine]
You can now connect via SSH using public key authentication.
ssh [username]@[IP_address_or_hostname]
If a passphrase was set, you will be prompted to enter it.
Enter passphrase for key '/Users/[username]/.ssh/id_rsa': # Enter the passphrase
If configured correctly, you can log in to the remote server without a password.
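As an added example (not part of the guide above), a POSIX shell script that checks a server's sshd_config for the three settings from step 1 and counts malformed lines in an authorized_keys file from step 3. It runs against constructed sample files, assumes the config contains no Match blocks, and accepts only the key types it lists.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the step 1 sshd_config
# settings and the "one public key per line" rule from step 3.
# Assumptions: no Match blocks in the config; only the key types listed in
# count_bad_keys are accepted as well-formed entries.

# effective_value FILE OPTION: print the value sshd would apply.
# sshd uses the first uncommented occurrence of a keyword.
effective_value() {
    awk -v opt="$2" 'tolower($1) == tolower(opt) { print $2; exit }' "$1"
}

# check_sshd_config FILE: return 0 only if all three hardening settings
# from step 1 are in effect; report each deviation on stderr.
check_sshd_config() {
    rc=0
    for pair in PubkeyAuthentication:yes PasswordAuthentication:no PermitRootLogin:no; do
        opt=${pair%%:*}; want=${pair##*:}
        got=$(effective_value "$1" "$opt")
        if [ "$got" != "$want" ]; then
            echo "$opt is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# count_bad_keys FILE: print how many non-blank, non-comment lines do not
# look like "<type> <base64> [comment]".
count_bad_keys() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    awk '!($1 ~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$/ && $2 ~ /^[A-Za-z0-9+\/=]+$/) { n++ } END { print n + 0 }'
}

# Constructed sample files: the config still allows passwords, and the
# authorized_keys file contains one malformed line.
sample_cfg=$(mktemp); sample_keys=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# comment line, ignored
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no
EOF
cat > "$sample_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl user@example
not-a-key
EOF
check_sshd_config "$sample_cfg" && echo "sshd_config: OK" || echo "sshd_config: needs attention"
echo "malformed authorized_keys lines: $(count_bad_keys "$sample_keys")"
```

Run `check_sshd_config /etc/ssh/sshd_config` together with `sudo sshd -t` (syntax check) before the restart in step 1, and keep the existing session open until a key-based login has succeeded.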