SSH Key Authentication Guide: Ditch Passwords, Secure Your VPS
Typing your password every time you SSH into a VPS gets old fast. Worse, password login is a standing liability: the secret is short enough to guess, it tends to be reused across servers, and anything that sees you type it (a keylogger, a phishing page, a server you were tricked into connecting to) captures it whole.
SSH key authentication solves both problems at once. Set it up once, never type a server password again, and get a credential that cannot be guessed, is never sent to the server, and cannot be captured by watching a login.
This guide walks you through the entire process from scratch.
What Is SSH Key Authentication
The Problem with Passwords
Traditional password login has several critical weaknesses:
| Issue | Consequence |
|---|---|
| Passwords can be brute-forced | Simple passwords cracked in minutes |
| The password itself is sent to the server | An impostor or compromised server learns the secret and can reuse it |
| Same password across servers | One breach compromises everything |
| Manual entry is slow | Can't be used for automation |
How Key Authentication Works
SSH key authentication is built on asymmetric cryptography — a mathematically linked pair of keys:
- Private Key: Lives only on your computer. Never share it.
- Public Key: Placed on the server. Safe to share freely.
Think of it as a lock and a key: the public key is a lock you install on each server, and the private key is the only key that opens it.
The authentication handshake, in outline:
- Your computer opens an SSH connection; both sides negotiate session keys and derive a session identifier unique to this connection (this is also where your client checks the server's host key)
- Your client offers a public key; if that key is listed in the account's authorized_keys, the server asks for proof
- Your client signs a message that includes the session identifier with the private key
- The server verifies the signature with the public key; a valid signature means access granted
Throughout this process, your private key never leaves your machine and is never transmitted over the network. Because the signed message is bound to this session, a captured signature cannot be replayed against another connection, and nobody without the private key can produce a fresh one.
Why "asymmetric"? Because the two operations use different keys: only the private key can produce a signature, and the matching public key can only verify one, which is what makes it safe to publish. This is fundamentally different from symmetric cryptography (like AES), where one shared secret is used for both operations, so anyone you share it with can impersonate you.
Why It's More Secure Than Passwords
| Comparison | Password Auth | Key Auth |
|---|---|---|
| Brute force | Feasible against weak passwords, and attempted around the clock | Infeasible: a 256-bit Ed25519 key cannot be guessed |
| Network exposure | The secret itself is sent to the server | Private key never leaves the local machine; only a signature is sent |
| Automation | Requires extra tools (sshpass, etc.) | Native: scripts, scp, rsync and CI jobs use the key directly |
| Multi-server | Remember a password per server | One key accesses many servers |
| Theft risk | Phishing and social engineering work | Attacker must obtain the key file from your device; a passphrase protects it even then |
Generating an SSH Key Pair
Choosing an Algorithm
Current mainstream SSH key algorithms:
| Algorithm | Key Length | Security | Recommendation |
|---|---|---|---|
| Ed25519 | 256 bit | Excellent | ⭐⭐⭐ Top choice |
| RSA | 4096 bit | Strong | ⭐⭐ Good compatibility |
| ECDSA | 256/384/521 bit | Strong | ⭐ Acceptable |
| DSA | 1024 bit | Weak | ❌ Deprecated |
Go with Ed25519: it's shorter, faster, and has no key-size or curve choices to get wrong. Only fall back to RSA (4096 bits) when connecting to very old servers (OpenSSH before 6.5, which introduced Ed25519) or appliances that accept nothing else. Never create DSA keys: OpenSSH has refused them by default since 7.0 and removed support entirely in 9.8.
Generating on Windows
Open PowerShell (Win + X → Terminal) and run `ssh-keygen -t ed25519 -C "your-email@example.com"` (the -C comment only labels the key; it has no security role). Windows 10 and 11 ship the OpenSSH client, so nothing extra needs installing.
Interactive prompts: ssh-keygen asks where to save the key (accept the default, %USERPROFILE%\.ssh\id_ed25519) and then for a passphrase.
A passphrase encrypts the private key on disk, so a copied key file is useless without it. Set one on any key that reaches a server you care about; you will not be typing it on every connection if you load the key into ssh-agent once per login session. Leave it empty only for throwaway keys.
This creates two files: id_ed25519 (the private key, which stays on this machine) and id_ed25519.pub (the public key, the part you install on servers).
Generating on Linux/Mac
The exact same ssh-keygen command works in a terminal, with the same prompts. Files are created in ~/.ssh/ as id_ed25519 and id_ed25519.pub.
Viewing Your Public Key
Print the .pub file (`cat ~/.ssh/id_ed25519.pub`; on Windows, `type $env:USERPROFILE\.ssh\id_ed25519.pub`). The output is one line with three fields: the key type (ssh-ed25519), the key itself as base64 (for Ed25519 always 68 characters, beginning AAAAC3NzaC1lZDI1NTE5), and the comment.
This single line is what goes on your server. Never paste the private key file, the one that begins with -----BEGIN OPENSSH PRIVATE KEY-----.
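The generation step and the sign/verify step behind the handshake, as an added example script (not code from the original guide). It generates a throwaway Ed25519 key in a scratch directory, prints the fingerprint, checks that the public-key line has the shape described above, and then uses ssh-keygen's signing mode to show that the private key signs and the public key verifies, and that tampered data fails. It assumes OpenSSH 8.0 or newer for `ssh-keygen -Y`; the empty passphrase is only acceptable because the key is deleted at the end.

```shell
#!/bin/sh
# Added example (not from the original guide): generate an Ed25519 key pair in a
# scratch directory, print its fingerprint, sanity-check the public-key line, and
# show the sign/verify step the handshake relies on via ssh-keygen -Y (OpenSSH
# 8.0+). -N '' (no passphrase) is only because the key is a throwaway; for a
# real key let ssh-keygen prompt for one.
set -eu

nl=$(printf '\nx'); nl=${nl%x}      # a literal newline, portable across shells

# check_pubkey_line <line>: 0 if it is a well-formed single-line Ed25519 or RSA
# public key ("<type> <base64> [comment]"), 1 otherwise. Structure only; it
# does not prove the key material is valid, that is what ssh-keygen -l is for.
check_pubkey_line() {
  pk_line=$1
  case $pk_line in *"$nl"*) return 1 ;; esac          # wrapped lines never load
  set -f; set -- $pk_line; set +f                     # split fields, no globbing
  pk_type=${1:-}; pk_blob=${2:-}
  case $pk_blob in ""|*[!A-Za-z0-9+/=]*) return 1 ;; esac   # base64 alphabet only
  case $pk_type in
    ssh-ed25519)
      # 51 bytes of wire format = 68 base64 chars; the fixed prefix encodes the type string
      [ ${#pk_blob} -eq 68 ] || return 1
      case $pk_blob in AAAAC3NzaC1lZDI1NTE5AAAAI*) return 0 ;; *) return 1 ;; esac ;;
    ssh-rsa)
      case $pk_blob in AAAAB3NzaC1yc2E*) return 0 ;; *) return 1 ;; esac ;;
    *) return 1 ;;
  esac
}

# Constructed sample: a structurally valid Ed25519 line with an all-zero key
# (fine for format checks, useless as a real key).
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%43s' '' | tr ' ' A) demo@example"

demo() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed; skipping demo"; return 0; }
  dir=$(mktemp -d)
  ssh-keygen -q -t ed25519 -C demo@example -N '' -f "$dir/id_ed25519"
  echo "fingerprint: $(ssh-keygen -l -f "$dir/id_ed25519.pub")"
  check_pubkey_line "$(cat "$dir/id_ed25519.pub")" && echo "public key line: well-formed"

  # The handshake in miniature: the private key signs, the public key verifies.
  printf 'session-bound challenge' > "$dir/msg"
  if ssh-keygen -Y sign -f "$dir/id_ed25519" -n demo "$dir/msg" 2>/dev/null; then
    # allowed_signers maps an identity to a public key: "<identity> <type> <base64>"
    cut -d' ' -f1,2 "$dir/id_ed25519.pub" | sed 's/^/demo@example /' > "$dir/allowed_signers"
    ssh-keygen -Y verify -f "$dir/allowed_signers" -I demo@example -n demo \
      -s "$dir/msg.sig" < "$dir/msg" && echo "signature verifies with the public key"
    printf 'x' >> "$dir/msg"                          # tamper with the signed data
    ssh-keygen -Y verify -f "$dir/allowed_signers" -I demo@example -n demo \
      -s "$dir/msg.sig" < "$dir/msg" 2>/dev/null || echo "tampered data: verification fails, as it should"
  else
    echo "ssh-keygen -Y not available (OpenSSH < 8.0); skipping signature demo"
  fi
  rm -rf "$dir"
}

demo
```

Run it as `sh keydemo.sh`. The `check_pubkey_line` function is the same check to apply to a line pasted into authorized_keys: a wrapped line or a stray character in the base64 is the most common reason a correctly generated key is silently ignored.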
Configuring Passwordless Login on Your VPS
Method 1: ssh-copy-id (Recommended)
On Linux/Mac, one command does everything: `ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server`.
It logs in with your password one last time, creates ~/.ssh on the server if needed, appends your public key to the server's ~/.ssh/authorized_keys file and sets the permissions. Name the key with -i; without it, ssh-copy-id may copy every public key it finds in ~/.ssh or your agent.
Method 2: Windows Manual Transfer
Windows doesn't ship ssh-copy-id, so pipe the file over instead: send the contents of the .pub file through ssh to a remote command that appends it, for example `type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh user@your-server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"`.
Also requires your password one final time. This route does not set permissions for you, so do the next section's chmod step afterwards.
Method 3: Fully Manual
If neither method above works (unusual network setups, a provider web console, etc.): copy the single public-key line, log in to the server by whatever route you have, create ~/.ssh if it is missing, and append the line to ~/.ssh/authorized_keys with a text editor. One key per line, unwrapped, nothing else on the line.
Setting Correct Permissions
This step is critically important! With its default StrictModes yes, sshd refuses to use an authorized_keys file that other users could tamper with, which in practice means ~/.ssh, the file itself and your home directory must not be group- or world-writable. When they are, the key is ignored, the client quietly falls back to asking for a password, and the only explanation is in the server's log. You might not even realize the setup didn't work.
On your VPS, set the directory and file modes yourself (ssh-copy-id does this; the manual methods do not):
Permission reference:
| File/Directory | Permission | Meaning |
|---|---|---|
| ~/.ssh/ | 700 | Owner can read, write, execute only |
| ~/.ssh/authorized_keys | 600 | Owner can read and write only |
| Private key file | 600 | Owner can read and write only |
| Public key file | 644 | Owner read/write, others read |
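The server side of Method 3 and the permission fix, combined into one added example script (not from the original guide): it appends a key only if it is not already present, sets the modes from the table, and reports the first thing sshd would reject. The demo at the bottom works entirely in a scratch directory with a constructed key; to use the functions for real, call `install_pubkey "$HOME" "$(cat id_ed25519.pub)"`. It assumes GNU coreutils `stat -c`, i.e. a Linux VPS.

```shell
#!/bin/sh
# Added example (not from the original guide): the server side of Method 3 as
# an idempotent script, the permission fix, and a check that reports what sshd
# would complain about. The demo works in a scratch directory; point the
# functions at "$HOME" to use them for real. Assumes GNU stat (-c %a), i.e. Linux.
set -eu

# install_pubkey <home> <public-key-line>: append the key unless its type and
# key material are already present (comments are ignored when matching), then
# fix permissions. Safe to run repeatedly.
install_pubkey() {
  ip_home=$1; ip_key=$2
  ip_file=$ip_home/.ssh/authorized_keys
  mkdir -p "$ip_home/.ssh"
  touch "$ip_file"
  ip_id=$(printf '%s\n' "$ip_key" | cut -d' ' -f1,2)
  if ! grep -Fqs -- "$ip_id" "$ip_file"; then
    printf '%s\n' "$ip_key" >> "$ip_file"
  fi
  fix_ssh_perms "$ip_home"
}

# fix_ssh_perms <home>: the modes sshd's StrictModes expects.
fix_ssh_perms() {
  fp_home=$1
  chmod go-w "$fp_home"                      # home must not be group/world-writable
  chmod 700 "$fp_home/.ssh"
  chmod 600 "$fp_home/.ssh/authorized_keys"
  for f in "$fp_home"/.ssh/id_*; do          # private keys 600, public keys 644
    [ -e "$f" ] || continue
    case $f in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
  done
}

# check_ssh_perms <home>: prints "ok", or the first problem; returns 1 on a problem.
check_ssh_perms() {
  cp_home=$1
  cp_h=$(stat -c %a "$cp_home"); cp_h=${cp_h#"${cp_h%???}"}   # last three octal digits
  cp_d=$(stat -c %a "$cp_home/.ssh")
  cp_f=$(stat -c %a "$cp_home/.ssh/authorized_keys")
  case $cp_h in ?[2367]?|??[2367])
    echo "home is mode $cp_h: group/world-writable, sshd will ignore the key"; return 1 ;;
  esac
  [ "$cp_d" = 700 ] || { echo ".ssh is mode $cp_d, want 700"; return 1; }
  [ "$cp_f" = 600 ] || { echo "authorized_keys is mode $cp_f, want 600"; return 1; }
  echo ok
}

# count_keys <home>: number of non-empty lines in authorized_keys.
count_keys() { grep -c . "$1/.ssh/authorized_keys"; }

demo() {
  d_home=$(mktemp -d)
  # constructed sample key (all-zero key material), not a real key
  d_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%43s' '' | tr ' ' A) demo@example"
  install_pubkey "$d_home" "$d_key"
  install_pubkey "$d_home" "$d_key"          # second run must not duplicate
  echo "keys installed: $(count_keys "$d_home")"
  echo "permissions: $(check_ssh_perms "$d_home")"
  chmod 644 "$d_home/.ssh/authorized_keys"   # simulate the classic mistake
  check_ssh_perms "$d_home" || fix_ssh_perms "$d_home"
  echo "after fix: $(check_ssh_perms "$d_home")"
  rm -rf "$d_home"
}

demo
```

The match in `install_pubkey` deliberately ignores the comment field: two copies of the same key with different comments are still the same key, and sshd stops at the first match anyway.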
Verifying It Works
Open a new terminal (keep the old session open) and connect with `ssh user@your-server`. If you're logged in without being prompted for a password, you're done! 🎉 If you set a passphrase, that prompt comes from your local ssh client or ssh-agent, not from the server; a prompt reading `user@your-server's password:` means the key was not used.
Troubleshooting Common Issues
Still Being Asked for Password
Diagnostic checklist:
- Run `ssh -v user@your-server` and look for `Offering public key: ~/.ssh/id_ed25519` followed by `Server accepts key` (good) or `Authentications that can continue: ... password` (the server declined it)
- On the server, read the sshd log (`journalctl -u ssh` or `-u sshd`, or /var/log/auth.log or /var/log/secure); a permissions problem is spelled out there as `Authentication refused: bad ownership or modes for directory ...`
- On the server, `sshd -T | grep -i -e pubkeyauthentication -e authorizedkeysfile` shows the settings sshd is actually using, which may differ from the file you edited
Most common causes and fixes:
| Cause | Fix |
|---|---|
| ~/.ssh not 700 | chmod 700 ~/.ssh |
| authorized_keys not 600 | chmod 600 ~/.ssh/authorized_keys |
| Home directory group- or world-writable | chmod 755 ~ (or at least chmod go-w ~) |
| ~/.ssh or authorized_keys owned by another user (e.g. created as root) | chown -R user:user ~/.ssh |
| PubkeyAuthentication set to no | Change to yes, run sshd -t, then systemctl restart sshd (the unit is named ssh on Debian/Ubuntu) |
| Line breaks or extra spaces in key | Delete and re-paste as a single unbroken line |
| Client offers a different key | ssh -i ~/.ssh/id_ed25519 user@host, or set IdentityFile in ~/.ssh/config |
Disabling Password Login (Optional Hardening)
Once you've confirmed key login works, disable password authentication entirely. Brute-force bots can still connect, but there is nothing left for them to guess. Edit /etc/ssh/sshd_config:
Find and modify these lines: PasswordAuthentication no, KbdInteractiveAuthentication no (spelled ChallengeResponseAuthentication before OpenSSH 8.7; it is a second path that can still prompt for the password through PAM), and PubkeyAuthentication yes. Note that sshd keeps the first value it reads for each keyword, and on recent Debian/Ubuntu and Fedora-family systems an Include line pulls in /etc/ssh/sshd_config.d/*.conf before the rest of the file, so a drop-in such as Ubuntu's 50-cloud-init.conf containing PasswordAuthentication yes silently wins over your edit. Check the effective value with `sshd -T | grep -i passwordauthentication` after saving.
Then validate and restart SSH: `sshd -t` reports syntax errors without touching the running service; follow it with `systemctl restart sshd` (ssh on Debian/Ubuntu). Existing sessions survive a restart.
Confirm key login works BEFORE disabling passwords! Otherwise you'll lock yourself out of your server. Keep your current SSH session open, open a new terminal, and verify key-based login succeeds before making this change, and once more after the restart. Know where your provider's out-of-band console (serial or VNC) is before you start; it is the way back in if something goes wrong.
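An added example (not from the original guide) that covers both the diagnostic step and the check to run before disabling passwords: it resolves the value sshd will actually use for each keyword, honouring the two rules that bite people here (first value wins; Include is expanded where it appears), and audits the hardening settings. The config files it writes are constructed to reproduce the cloud-init override; the file and directory names mirror Ubuntu's layout but live in a scratch directory. On a real host, call `audit_sshd /etc/ssh/sshd_config`, or simply compare against `sshd -T`, which is the authoritative answer.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the settings sshd will
# actually use before you disable passwords. Two sshd rules matter: the first
# value read for a keyword wins, and an Include line is expanded where it
# appears, so a drop-in (Ubuntu's sshd_config.d/50-cloud-init.conf is the classic
# case) can override the line you edited further down. The files written by
# write_demo_config are constructed for this demo.
set -eu
tab=$(printf '\t')

# flatten_config <file>: print the file with Include lines expanded in place
# (patterns are globbed; missing files are skipped, as sshd does).
flatten_config() {
  while IFS= read -r fc_line || [ -n "$fc_line" ]; do
    case $fc_line in
      [Ii]nclude\ *|[Ii]nclude"$tab"*)
        for fc_pat in ${fc_line#[Ii]nclude}; do   # word-split + glob the patterns
          [ -f "$fc_pat" ] && flatten_config "$fc_pat"
        done ;;
      *) printf '%s\n' "$fc_line" ;;
    esac
  done < "$1"
  return 0
}

# effective_value <keyword> <file> [default]: the value sshd takes, i.e. the
# first match after Include expansion, stopping at the first Match block.
# Keyword matching is case-insensitive; "Keyword=value" is accepted too.
effective_value() {
  ev_kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  ev_val=$(flatten_config "$2" | awk -v kw="$ev_kw" '
    { sub(/[ \t]*=[ \t]*/, " "); $0 = $0 }
    NF == 0 || $1 ~ /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == kw { print $2; exit }')
  printf '%s\n' "${ev_val:-${3:-}}"
}

# audit_sshd <file>: one line per setting; returns 1 if any is not hardened.
# Spec format: Keyword:accepted/values:sshd-default-when-unset
audit_sshd() {
  au_file=$1; au_rc=0
  for au_spec in PubkeyAuthentication:yes:yes PasswordAuthentication:no:yes \
                 KbdInteractiveAuthentication:no:yes \
                 PermitRootLogin:no/prohibit-password:prohibit-password; do
    au_kw=${au_spec%%:*}; au_rest=${au_spec#*:}
    au_want=${au_rest%%:*}; au_def=${au_rest#*:}
    au_got=$(effective_value "$au_kw" "$au_file" "$au_def")
    case "/$au_want/" in
      */"$au_got"/*) echo "ok    $au_kw $au_got" ;;
      *) echo "FIX   $au_kw is '$au_got', want $au_want"; au_rc=1 ;;
    esac
  done
  return $au_rc
}

# write_demo_config <dir>: constructed files reproducing the override trap;
# prints the path of the main config.
write_demo_config() {
  wd_dir=$1
  mkdir -p "$wd_dir/sshd_config.d"
  printf 'PasswordAuthentication yes\n' > "$wd_dir/sshd_config.d/50-cloud-init.conf"
  cat > "$wd_dir/sshd_config" <<EOF
# constructed demo config: the Include comes first, as on Ubuntu
Include $wd_dir/sshd_config.d/*.conf
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
EOF
  printf '%s\n' "$wd_dir/sshd_config"
}

demo() {
  d=$(mktemp -d)
  cfg=$(write_demo_config "$d")
  echo "== before: the drop-in wins over the edited main file"
  audit_sshd "$cfg" || true
  # The fix is in the drop-in (edit or delete it), not another line in sshd_config.
  printf 'PasswordAuthentication no\n' > "$d/sshd_config.d/50-cloud-init.conf"
  echo "== after"
  audit_sshd "$cfg"
  rm -rf "$d"
  # On the real host, follow with: sshd -t && systemctl restart sshd   (ssh on Debian/Ubuntu)
}

demo
```

The parser stops at the first Match block on purpose: values inside Match apply only when the condition holds, so anything that matters globally must be set before it. That is also the ordering sshd itself insists on.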
Managing Multiple Servers
When you have several VPS instances, an SSH config file simplifies connections dramatically.
Creating an SSH Config File
Windows: C:\Users\YourName\.ssh\config
Linux/Mac: ~/.ssh/config
Usage
With the config in place, connections become trivially short: `ssh web1` instead of something like `ssh -i ~/.ssh/id_ed25519_work -p 2222 deploy@203.0.113.10` (an illustrative address).
Works with scp and sftp too (`scp app.tar.gz web1:/srv/`), and with anything built on ssh, including rsync and git, since they all read the same file.
Key Management Strategies
Solo Developer
One key pair for everything is perfectly fine, provided it has a passphrase and you load it into ssh-agent. The private key never leaves your laptop, and if that laptop is lost you revoke one public key from every authorized_keys it is in. Keep that list; it is also the list of places you must update when you rotate the key.
When Isolation Matters
When a compromised key needs to have a limited blast radius, generate separate key pairs for different purposes, for example one for personal servers, one for work, and one for CI or deployment. A key used by an automated job lives on a machine you do not fully control and is the one most likely to leak, so it should never also open your personal boxes.
Then specify each in your ~/.ssh/config with IdentityFile, and add IdentitiesOnly yes so the client offers only that key rather than every key in the agent (offering all of them tells each server which other keys you hold and can exhaust the server's MaxAuthTries before the right key is tried):
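An added example of a ~/.ssh/config covering both the multi-server setup above and the per-purpose key isolation (it is not the guide's own file). Host aliases, user names, ports and key file names are assumed for illustration, and 203.0.113.0/24 is a documentation address range. Because ssh keeps the first value it reads for each option, the specific entries come first and the catch-all Host * block last.

```sshconfig
# ~/.ssh/config (added example; names and addresses are placeholders)

# Personal VPS: one key for all of them, matched by a wildcard.
# Offer only this key, not every key in the agent.
Host vps-*
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host vps-web
    HostName 203.0.113.10
    Port 2222

Host vps-db
    HostName 203.0.113.20

# Work servers: a separate key, so a leaked personal key opens nothing here.
Host work-bastion
    HostName bastion.example.com
    User a.smith
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

# Internal host reached through the bastion; it only ever sees the work key.
Host work-app
    HostName 10.0.1.15
    User a.smith
    ProxyJump work-bastion
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

# Deployment key used by scripts; never the same key as an interactive one.
Host deploy-target
    HostName 203.0.113.30
    User deploy
    IdentityFile ~/.ssh/id_ed25519_deploy
    IdentitiesOnly yes

# Defaults for everything above. Placed last because ssh keeps the first
# value it sees, so these only fill in what the blocks above did not set.
Host *
    AddKeysToAgent yes
    ServerAliveInterval 60
```

`ssh -G vps-web` prints the fully resolved configuration for an alias and is the quickest way to confirm which IdentityFile and User a given entry ends up with.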
Wrapping Up
SSH key authentication boils down to three steps:
- Generate a key pair: `ssh-keygen -t ed25519`
- Put the public key on the server: append it to ~/.ssh/authorized_keys
- Fix permissions: .ssh directory 700, authorized_keys file 600
Remember the mental model: public key is the lock, private key is the key. You can install the lock on as many doors as you like (multiple servers), but only you hold the key (never share your private key).
Once configured, you'll enjoy both password-free convenience and dramatically improved security. To go further:
- Disable password login entirely: key-only authentication
- Install fail2ban to block SSH brute-force scanners (with passwords already disabled this mostly trims log noise, which is still worth having)
- Change the default SSH port (22 → something else) to cut scanner traffic; this hides nothing from a targeted attacker and is no substitute for the points above
- Add a passphrase to your key for defense in depth, and use ssh-agent so you type it once per session rather than once per connection