SSH Key Authentication Setup
SSH key authentication replaces password-based login with cryptographic keys, providing stronger security and more convenient access. This guide covers adding your public key to a server, verifying the setup, and optionally disabling password authentication.
Prerequisites
Before setting up key authentication, ensure you have:
- An SSH key pair (public and private key) — see Generating SSH Keys
- SSH access to your server (currently via password)
- Root or sudo access for disabling password authentication
Step 1: Copy Your Public Key to the Server
Method A: ssh-copy-id (Easiest)
On Linux and macOS, use the ssh-copy-id utility:
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@your-server-ipEnter your password when prompted. The utility automatically:
- Creates the
~/.sshdirectory on the server if needed - Sets correct permissions
- Appends your public key to
~/.ssh/authorized_keys
Method B: Manual Copy
If ssh-copy-id is not available (e.g., Windows):
- Display your public key locally:
```
cat ~/.ssh/id_ed25519.pub
```
- Copy the entire output (starts with
ssh-ed25519orssh-rsa) - SSH into your server with your password:
```
ssh username@your-server-ip
```
- Create the
.sshdirectory and authorized_keys file:
```
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```
- Paste your public key into the authorized_keys file:
```
echo "ssh-ed25519 AAAA...your-key-here... [email protected]" >> ~/.ssh/authorized_keys
```
Method C: Via Control Panel
If you use cPanel or DirectAdmin:
- cPanel: Navigate to Security > SSH Access > Manage SSH Keys > Import Key
- DirectAdmin: Navigate to Account Manager > SSH Keys > Add New
Step 2: Test Key Authentication
Open a new terminal window (keep your existing session open as a backup) and connect:
ssh username@your-server-ipIf key authentication is working correctly:
- You will be prompted for your key passphrase (if you set one), NOT your server password
- Or you will be logged in directly if using ssh-agent or no passphrase
Tip: Always test in a new terminal window before disabling password authentication. If key auth fails, you still have your existing session to fix the issue.
Step 3: Disable Password Authentication (Recommended)
Once you have confirmed key authentication works, disable password login for maximum security:
- Open the SSH configuration file:
```
sudo nano /etc/ssh/sshd_config
```
- Find and modify these settings:
```
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
```
- Ensure public key authentication is enabled:
```
PubkeyAuthentication yes
```
- Save the file and restart SSH:
```
sudo systemctl restart sshd
```
Tip: Before restarting SSH, open a second SSH session. If the configuration has an error, your second session lets you fix it without being locked out.
Managing Multiple Keys
You can add multiple public keys to authorized_keys — one per line. This allows different devices or team members to access the server:
ssh-ed25519 AAAA... user1@laptop
ssh-ed25519 AAAA... user1@desktop
ssh-ed25519 AAAA... user2@laptopTo revoke access for a specific key, simply remove its line from the file.
SSH Config File for Convenience
Create or edit ~/.ssh/config on your local machine to simplify connections:
Host myserver
HostName your-server-ip
User username
IdentityFile ~/.ssh/id_ed25519
Port 22Now connect with just:
ssh myserverTroubleshooting
Still Being Asked for Password
- Check permissions on the server:
```
ls -la ~/.ssh/
```
- .ssh directory: drwx------ (700)
- authorized_keys: -rw------- (600)
- Home directory: must not be writable by group/others
- Check SSH server configuration:
```
sudo grep -i pubkey /etc/ssh/sshd_config
```
Ensure PubkeyAuthentication yes is set.
- Check the SSH log for errors:
```
sudo tail -50 /var/log/auth.log # Ubuntu/Debian
sudo tail -50 /var/log/secure # AlmaLinux/Rocky
```
Locked Out After Disabling Passwords
- Access your server via the VNC/noVNC console in your client portal
- Log in as root via the console
- Re-enable password authentication in
/etc/ssh/sshd_config - Restart sshd and fix your key setup
Key Authentication Works for Root but Not User
- The user's home directory must be owned by that user
- Check AuthorizedKeysFile in sshd_config — default is
%h/.ssh/authorized_keys - SELinux may be blocking access:
restorecon -Rv ~/.ssh
Related Articles
Need help with SSH key authentication? Contact our support team at {{SUPPORT_EMAIL}} or open a ticket at {{SUPPORT_URL}}.