Secure Shell (SSH) is one of the most widely used tools for securely managing and accessing remote systems. Instead of relying on traditional password-based authentication, which is less secure and prone to brute-force attacks, system administrators often configure SSH key-based authentication for better security, scalability, and automation.

This guide explains how to generate SSH keys using ssh-keygen, copy them securely to a remote server using ssh-copy-id, verify the configuration, and follow security best practices.

Understanding SSH Key-Based Authentication

With SSH keys, authentication happens using a public-private key pair:

  • Private Key (id_rsa) → Stays on your local machine and must be protected.
  • Public Key (id_rsa.pub) → Placed on the remote server under ~/.ssh/authorized_keys.
  • When connecting, SSH uses public-key cryptography to authenticate you automatically without exposing passwords.

This method is more secure and more convenient, especially for developers, sysadmins, and automated deployments.

Generating SSH Keys with ssh-keygen

Run the following command to generate a new SSH key pair:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Options explained:

  • -t rsa → Specifies the encryption algorithm (RSA).
  • -b 4096 → Uses a 4096-bit key for stronger encryption (recommended).
  • -C → Adds a comment to identify the key, usually your email or username.

Interactive prompts:

  • File to save the key → Press Enter to accept the default:
    ~/.ssh/id_rsa

  • Passphrase (optional but recommended) → Adds an extra layer of security.
    If set, you’ll need to enter it when using the private key.

 Copying the Public Key to a Remote Server (ssh-copy-id)

Once the keys are generated, use ssh-copy-id to transfer your public key to the remote server:

ssh-copy-id user@remote-server
  • user → Username on the remote server.
  • remote-server → Hostname or IP address of the remote machine.

This command:

  • Appends your public key (id_rsa.pub) to the server’s:

    ~/.ssh/authorized_keys
  • Automatically sets correct permissions for the .ssh directory and key file.

Alternative Method (Manual Setup)

If ssh-copy-id isn’t available, you can manually copy the key:

cat ~/.ssh/id_rsa.pub | ssh user@remote-server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

This command:

  • Creates the .ssh directory if missing.
  • Appends your public key.
  • Sets secure permissions.

Verifying SSH Key Authentication

To confirm everything works:

ssh user@remote-server
  • If configured correctly, you should log in without entering a password.

  • If a passphrase was set, you’ll be prompted for it instead.

Security Best Practices

a) Use Strong Encryption

  • Prefer RSA 4096 or Ed25519:

    ssh-keygen -t ed25519 -C "your_email@example.com"
  • Ed25519 keys are smaller, faster, and more secure.

b) Restrict Permissions on Key Files

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

SSH will refuse to use keys if permissions are too open.

c) Disable Password Authentication (Optional, Recommended)

On the remote server, edit:

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no

ChallengeResponseAuthentication no
UsePAM yes

Then restart SSH:

sudo systemctl restart ssh

d) Use SSH Agent for Passphrase Management

Instead of typing your passphrase every time, use ssh-agent:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

This caches your key for the session.

Troubleshooting Common Issues

ProblemPossible CauseSolution
Still asks for a passwordWrong permissions or missing keyCheck ~/.ssh perms and authorized_keys
“Permission denied” errorWrong username or IPConfirm correct login credentials
ssh-copy-id not foundUtility missingInstall via: sudo apt install openssh-client
Key ignoredToo-permissive file permissionsRun chmod 600 ~/.ssh/id_rsa

Conclusion

Using ssh-keygen and ssh-copy-id enhances security and convenience when managing remote servers. By configuring SSH key authentication, administrators can eliminate the risks associated with password-based logins while streamlining secure access.