How and Why use ssh-copy-id & ssh-keygen commands in Linux ⋆ AVA.HOSTING

Secure Shell (SSH) is one of the most widely used tools for securely managing and accessing remote systems. Instead of relying on traditional password-based authentication, which is less secure and prone to brute-force attacks, system administrators often configure SSH key-based authentication for better security, scalability, and automation.

This guide explains how to generate SSH keys using ssh-keygen, copy them securely to a remote server using ssh-copy-id, verify the configuration, and follow security best practices.

Understanding SSH Key-Based Authentication

With SSH keys, authentication happens using a public-private key pair:

Private Key (id_rsa) → Stays on your local machine and must be protected.
Public Key (id_rsa.pub) → Placed on the remote server under ~/.ssh/authorized_keys.
When connecting, SSH uses public-key cryptography to authenticate you automatically without exposing passwords.

This method is more secure and more convenient, especially for developers, sysadmins, and automated deployments.

Generating SSH Keys with ssh-keygen

Run the following command to generate a new SSH key pair:

Options explained:

-t rsa → Specifies the encryption algorithm (RSA).
-b 4096 → Uses a 4096-bit key for stronger encryption (recommended).
-C → Adds a comment to identify the key, usually your email or username.

Interactive prompts:

File to save the key → Press Enter to accept the default:
~/.ssh/id_rsa
Passphrase (optional but recommended) → Adds an extra layer of security.
If set, you’ll need to enter it when using the private key.

Copying the Public Key to a Remote Server (ssh-copy-id)

Once the keys are generated, use ssh-copy-id to transfer your public key to the remote server:

user → Username on the remote server.
remote-server → Hostname or IP address of the remote machine.

This command:

Appends your public key (id_rsa.pub) to the server’s:
~/.ssh/authorized_keys
Automatically sets correct permissions for the .ssh directory and key file.

Alternative Method (Manual Setup)

If ssh-copy-id isn’t available, you can manually copy the key:

This command:

Creates the .ssh directory if missing.
Appends your public key.
Sets secure permissions.

Verifying SSH Key Authentication

To confirm everything works:

If configured correctly, you should log in without entering a password.
If a passphrase was set, you’ll be prompted for it instead.

Security Best Practices

a) Use Strong Encryption

Prefer RSA 4096 or Ed25519:
ssh-keygen -t ed25519 -C "your_email@example.com"
Ed25519 keys are smaller, faster, and more secure.

b) Restrict Permissions on Key Files

SSH will refuse to use keys if permissions are too open.

c) Disable Password Authentication (Optional, Recommended)

On the remote server, edit:

Set:

Then restart SSH:

d) Use SSH Agent for Passphrase Management

Instead of typing your passphrase every time, use ssh-agent:

This caches your key for the session.

Troubleshooting Common Issues

Problem	Possible Cause	Solution
Still asks for a password	Wrong permissions or missing key	Check ~/.ssh perms and authorized_keys
“Permission denied” error	Wrong username or IP	Confirm correct login credentials
ssh-copy-id not found	Utility missing	Install via: sudo apt install openssh-client
Key ignored	Too-permissive file permissions	Run chmod 600 ~/.ssh/id_rsa

Conclusion

Using ssh-keygen and ssh-copy-id enhances security and convenience when managing remote servers. By configuring SSH key authentication, administrators can eliminate the risks associated with password-based logins while streamlining secure access.

How and Why use ssh-copy-id & ssh-keygen commands in Linux