What Are SSH
Keys and How Do They Work?
SSH servers can authenticate users in multiple ways, with password-based
login being the simplest, yet least secure. While passwords are transmitted in a protected
manner, they often lack the complexity needed to defend against brute-force attacks.
Automated tools can easily crack weak credentials, posing a major risk.
In contrast, SSH key authentication is significantly more secure.
An SSH key pair consists of:
| Private key | Stored securely on your local machine. This must be
kept secret. |
|---|
| Public key | Uploaded to the server, and safe to share. |
|---|
When you try to connect to a remote server, the SSH protocol uses this
key pair to verify your identity. If the server confirms that the private key matches the
stored public key, you’re granted access — no password needed. The public key is placed
inside the user's home directory on the server, specifically in the
~/.ssh/authorized_keys file. When you initiate a connection, the server checks
whether your machine holds the correct private key. If validated, the connection is
established securely.
To add an extra layer of protection, the private key can also be
encrypted on your device with a passphrase. This means even if someone gets hold of your
private key, they still need the passphrase to use it.
Step 1 : Generate SSH Key Pair on Your
Local Machine
To begin securing access to your Linux server with SSH key
authentication, your first task is to generate a new SSH key pair directly on your local
system.
This can be easily done using the ssh-keygen tool, which comes bundled with most Linux
distributions as part of the OpenSSH package. Unless specified otherwise, this utility will
generate a 3072-bit RSA key pair, which is a robust standard for secure authentication.
Open your terminal and run:
You’ll see output similar to:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/your-username/.ssh/id_rsa):
By default, the system suggests saving your new keys in the
~/.ssh/ directory under your home folder. The private key will be saved as
id_rsa, and the corresponding public key will be id_rsa.pub.
Pro Tip from ServerMO:
Stick with the default location unless you have a specific reason not to. This allows
your SSH client to automatically locate your keys when connecting to remote servers.
If you already have an SSH key with the same name, you’ll be prompted
like this:
/home/your-username/.ssh/id_rsa already exists.
Overwrite (y/n)?
Warning:
Overwriting an existing key pair will make the old private key unusable, which means
you’ll lose access to any servers that relied on it unless you’ve added the new public
key beforehand. Only confirm overwrite if you're certain.
The tool may also output:
Created directory '/home/your-username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Finally, you’ll have the option to secure your private key with a
passphrase. This step is optional but recommended. A passphrase encrypts your private key
locally, adding another layer of protection in case your machine is compromised.
Note:
You can leave it blank if you want quicker logins, but for high-security environments
(like production servers hosted on ServerMO infrastructure), adding a passphrase is a
smart move.
Why Use an SSH Key with a Passphrase?
At this point, you might be asking yourself, “If I still need to type a
passphrase, what’s the real benefit of using SSH keys?”
It’s a great question, and here’s why SSH keys, even with a passphrase, offer superior
security compared to traditional passwords:
1. Your Private Key Never Leaves Your Machine
The private SSH key, which can be optionally protected with a
passphrase, never travels over the network. Instead, the SSH protocol uses cryptographic
methods to verify your identity. Since the private key is decrypted locally and never sent
out, brute-force attacks over the network become impossible, even if someone is sniffing
traffic.
2. Access is Restricted by Permissions
By default, private SSH keys must be stored in a secure directory,
typically ~/.ssh/, and with strict file permissions (600 or owner-only read/write). SSH
clients are smart enough to ignore insecure private keys, making unauthorized snooping by
other local users extremely difficult.
3. Attacker Must Already Have System Access
If someone wants to crack your SSH passphrase, they already need access
to your device or server — a major escalation from remote attacks. Even in this case, the
passphrase acts as a final defense wall, giving you a small but crucial window to rotate
your keys and revoke the compromised one before more damage is done.
4. Passphrase = Extra Security Layer
The passphrase doesn’t replace the private key — it adds an extra layer
of protection in case your private key is somehow leaked or stolen. When used correctly,
this offers a defense-in-depth approach, which is a cornerstone of modern Linux server
security.
Note:
If you're using an SSH agent like ssh-agent, you can unlock your key once per session and
avoid re-entering the passphrase each time — a great balance between security and
convenience.
When you finish creating the key pair, you’ll see output like:
Your identification has been saved in
/home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CAjsV9M/tt5skazroTc1ZRGCBz+kGtYUIPhRvvZJYBs username@hostname
The key's randomart image is:
+---[RSA 3072]----+
|o ..oo.++o .. |
| o o +o.o.+... |
|. . + oE.o.o . |
| . . oo.B+ .o |
| . .=S.+ + |
| . o..* |
| .+= o |
| .=.+ |
| .oo+ |
+----[SHA256]-----+
Congratulations — you now have a fully functional public/private SSH key
pair on your local machine.
Step 2 : Uploading Your SSH Public Key to
Your ServerMO Server
Before you can enjoy passwordless SSH logins, you’ll need to upload your
public SSH key to your remote server. There are a few different ways to do this, and the
best option depends on your system setup and available tools.
Whether you're using an automated method like ssh-copy-id, a traditional SSH command, or
copying it manually, all approaches have the same end goal: store your public key in the
~/.ssh/authorized_keys file on your remote ServerMO server.
Let’s walk through each method in detail.
Option 1: Copy Your Key Using ssh-copy-id (Recommended)
The easiest and most automated way to copy your public key to a remote
server is using the ssh-copy-id utility. It’s often pre-installed on most Linux systems
(part of the OpenSSH packages).
Requirements:- You must have password-based SSH access
- The utility must be available on your local machine
ssh-copy-id username@your_server_ip
- username with your SSH login (commonly root)
- your_server_ip with your ServerMO server’s IP address
First-Time Connection Message:
You may see this prompt when connecting to a new server:
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be
established.
Are you sure you want to continue connecting (yes/no)? yes
Type yes and press ENTER.
Enter your SSH password (input will be hidden for security). After
verification, the utility will automatically:
- Locate your public key (~/.ssh/id_rsa.pub)
- Create the .ssh directory if it doesn’t exist
- Append your key to the authorized_keys file on the remote server
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '
[email protected]'"
Congratulations! Your key is now installed and ready to use.
Option 2: Copying Your Key via Standard SSH Command
If ssh-copy-id isn’t available, you can upload your key manually using a
one-liner that utilizes SSH and shell redirection.
cat ~/.ssh/id_rsa.pub | ssh username@your_server_ip "mkdir -p
~/.ssh && cat >>
~/.ssh/authorized_keys"
This command:
- Displays your public key
- Connects to the server via SSH
- Ensures the .ssh directory exists
- Appends your key to authorized_keys without overwriting other keys
Just Like Before:
- You’ll be prompted to confirm authenticity and enter your password.
- Once authenticated, your key will be securely added to the server.
Option 3: Manually Upload Your Public Key
If you don’t have direct SSH access with a password (e.g., your server
is in recovery mode or accessed via a web console), you can manually copy and paste your
public key.
Step 1: Show Your Public Key (Local Machine)
You’ll see output like this:
ssh-rsa AAAAB3... user@your-pc
Copy the entire key string to your clipboard.
Step 2: Access Remote Server Console
Use your hosting provider’s web-based console or direct terminal access
to log into your ServerMO server.
Step 3: Prepare the .ssh Directory
Step 4: Paste the Public Key
Run the following command on the remote server:
echo "your_copied_ssh_key_here" >> ~/.ssh/authorized_keys
Be sure to replace the placeholder with the full key you copied earlier
(it usually starts with ssh-rsa or ssh-ed25519)
Final Step: Test Your SSH Key Login
From your local system, try logging into your server:
ssh username@your_server_ip
If everything is set up correctly, you’ll connect without being asked
for a password.
ServerMO Security Tip:
We always recommend setting strict permissions after uploading SSH keys.
On your server, run:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
This ensures only the appropriate user can access your SSH
configurations.
Step 3 : Logging Into Your Server Using SSH Keys
Once your public SSH key has been successfully copied to your server
using any of the previous methods, you’re ready to log in securely, without a password.
Step 3 : Logging Into Your Server Using SSH Keys
Open your terminal and use the following SSH command to initiate the
login:
ssh username@your_server_ip
Note:
Tip from ServerMO: Replace username with the actual user account on the remote server and
your_server_ip with your server’s IP address or domain name.
If this is your first time connecting to the server, you may see a
message like this:
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be
established.
ECDSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)?
This simply means your local system hasn't seen this server before. Type
yes and press ENTER to continue.
Successful Key-Based Authentication
- If your private key has no passphrase, you’ll be logged in immediately.
- If you set a passphrase when generating your SSH key, you’ll be prompted to enter it now
for verification.
Once authenticated, your terminal will open a secure shell session with
your server. Now that SSH key authentication is working, it's time to take your server's
security a step further.
Step 4 : Securing Your Server by Disabling Password-Based SSH
Login
While you now have secure SSH key access, password authentication is
still active by default, which leaves your server open to brute-force attacks. Disabling it
locks down unauthorized login attempts.
Important: Before You Proceed
Make absolutely sure:- SSH key-based login works flawlessly.
- You have access to a user with sudo privileges.
- You’re not locked out after disabling password login.
Once confirmed, let’s proceed.
1. Log Into Your Server via SSH
Use your SSH key to connect:
ssh username@your_server_ip
2. Edit the SSH Configuration File
Use your favorite text editor to modify the SSH daemon config file:
sudo nano /etc/ssh/sshd_config
Locate the line that says #PasswordAuthentication yes and change it to:
PasswordAuthentication no
If the line is commented out (starts with #), remove the # to uncomment
it.
Information:
ServerMO Tip: This change tells your SSH server to reject any password-based login
attempts, further hardening your system.
3. Save and Restart the SSH Service
To apply the change, restart the SSH daemon:
sudo systemctl restart ssh
Congratulations! Your ServerMO-hosted machine now accepts only key-based
authentication, blocking password attacks at the gate.
