How to Use SSH Key Authentication

Secure your server by requiring SSH keys for remote logins

by Jack Wallen
Updated on March 17, 2020

Normally, when you log into a remote server with SSH, you do so using a username and password combination. However, a password is limited to the length you can remember or are willing to type. With SSH key authentication, you log in with a key pair whose private key is protected by a passphrase, which gives you more secure credentials than are practical with a standard password. The cryptographic strength of an SSH key goes beyond what a standard password can match.

Generate Your SSH Key

Open a terminal window on the client machine you plan to use to log in to your server, then issue the command:

    ssh-keygen

Next, you're prompted to enter a filename for your new key. It's recommended that you accept the default (~/.ssh/id_rsa). Then, select and verify a passphrase. Make this passphrase a strong one. When the command completes, your key is ready to use.

Copy Your Key to the Server

Use SSH to copy your public key to the remote server. Issue the command:

    ssh-copy-id USER@SERVER_IP

Where USER is the username, and SERVER_IP is the IP address of the server you want to log in to. You're prompted for the USER password. After you successfully authenticate, the public key is copied to the server and you can log in to the server in the normal way. Because the client you are logging in from holds the private key that matches the public key now on the server, you'll be logged in.

Repeat this process on every client machine that needs to SSH into the server.

Lock It Down

It's considered a best security practice to disable password authentication into servers, relying solely on SSH key authentication. Modify the SSH daemon configuration accordingly.
Open the configuration file by executing:

    sudo nano /etc/ssh/sshd_config

In that file, look for the line:

    #PasswordAuthentication yes

Uncomment the line by removing the hash character (#), then change yes to no. Next, look for the line:

    #PubkeyAuthentication yes

Uncomment that line as well. Save and close the file. Restart the SSH daemon with the command:

    sudo systemctl restart sshd

Now, if you attempt to SSH into that server from any client that does not hold a matching SSH key, you will be denied access.

Where Is the SSH Key Stored?

Log onto the server to which you copied your keys. Issue the command:

    less ~/.ssh/authorized_keys

You'll see all of the keys you sent from clients (using the ssh-copy-id command). To revoke SSH key authentication from a particular client, delete the lines that correspond with the client's hostname (the hostname is the last bit of information on each key line).
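The following check for the Lock It Down edits is an added example, not part of the original article. sshd ignores commented lines and keeps the first value it reads for each keyword, so an earlier PasswordAuthentication yes line silently wins over the one you changed. The function names are hypothetical, and the script assumes a single file: Include directives and Match blocks are not followed.

```shell
#!/bin/sh
# Added example: report the value sshd would take from one config file.
# Assumptions: global section only; Include files and Match blocks are not
# evaluated here. `sudo sshd -T` prints the full effective configuration.

effective_setting() {   # usage: effective_setting FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        /^[ \t]*(#|$)/ { next }                  # commented or blank: ignored
        { gsub(/[="]/, " "); key = tolower($1) } # accept Keyword=value and quotes
        key == "match" { exit }                  # global section ends at first Match
        key == want { val = tolower($2); exit }  # first occurrence wins
        END { print val }
    ' "$1"
}

audit_key_only() {      # usage: audit_key_only FILE ; returns 0 when key-only
    # OpenSSH defaults both keywords to yes when they are absent or commented.
    pw=$(effective_setting "$1" PasswordAuthentication yes)
    pk=$(effective_setting "$1" PubkeyAuthentication yes)
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}

# Constructed sample, not a real server's file: the edited line comes second,
# so the earlier "yes" is the value sshd uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
#PubkeyAuthentication yes
PasswordAuthentication no
EOF
audit_key_only "$sample" || echo "FAIL: password logins are still accepted"
rm -f "$sample"
```

On a real server, point audit_key_only at /etc/ssh/sshd_config, run sudo sshd -t to catch syntax errors before restarting the daemon, and keep your current session open until a new key-based login succeeds.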