Understanding SSH Keys: Secure Server Access Without Passwords

October 17, 2025 Falcon Internet Team 12 views
Understanding SSH Keys: Secure Server Access Without Passwords
Security Tutorials

Introduction: Why SSH Keys Matter

If you manage a VPS or dedicated server, you're probably familiar with logging in via SSH using a password. But did you know there's a more secure method that eliminates passwords entirely?

SSH keys provide cryptographic authentication that's virtually impossible to brute-force. Unlike passwords, which can be guessed or stolen, SSH keys use public-key cryptography to verify your identity. They're more secure, more convenient, and considered best practice for server administration.

In this guide, you'll learn:

  • What SSH keys are and how they work
  • How to generate SSH key pairs on any operating system
  • Installing your public key on servers
  • Managing multiple keys for different servers
  • Best practices for SSH key security
  • Troubleshooting common issues

What Are SSH Keys?

Public-Key Cryptography Basics

SSH keys use asymmetric cryptography, which means you have two mathematically related keys:

  • Private key: Kept secret on your computer, never shared
  • Public key: Placed on servers you want to access, can be shared freely

Think of it like a lock and key system:

  • Your public key is the lock—you can install it on many servers
  • Your private key is the key—only you have it, and it opens all those locks

When you connect to a server:

  1. Server sends a challenge encrypted with your public key
  2. Your computer decrypts it with your private key
  3. Server verifies the response and grants access

This happens in milliseconds and requires no password entry.

SSH Keys vs Passwords

Feature SSH Keys Passwords
Security Extremely secure (2048-4096 bit encryption) Vulnerable to brute-force attacks
Convenience Automatic login, no typing Must type password each time
Brute-force Computationally infeasible Susceptible to automated attacks
Phishing Immune to phishing Can be stolen via phishing
Setup One-time configuration Immediate use

Generating SSH Keys

On Linux and macOS

Both Linux and macOS come with SSH tools built-in. Open your terminal and run:

# Generate a new SSH key pair
ssh-keygen -t ed25519 -C "your_email@example.com"

# Or for maximum compatibility (older servers):
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

What these options mean:

  • -t ed25519: Key type (Ed25519 is modern, secure, and fast)
  • -t rsa -b 4096: Alternative using RSA with 4096-bit key
  • -C "email": Comment to identify the key (optional but helpful)

You'll see prompts like this:

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/username/.ssh/id_ed25519):

Press Enter to accept the default location, or specify a custom path.

Enter passphrase (empty for no passphrase):

Passphrase recommendation: Use a strong passphrase for extra security. This encrypts your private key, so even if someone steals the file, they can't use it without the passphrase.

Your keys are now generated:

  • Private key: ~/.ssh/id_ed25519 (never share this!)
  • Public key: ~/.ssh/id_ed25519.pub (safe to share)

On Windows

Option 1: Using PowerShell (Windows 10/11)

Modern Windows includes OpenSSH. Open PowerShell and run:

ssh-keygen -t ed25519 -C "your_email@example.com"

Keys will be saved to: C:UsersYourUsername.ssh

Option 2: Using PuTTYgen

  1. Download and install PuTTY
  2. Run PuTTYgen (included with PuTTY)
  3. Select "EdDSA" or "RSA" (4096 bits)
  4. Click "Generate" and move your mouse to create randomness
  5. Add a passphrase for security
  6. Save both private key (.ppk) and public key

Note: PuTTY uses a different format. To use with OpenSSH servers, export as "OpenSSH key".

Viewing Your Public Key

To see your public key contents:

# Linux/macOS:
cat ~/.ssh/id_ed25519.pub

# Windows PowerShell:
type C:UsersYourUsername.sshid_ed25519.pub

You'll see something like:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl your_email@example.com

Installing Your Public Key on Servers

Method 1: Using ssh-copy-id (Easiest)

If you're on Linux or macOS, this is the simplest method:

ssh-copy-id username@server.example.com

Enter your password one last time, and your public key will be installed automatically.

Method 2: Manual Installation

If ssh-copy-id isn't available, do it manually:

Step 1: Copy your public key to clipboard

# Linux (with xclip):
cat ~/.ssh/id_ed25519.pub | xclip -selection clipboard

# macOS:
cat ~/.ssh/id_ed25519.pub | pbcopy

# Windows PowerShell:
type C:UsersYourUsername.sshid_ed25519.pub | clip

Step 2: Log into your server with password:

ssh username@server.example.com

Step 3: Add your public key to authorized_keys:

# Create .ssh directory if it doesn't exist
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Add your public key (paste the key you copied)
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... your_email@example.com" >> ~/.ssh/authorized_keys

# Set correct permissions
chmod 600 ~/.ssh/authorized_keys

Important: Permissions must be correct or SSH will refuse to use the key for security reasons.

Method 3: Via Control Panel

Many hosting control panels (including InterWorx) provide SSH key management:

  1. Log into your hosting control panel
  2. Navigate to SSH Key Management or Security section
  3. Paste your public key
  4. Click "Add Key" or "Install"

Check your hosting provider documentation for specific instructions.

Testing Your SSH Key

Now test your key-based authentication:

ssh username@server.example.com

If configured correctly, you'll connect without entering your password (though you may need to enter your key passphrase if you set one).

Troubleshooting: If it still asks for password:

# Check what's happening with verbose mode:
ssh -v username@server.example.com

Look for lines about key authentication. Common issues:

  • Wrong permissions on ~/.ssh or authorized_keys
  • SELinux blocking access (rare)
  • Server not configured to allow key authentication

Managing Multiple SSH Keys

Different Keys for Different Servers

You might want separate keys for work, personal projects, or different clients. Use SSH config file:

# Create/edit ~/.ssh/config
nano ~/.ssh/config

Add entries like this:

# Work VPS
Host work-server
    HostName work.example.com
    User admin
    IdentityFile ~/.ssh/id_work
    Port 22

# Personal server
Host personal
    HostName personal.example.com
    User myuser
    IdentityFile ~/.ssh/id_personal
    Port 2222

# Falcon Internet VPS
Host falcon-vps
    HostName 123.45.67.89
    User root
    IdentityFile ~/.ssh/id_falcon

Now you can connect with simple commands:

ssh work-server
ssh personal
ssh falcon-vps

SSH Agent for Passphrase Management

If you used passphrases (recommended), use ssh-agent to avoid typing them repeatedly:

# Start ssh-agent (usually starts automatically)
eval "$(ssh-agent -s)"

# Add your key
ssh-add ~/.ssh/id_ed25519

# Add all keys:
ssh-add

On macOS, you can store passphrases in Keychain:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

Security Best Practices

1. Always Use a Passphrase

Encrypt your private key with a strong passphrase. If your computer is compromised, the attacker still can't use your key.

2. Protect Your Private Key

  • Never share your private key with anyone, ever
  • Never upload it to cloud storage, GitHub, etc.
  • Back it up securely (encrypted USB drive, password manager)
  • Use correct permissions: chmod 600 ~/.ssh/id_ed25519

3. Disable Password Authentication

Once SSH keys work, disable password login on your server for maximum security:

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Change these settings:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password

# Restart SSH
sudo systemctl restart sshd

Warning: Test SSH key access first! Don't lock yourself out.

4. Use Ed25519 Keys

Ed25519 keys are modern, fast, and secure. They're smaller than RSA keys and considered more secure for equivalent key sizes.

Use RSA 4096-bit only if connecting to older servers that don't support Ed25519.

5. Rotate Keys Periodically

Generate new keys every 1-2 years, especially if:

  • You suspect compromise
  • You've left a company or project
  • Your computer was compromised

6. Use Different Keys for Different Purposes

Don't use the same key for:

  • Production servers and development servers
  • Work and personal projects
  • Different clients or companies

Separate keys limit damage if one is compromised.

7. Remove Old Keys

Periodically audit authorized_keys files on your servers:

cat ~/.ssh/authorized_keys

Remove keys for:

  • Former employees
  • Old computers you no longer use
  • Contractors whose projects ended

Advanced: SSH Key Types Compared

Algorithm Security Speed Compatibility Recommendation
Ed25519 Excellent Very Fast Modern systems ✓ Best choice
RSA 4096 Excellent Slower Universal ✓ For older systems
RSA 2048 Good Fast Universal ⚠ Minimum acceptable
ECDSA Good Fast Modern systems ⚠ Use Ed25519 instead
DSA Weak Fast Legacy ❌ Deprecated

Troubleshooting Common Issues

Issue: Still Asks for Password

Causes:

  • Wrong permissions on files
  • Public key not in authorized_keys
  • Server doesn't allow key authentication

Solutions:

# On server, check permissions:
ls -la ~/.ssh
# Should show: drwx------ (700) for .ssh directory
# Should show: -rw------- (600) for authorized_keys

# Fix permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# Check if server allows key auth:
sudo grep -i pubkey /etc/ssh/sshd_config
# Should show: PubkeyAuthentication yes

Issue: "Permission Denied (publickey)"

Cause: Server configured for key-only auth, but your key isn't recognized.

Solutions:

# Try with verbose output:
ssh -v username@server.example.com

# Specify key explicitly:
ssh -i ~/.ssh/id_ed25519 username@server.example.com

# Check if correct key is offered:
ssh-add -l

Issue: "Too Many Authentication Failures"

Cause: ssh-agent offering too many keys.

Solution:

# Specify exact key to use:
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 username@server.example.com

# Or in ~/.ssh/config:
Host myserver
    IdentitiesOnly yes
    IdentityFile ~/.ssh/specific_key

SSH Keys for Automation and Scripts

SSH keys are essential for automation:

  • Automated backups: Scripts connecting to remote servers
  • Deployment pipelines: CI/CD systems deploying code
  • Monitoring: Systems checking server status
  • Configuration management: Ansible, Puppet, Chef

For automation, generate dedicated keys without passphrases (acceptable since they're used by systems, not humans). Store them securely and limit their access.

Conclusion

SSH keys are the gold standard for server authentication. They provide:

  • Superior security compared to passwords
  • Convenience with automatic login
  • Scalability for managing multiple servers
  • Automation capabilities for scripts and tools

Quick recap:

  1. Generate key pair: ssh-keygen -t ed25519
  2. Install public key on server: ssh-copy-id user@server
  3. Test connection: ssh user@server
  4. Disable password auth for maximum security

All Falcon Internet VPS and Virtual Private Cloud servers support SSH key authentication out of the box. Need help setting up secure server access? Contact our team for assistance.

Ready to put your new SSH skills to use? Check out our guide on securing your Linux server for more security best practices.

Tags

#Security #Tutorial #Linux #SSH #Server Management

Share this article

Twitter Facebook LinkedIn

Related Articles