
Configure SSH key authentication

Generate ed25519 keys, copy to server, disable password auth and manage multiple keys.


Why use SSH keys?

SSH keys are more secure than passwords:

  • Virtually impossible to brute-force
  • The private key is never transmitted over the network
  • Allow passwordless access
  • Can be revoked individually

Step 1: Generate ed25519 keys

bash
ssh-keygen -t ed25519 -C "your-email@example.com"

Press Enter to accept the default path, then enter a strong passphrase.

Generated files:

  • ~/.ssh/id_ed25519 → private key (never share)
  • ~/.ssh/id_ed25519.pub → public key (goes to server)

Step 2: Copy to server

bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server

Manual method:

bash
# On the server
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo 'YOUR_PUBLIC_KEY' >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Step 3: Disable password authentication

Edit /etc/ssh/sshd_config:

terminal
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

Restart the SSH service to apply the changes:

bash
sudo systemctl restart sshd
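
sshd uses the first value it reads for each keyword, so a hardening line appended below an earlier "PasswordAuthentication yes" changes nothing. The check below is an added example, not part of the original guide; the function names and the sample config are constructed for illustration, and it reads one file's global section only.

```bash
# Added example (not from the original guide). Include files and Keyword=value
# syntax are not handled; on a live host, compare with `sudo sshd -T` output.

# effective_value FILE KEYWORD: value sshd takes from FILE's global section.
# Keywords are case-insensitive and the FIRST occurrence wins.
effective_value() {
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    { key = tolower($1) }
    key == "match" { exit }                  # Match blocks are conditional: stop
    key == want { print tolower($2); exit }  # first occurrence wins
  ' "$1"
}

# audit_sshd_config FILE: returns 0 only if the three settings from Step 3
# are explicitly set and effective; an unset keyword is reported as a failure.
audit_sshd_config() {
  local file=$1 rc=0 kw want got
  while read -r kw want; do
    got=$(effective_value "$file" "$kw")
    if [ "$got" = "$want" ]; then
      echo "ok    $kw $got"
    else
      echo "FAIL  $kw is '${got:-unset}', expected '$want'"
      rc=1
    fi
  done <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF
  return "$rc"
}

# Constructed sample: "PasswordAuthentication no" was appended at the end,
# but an earlier lowercase "yes" line is the one sshd uses.
sample_config() {
  printf '%s\n' \
    'passwordauthentication yes' \
    'PubkeyAuthentication yes' \
    'ChallengeResponseAuthentication no' \
    'PasswordAuthentication no' \
    'Match User backup' \
    '  PasswordAuthentication yes'
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "password login is still enabled"
rm -f "$tmp"
```

Keep an existing SSH session open while testing a new login, so a mistake in the file does not lock you out.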

SSH Agent

bash
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

Multiple keys for different servers

Create ~/.ssh/config:

terminal
Host production
  HostName 203.0.113.10
  User deploy
  IdentityFile ~/.ssh/id_ed25519_prod
  Port 2222

Host staging
  HostName 203.0.113.20
  User deploy
  IdentityFile ~/.ssh/id_ed25519_staging

Connect with: ssh production

Key rotation

Every 6-12 months:

  1. Generate a new key pair
  2. Add the new public key to the server
  3. Verify it works
  4. Remove the old key from authorized_keys
  5. Delete old key files locally

Recommendations

  • Always use ed25519 (more secure and faster than RSA)
  • Protect private keys with a passphrase
  • Never push private keys to repositories
  • Use different keys for different services
  • Periodically review authorized_keys
