Add-SSH-Key-AUTH-to-your-server

You can set up key-only SSH login from two client machines by adding both public keys to the user's authorized_keys file on the server, and then editing the SSH configuration file to disable password logins.

⚠️ Important: Before you disable password authentication, you must confirm that you can successfully log in with at least one SSH key. If you don't, you will lock yourself out of your server.

Step 1: Generate SSH Keys on Your Client Machines

You need two separate key pairs. You will perform this step on each of your two client machines (let's call them Client A and Client B).

  1. Open a terminal on Client Machine A.
  2. Run the following command to generate a modern and secure Ed25519 key.
    ssh-keygen -t ed25519
  3. Press Enter to accept the default file location (~/.ssh/id_ed25519).
  4. Enter a strong passphrase when prompted. This passphrase protects your private key and is highly recommended.
  5. Repeat these same steps on Client Machine B. This will create a second, unique key pair.

Step 2: Add Both Public Keys to the Server

The easiest and safest way to copy your public keys to the server is using the ssh-copy-id command.

  1. From Client Machine A, run this command, replacing user and your_server_ip with your details. It will ask for your user's password one last time.
    ssh-copy-id user@your_server_ip
  2. Now, from Client Machine B, run the exact same command.
    ssh-copy-id user@your_server_ip

This utility automatically finds the correct file on the server (~/.ssh/authorized_keys) and appends each public key to it on a new line. It also sets the correct directory and file permissions.


Step 3: Test Key-Based Logins

Before going further, confirm you can log in from both machines using your keys.

From both Client A and Client B, run:

    ssh user@your_server_ip

It should now log you in without asking for your server password. If you set a passphrase for your key, it will ask for that instead.


Step 4: Disable Password Authentication on the Server

Now you'll edit the main SSH daemon configuration file.

  1. Log into your server (using one of your keys).

  2. Open the configuration file with a text editor like nano:

    sudo nano /etc/ssh/sshd_config
  3. Find the line that says PasswordAuthentication yes. It might be commented out with a #.

  4. Uncomment it (if necessary) and change yes to no.

    # Change this line
    PasswordAuthentication yes

    # To this
    PasswordAuthentication no
  5. It's also good practice to disable challenge-response authentication, which can sometimes act like a password prompt. Ensure this line is also set to no.

    ChallengeResponseAuthentication no
  6. Save the file and exit the editor (in nano, press Ctrl+X, then Y, then Enter).

Step 5: Apply the Changes

For the new settings to take effect, you must restart the SSH service.

    sudo systemctl restart sshd

Step 6: Final Verification

Finally, confirm everything works as expected.

  1. Test Key Login: In a new terminal, log in from both Client A and Client B. They should continue to work perfectly. 🔑
  2. Test Password Login: Try to log in from a new terminal using a password. The server should immediately reject the attempt with a message like Permission denied (publickey).
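
Added example (not part of the original guide): a check of the effective settings that `sshd -T` prints, useful because sshd keeps the first value it obtains for each keyword, so a file pulled in by an Include directive can leave passwords enabled even after the Step 4 edit. The function name and the sample outputs are constructed for illustration; on the server, pipe `sudo sshd -T` into `check_effective`.

```shell
#!/bin/sh
# Added example, not from the original guide.
# check_effective reads `sshd -T` output on stdin and returns 0 only when
# key-only login is enforced. Missing settings fail closed.
check_effective() {
    awk '
        { val[$1] = $2 }   # sshd -T prints "keyword value", keyword lowercased
        END {
            bad = 0
            if (val["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes"; bad = 1
            }
            if (val["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is not no"; bad = 1
            }
            # The keyboard-interactive setting is reported under either
            # name, depending on the OpenSSH version.
            if ("kbdinteractiveauthentication" in val) {
                kbd = val["kbdinteractiveauthentication"]
            } else {
                kbd = val["challengeresponseauthentication"]
            }
            if (kbd != "no") {
                print "FAIL keyboard-interactive authentication is not no"; bad = 1
            }
            if (!bad) print "OK key-only login enforced"
            exit bad
        }'
}

# Constructed excerpts of `sshd -T` output (not captured from a real host).
# First sample: an included file set PasswordAuthentication yes before the edit.
SAMPLE_OVERRIDDEN='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'
SAMPLE_GOOD='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# Demo on the constructed samples.
# On the server: sudo sshd -T | check_effective
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_effective || echo "-> passwords still accepted"
printf '%s\n' "$SAMPLE_GOOD" | check_effective
```

If the check fails after you have edited /etc/ssh/sshd_config, look for the same keyword in any file named by an Include line in that config.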