Using password authentication for SSH works, but it's not ideal. Passwords can be guessed or brute-forced. SSH keys are much more secure and convenient once set up.
In this tutorial, you'll learn how to generate an SSH key pair (public and private) and configure your VPS to accept key authentication.
What You Need
- A VPS with root or sudo access (check our VPS reviews if you don't have one)
- A local computer with terminal (Mac/Linux) or WSL/PowerShell (Windows)
- About 5 minutes
Step 1: Generate an SSH Key Pair on Your Local Machine
Open your terminal and run this command:
ssh-keygen -t ed25519 -C "your_email@example.com"
What this does:
- ed25519 is the key type (more secure than RSA).
- The -C flag adds a label (your email) so you remember which key is which.
You'll be asked where to save the key. Press Enter to accept the default location (~/.ssh/id_ed25519).
Then you'll set a passphrase. This is optional but recommended. If someone steals your private key, they still need the passphrase to use it.
After this step, you'll have two files:
- ~/.ssh/id_ed25519 (your private key, never share this)
- ~/.ssh/id_ed25519.pub (your public key, goes on the server)
Step 2: Copy Your Public Key to the VPS
Method A: Using ssh-copy-id (easiest, Mac/Linux)
ssh-copy-id username@your_server_ip
Enter your password when prompted. The command automatically adds your public key to the server's authorized_keys file.
Method B: Manual copy (if ssh-copy-id is not available)
First, display your public key:
cat ~/.ssh/id_ed25519.pub
Copy the output (it starts with "ssh-ed25519" and ends with your email).
Then log into your VPS:
ssh username@your_server_ip
Create the .ssh directory if it doesn't exist:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
Add your public key to authorized_keys:
echo "paste_your_public_key_here" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Step 3: Test Key Authentication
Exit your current SSH session:
exit
Then try logging in again:
ssh username@your_server_ip
If you set a passphrase, you'll be prompted for that. Otherwise you should log in without being asked for your account password.
If it works, proceed to Step 4. If not, check that the public key was copied correctly and that file permissions are right (.ssh is 700, authorized_keys is 600).
Step 4: Disable Password Authentication (Optional but Recommended)
Once you confirm key authentication works, you can disable password login entirely. This prevents password brute-force attacks.
On your VPS, edit the SSH config file:
sudo nano /etc/ssh/sshd_config
Find these lines and change them to:
PasswordAuthentication no
ChallengeResponseAuthentication no
# Optional, for security:
PermitRootLogin no
Save the file (Ctrl+X, then Y, then Enter).
Restart the SSH service:
sudo systemctl restart sshd
Before closing your current session, open a second terminal window and test logging in. This ensures you haven't locked yourself out. Keep the working session open as a backup until you confirm everything works.
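A check for the Step 4 edit, as an added example that is not part of the original tutorial: sshd uses the first value it reads for each keyword, so an earlier line (for instance in a drop-in file pulled in by an Include line) can override the one you changed. The file names and contents below are constructed samples, and the function names are hypothetical; pass the files in the order sshd reads them.

```shell
# Added example (not from the original tutorial). sshd keeps the FIRST value
# it reads for each keyword, so an earlier line can override the Step 4 edit.

# effective_value KEYWORD FILE... : print the first global value found when
# the files are read in the given order, or "(not set)".
# Simplification: lines after a "Match" line are conditional and are skipped.
effective_value() {
    kw=$1; shift
    for f in "$@"; do
        v=$(awk -v kw="$kw" '
            BEGIN { kw = tolower(kw) }
            /^[ \t]*(#|$)/ { next }                 # comments and blank lines
            tolower($1) == "match" { exit }         # rest of file is conditional
            tolower($1) == kw { print tolower($2); exit }
        ' "$f")
        if [ -n "$v" ]; then echo "$v"; return 0; fi
    done
    echo "(not set)"
}

# password_login_disabled FILE... : succeed only if both Step 4 keywords
# resolve to "no"; print each effective value for the reader.
password_login_disabled() {
    rc=0
    for k in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$k" "$@")
        echo "$k -> $val"
        [ "$val" = "no" ] || rc=1
    done
    return $rc
}

# make_demo DIR : write two constructed sample files (hypothetical names).
make_demo() {
    printf '%s\n' '# constructed drop-in, read first via Include' \
        'PasswordAuthentication yes' > "$1/50-example.conf"
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'PermitRootLogin no' \
        > "$1/sshd_config"
}

demo=$(mktemp -d)
make_demo "$demo"
if password_login_disabled "$demo/50-example.conf" "$demo/sshd_config"; then
    echo "password login is disabled"
else
    echo "password login is still possible: an earlier line wins"
fi
rm -rf "$demo"
```

On the server itself, `sudo sshd -T` prints the configuration sshd actually loaded, which is the authoritative answer.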
Troubleshooting Common Issues
"Permission denied (publickey)"
- Did you copy the public key (ending .pub) to the server?
- Check file permissions on the server: ls -la ~/.ssh/
- Try using ssh -v username@ip for verbose output
Key still asks for password
- Password authentication might still be enabled. Go back to Step 4.
- Your key might have been copied to the wrong user's home directory.
ssh-keygen command not found
- On Windows, install Git Bash or WSL. On Linux/Mac, install openssh-client if missing.
Next Steps
Now that SSH keys are set up, your VPS is much more secure. Consider these additional security measures:
- Set up a firewall (UFW or iptables)
- Install fail2ban to block repeated failed attempts
- Regularly update your system with
sudo apt update && sudo apt upgrade