DevTools Hub LogoDevTools Hub
Security & Authentication

What is an SSH Key? Understanding Public Key Authentication

Learn about SSH keys - cryptographic keys used for secure authentication to remote servers without passwords.

8 min read
#ssh#ssh-key#security#authentication#encryption#public-key

What is an SSH Key?

An SSH (Secure Shell) key is a pair of cryptographic keys used to authenticate your identity when connecting to remote servers. Instead of using passwords, SSH keys provide a more secure and convenient way to prove your identity. SSH keys are fundamental to modern DevOps workflows, Git operations, and server administration.

How SSH Keys Work

SSH keys use public-key cryptography, also known as asymmetric encryption.

Public and Private Keys

An SSH key pair consists of two mathematically related keys: a public key and a private key.

text
Private Key (id_rsa or id_ed25519):
- Kept secret on your computer
- Never shared with anyone
- Used to prove your identity
- Typically stored in ~/.ssh/

Public Key (id_rsa.pub or id_ed25519.pub):
- Shared with servers you want to access
- Safe to distribute publicly
- Stored on remote servers in ~/.ssh/authorized_keys
- Can be regenerated from private key

Authentication Process

How SSH key authentication works step by step:

text
1. You attempt to connect to a server:
   ssh user@example.com

2. Server sends a challenge encrypted with your public key

3. Your SSH client decrypts the challenge using your private key

4. Client sends the decrypted response back to server

5. Server verifies the response
   - If correct: Access granted
   - If incorrect: Access denied

No password is transmitted over the network!

SSH Key Algorithms

Three main algorithms are commonly used for SSH keys:

RSA (Rivest-Shamir-Adleman)

The oldest and most widely supported algorithm, but requires larger key sizes for security.

bash
Key Sizes: 2048, 3072, 4096 bits
Recommended: 4096 bits for new keys

Generate:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Pros:
+ Universal compatibility
+ Well-tested and trusted

Cons:
- Slower than modern algorithms
- Larger key sizes needed
- Vulnerable to quantum computers (future)

ECDSA (Elliptic Curve DSA)

Faster than RSA with smaller key sizes, but has some security considerations.

bash
Key Sizes: 256, 384, 521 bits
Recommended: 521 bits

Generate:
ssh-keygen -t ecdsa -b 521 -C "your_email@example.com"

Pros:
+ Faster than RSA
+ Smaller key sizes
+ Good performance

Cons:
- NSA involvement in standards (trust concerns)
- Less portable than RSA
- Implementation flaws possible

Ed25519 (EdDSA)

Modern, fast, and secure algorithm. Recommended for new keys.

bash
Key Size: 256 bits (fixed)

Generate:
ssh-keygen -t ed25519 -C "your_email@example.com"

Pros:
+ Fastest algorithm
+ Strong security
+ Small key size (68 characters)
+ Immune to timing attacks
+ Simple implementation (fewer bugs)

Cons:
- Not supported by very old systems
- Relatively new (2011)

Generating SSH Keys

Step-by-step guide to creating SSH keys:

Basic Key Generation

Generate a new Ed25519 key (recommended):

bash
# Generate new key
ssh-keygen -t ed25519 -C "your_email@example.com"

# You'll be prompted for:
# 1. File location (default: ~/.ssh/id_ed25519)
# 2. Passphrase (recommended for extra security)

# Output:
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub

Viewing Your Public Key

Display your public key to add it to servers:

bash
# Display public key
cat ~/.ssh/id_ed25519.pub

# Output example:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl your_email@example.com

# Copy to clipboard (macOS)
pbcopy < ~/.ssh/id_ed25519.pub

# Copy to clipboard (Linux with xclip)
xclip -sel clip < ~/.ssh/id_ed25519.pub

Adding Key to SSH Agent

Use SSH agent to avoid entering passphrase repeatedly:

bash
# Start SSH agent
eval "$(ssh-agent -s)"

# Add your key
ssh-add ~/.ssh/id_ed25519

# Verify keys in agent
ssh-add -l

# macOS: Add to keychain permanently
ssh-add --apple-use-keychain ~/.ssh/id_ed25519

Using SSH Keys

Common use cases and setup procedures:

Adding Key to Server

Manual and automated methods to authorize your key on a server:

bash
# Method 1: Use ssh-copy-id (easiest)
ssh-copy-id user@example.com

# Method 2: Manual copy
cat ~/.ssh/id_ed25519.pub | ssh user@example.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

# Method 3: Paste manually
# 1. Copy your public key
# 2. SSH into server
# 3. Edit ~/.ssh/authorized_keys
# 4. Paste the key on a new line
# 5. Set correct permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

GitHub/GitLab Setup

Add SSH key to version control platforms:

bash
# 1. Copy your public key
cat ~/.ssh/id_ed25519.pub

# 2. GitHub:
# Settings → SSH and GPG keys → New SSH key
# Paste key and save

# 3. Test connection
ssh -T git@github.com
# Output: Hi username! You've successfully authenticated...

# 4. Clone repos with SSH
git clone git@github.com:username/repo.git

SSH Config File

Simplify connections with SSH config:

bash
# Create/edit ~/.ssh/config

# Production server
Host prod
  HostName prod.example.com
  User deploy
  IdentityFile ~/.ssh/id_ed25519
  Port 22

# GitHub with specific key
Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519_github

# Now connect easily:
ssh prod  # Instead of ssh deploy@prod.example.com

Security Best Practices

  • Always use a passphrase on your private key for extra security
  • Use Ed25519 for new keys (or RSA 4096 for legacy compatibility)
  • Never share your private key - it should stay on your computer
  • Use different keys for different services (work, personal, GitHub)
  • Set correct permissions: 700 for ~/.ssh/, 600 for private keys, 644 for public keys
  • Disable password authentication on servers once SSH keys are set up
  • Use SSH agent instead of typing passphrase repeatedly
  • Backup your keys securely (encrypted backup)
  • Rotate keys periodically - regenerate keys every 1-2 years
  • Remove old keys from authorized_keys on servers you no longer use

Common SSH Key Locations

Default locations for SSH keys and configuration:

File Structure

Standard SSH directory structure:

text
~/.ssh/
├── id_ed25519           # Private key (keep secret!)
├── id_ed25519.pub       # Public key (share this)
├── id_rsa               # Legacy RSA private key
├── id_rsa.pub           # Legacy RSA public key
├── authorized_keys      # Public keys allowed to access this machine
├── known_hosts          # Fingerprints of servers you've connected to
└── config               # SSH client configuration

Permissions:
drwx------  ~/.ssh/           (700)
-rw-------  id_ed25519        (600)
-rw-r--r--  id_ed25519.pub    (644)
-rw-------  authorized_keys   (600)
-rw-------  config            (600)

Troubleshooting

Common issues and solutions:

Connection Issues

Debug SSH connection problems:

bash
# Verbose connection (shows detailed info)
ssh -v user@example.com
ssh -vv user@example.com  # More verbose
ssh -vvv user@example.com # Maximum verbosity

# Test specific key
ssh -i ~/.ssh/id_ed25519 user@example.com

# Check server's SSH logs
sudo tail -f /var/log/auth.log  # Ubuntu/Debian
sudo tail -f /var/log/secure    # CentOS/RHEL

Permission Errors

Fix incorrect file permissions:

bash
# Fix permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/config

# On server, ensure correct ownership
chown -R $USER:$USER ~/.ssh

Advantages of SSH Keys

  • More Secure: Stronger than passwords, resistant to brute-force attacks
  • Convenient: No need to type passwords for each connection
  • Automation: Enable passwordless scripts and CI/CD pipelines
  • Multiple Keys: Use different keys for different services
  • Revocable: Can remove a key without changing passwords
  • No Network Transmission: Private key never leaves your machine
  • Two-Factor: Passphrase adds second factor of authentication

When to Use SSH Keys

  • Server Administration: Accessing remote Linux/Unix servers
  • Git Operations: Pushing/pulling code from GitHub, GitLab, Bitbucket
  • Automated Deployments: CI/CD pipelines and deployment scripts
  • File Transfers: SCP, SFTP, rsync over SSH
  • Container Management: Accessing Docker containers, Kubernetes pods
  • Database Connections: MySQL, PostgreSQL over SSH tunnel
  • Development: Remote development environments, VS Code Remote SSH

Conclusion

SSH keys are fundamental to secure, modern software development and operations. Understanding how to generate, manage, and use SSH keys properly is essential for developers and system administrators. By following best practices and using modern algorithms like Ed25519, you can ensure secure and convenient access to your servers and services.

Related Tools

Try these tools related to this topic

SSH Key Generator

Generate secure SSH key pairs (RSA, ECDSA, Ed25519)

Hash Generator

Generate cryptographic hashes