Configuring authorization by SSH keys on a Linux server

SSH key authentication is a modern and secure way to connect to a Linux-based server. It beats traditional passwords in terms of security and convenience, especially if you regularly work with remote systems. In this guide, we'll walk you through the setup process step by step, from key creation to increased security and automation. You'll learn how to organize access, avoid mistakes, and make your work with the server efficient and secure.

What SSH keys are and why they are better than passwords

SSH (Secure Shell) is a protocol for secure remote access to servers. Typically, a password is used to log in, but it is vulnerable: it can be forgotten, brute-force attacked, or intercepted with weak encryption. SSH keys solve these problems by replacing the password with a cryptographic pair: a public key and a private key.
The public key is placed on the server, while the private key stays with you and is never transmitted over the network. When you connect, the server verifies the key matches using mathematical algorithms. This method eliminates the risk of password leakage and allows you to automate login, which is especially valuable for system administrators, developers and DevOps specialists.

Benefits of SSH keys:

• High resistance to attack;
• Convenience of automatic connection;
• Flexibility to manage access for multiple users or devices.

Generating an SSH key pair

Key creation

First, you need to generate keys on your local device. This is done using the ssh-keygen utility available on Linux, macOS and Windows (with Git Bash or WSL).

Open a terminal and execute:
ssh-keygen -t rsa -b 4096
Let's break down the parameters:

• -t rsa — specifies the encryption algorithm. RSA is one of the most common and secure options;
• -b 4096 — defines the key length in bits. 4096 is the modern standard for high security.

The system will ask for the path to save the files. The default is ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key). If the keys already exist, specify a different path, for example:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/my_new_key -C "my_new_key"

Password protection of the key

You will be asked to enter a password for the private key. This is optional, but highly recommended: if someone gains access to your device, the key will be useless without the password. Use a complex password (12+ characters, letters, numbers, special characters). You will then receive two files and a fingerprint for authentication.

Check the files created:
ls -l ~/.ssh

Transferring the public key to the server

If you have the ssh-copy-id utility, use it:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_address

• -i ~/.ssh/id_rsa.pub — the path to the public key;
• user@server_address — username and IP/domain (for example, [email protected]).

After entering the current server password, the key will be added to the ~/.ssh/authorized_keys.

Manual method

If the ssh-copy-id command is missing, you can manually copy the key using the following command:
cat ~/.ssh/id_rsa.pub | ssh username@server_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Make sure that the permissions for the ~/.ssh directory on the server are set correctly:

• Folder ~/.ssh: privileges 700;
• File authorized_keys: privileges 600.

Connection testing

Try to connect:
ssh user@server_addressThe login will be automatic if no key password is set. Otherwise, enter the key password. Verify that everything is working.

Use debug mode if something went wrong:
ssh -v user@server_addressThe log will show where the error is (for example, wrong permissions or missing key).

Improving server security

Disabling password login

Open /etc/ssh/sshd_config:
nano /etc/ssh/sshd_configSet:

PasswordAuthentication no

Note: Check the key login first, otherwise access will be lost.

Changing the SSH port

Change the port in /etc/ssh/sshd_config (for example, to 2222):

Port 2222

Restart the service:
systemctl restart sshd
Check the status:
systemctl status sshd

Typical errors and their correction

Setting up SSH keys can sometimes be tricky. Here are some common errors and how to fix them:

Error: "Permission denied (publickey)"

This means that the server did not accept your key. Check the following:

1. Is the public key correctly copied to ~/.ssh/authorized_keys;
2. Access rights: execute
   chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys
3. File owner: make sure the files belong to the user
   chown user:group ~/.ssh -R

Error: "Agent admitted failure to sign"

SSH agent problem. Restart it:
eval "$(ssh-agent -s)"
Then add the key:
ssh-add ~/.ssh/id_rsa

Connection freezes

Perhaps the server requires the key password and you didn't see it. Make sure you are using the correct key, or check the log:
ssh -v user@server_address

Automating work with SSH

Customizing aliases

Create the file ~/.ssh/config:

Host dev
HostName dev.example.com
User devuser
Port 2222
IdentityFile ~/.ssh/dev_key

Connect:
ssh dev
Using SSH keys, you can automate various tasks such as:

• Backup data over SSH using rsync;
• Automatically execute scripts and commands on a remote server;
• Configuration management and application deployment using Ansible or other automation tools.

Useful tips

• Store the private key on encrypted media;
• Use ssh-add for key management;
• Try connecting to the test server and share your experience in the comments.

Conclusion

Setting up authorization by SSH keys significantly increases the security and convenience of working with Linux servers. By following these steps and recommendations, you will ensure reliable protection of your servers and simplify management processes.