Using an SSH key to log in to your server is considered more secure than a password. Nowadays, if you’re still using RSA SSH keys, you’re encouraged to switch to ed25519 ones because ed25519 is more secure and much faster. This tutorial will show you how to generate an ed25519 SSH key and upload the public key to your server properly.
Generating an ed25519 SSH key
You can generate an ed25519 SSH key with a comment using the following command. Usually, the comment in an SSH key is an email address.
ssh-keygen -t ed25519 -C "firstname.lastname@example.org"
You’ll be asked where to save the SSH key file. We’ll use the default location and filename to keep things simple. You’ll then be asked to enter a passphrase. If you don’t want to set one, just leave it empty by pressing Enter twice. You are encouraged to set one though.
A pair of SSH keys is generated in the default location: id_ed25519 is the private key, which you should keep as securely as if it were your ATM card, and id_ed25519.pub is the public one that you’ll upload to your server for logging in using an SSH key instead of a password.
Generating public/private ed25519 key pair.
Enter file in which to save the key ($HOME/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in $HOME/.ssh/id_ed25519
Your public key has been saved in $HOME/.ssh/id_ed25519.pub
Uploading the public key to your server
Upload the newly generated public key to your server using the command below, where user is your username and hostname is your server IP. You’ll be prompted to enter the password accordingly.
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@hostname
If you’re using a different SSH port for security purposes, you can specify it in the command like so, assuming it’s port 2222 in this example.
ssh-copy-id -p 2222 -i ~/.ssh/id_ed25519.pub user@hostname
Disabling password authentication in the SSH configuration file
Open the SSH configuration file located at /etc/ssh/sshd_config on your server.
sudo vi /etc/ssh/sshd_config
Find these options, set them to no, and uncomment them to disable password authentication for logging in to your server.
PasswordAuthentication no
ChallengeResponseAuthentication no
Make sure you don’t lock yourself out of the server, then restart the SSH service to reload the configuration file.
sudo systemctl restart ssh
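One way to check that you won’t lock yourself out before running the restart above, as an added example that is not part of the original tutorial: it confirms the public key is already in an authorized_keys file and that both options are effectively set to no. The helper names (effective_value, safe_to_restart, make_samples) and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: check before restarting sshd that you will not be locked out.
# All file paths are arguments; the sample files below are constructed.

# Print the effective global value of an sshd_config keyword. sshd uses the
# first value it obtains for a keyword and keywords are case-insensitive.
# Include files and Match blocks are not evaluated here.
effective_value() {  # usage: effective_value CONFIG KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        NF == 0 || substr($1, 1, 1) == "#" { next }  # blank or commented out
        tolower($1) == "match" { exit }              # end of global section
        tolower($1) == want { print $2; exit }       # first match wins
    ' "$1"
}

# Return 0 only if the public key is already in the authorized_keys file
# and both options from the tutorial are effectively "no".
safe_to_restart() {  # usage: safe_to_restart CONFIG AUTHORIZED_KEYS PUBKEY
    blob=$(awk '{ print $2; exit }' "$3")
    [ -n "$blob" ] || { echo "no public key found in $3"; return 1; }
    grep -qF -- "$blob" "$2" || { echo "key missing from $2"; return 1; }
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$1" "$kw")
        [ "$val" = "no" ] || { echo "$kw is ${val:-unset}"; return 1; }
    done
    echo "ok: key authorized, password logins disabled"
}

# Constructed sample data: a fake public key and two candidate configs.
make_samples() {  # usage: make_samples DIR
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal firstname.lastname@example.org' > "$1/id_ed25519.pub"
    cp "$1/id_ed25519.pub" "$1/authorized_keys"
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' > "$1/sshd_config.good"
    # An earlier "yes" overrides the later "no"; the second option is still commented.
    printf '%s\n' 'passwordauthentication yes' 'PasswordAuthentication no' \
        '#ChallengeResponseAuthentication no' > "$1/sshd_config.bad"
}

dir=$(mktemp -d)
make_samples "$dir"
for cfg in good bad; do
    printf '%s: ' "$cfg"
    safe_to_restart "$dir/sshd_config.$cfg" "$dir/authorized_keys" "$dir/id_ed25519.pub" || true
done
rm -rf "$dir"
```

On a real server you would pass /etc/ssh/sshd_config and your ~/.ssh/authorized_keys; running sudo sshd -t first also catches syntax errors in the edited file.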