What SSH key authentication is
SSH key authentication replaces the password you type when you connect to a server with a cryptographic key pair: a private key that stays on your computer and a public key that you place on the server. When you connect, your client proves it holds the private key by signing data tied to the session, and the server checks that signature against the public key, so no secret is ever sent over the network. It is both more convenient (no password to type) and far more secure than a password, which can be guessed or brute-forced.
This is the first thing to do after you launch a Skyline Cloud VPS or cloud server. The steps below target Ubuntu 22.04 LTS and 24.04 LTS, but they apply with minor changes to almost any Linux server.
Prerequisites
- A server you can already reach over SSH, with a user that has sudo privileges. On a fresh Skyline Cloud VPS this is usually root or a user you created at provisioning.
- A terminal on your own machine: the Terminal app on macOS or Linux, or PowerShell / Windows Terminal on Windows 10/11 (OpenSSH ships built in).
Step 1 — Generate a key pair on your local machine
Run this on your own computer, not on the server:
ssh-keygen -t ed25519 -C "you@example.com"
We use -t ed25519 because Ed25519 keys are modern, fast, and secure with a short key. The -C flag just adds a comment (your email) so you can identify the key later. If you must support an older system that lacks Ed25519, use a strong RSA key instead:
ssh-keygen -t rsa -b 4096 -C "you@example.com"
Press Enter to accept the default file location (~/.ssh/id_ed25519). When prompted for a passphrase, set a strong one. The passphrase encrypts your private key on disk, so a stolen laptop does not hand over server access. You will only type it once per session if you use an agent (Step 5).
This creates two files:
| File | Role | Share it? |
|---|---|---|
| ~/.ssh/id_ed25519 | Private key | Never share this |
| ~/.ssh/id_ed25519.pub | Public key | Safe to copy to servers |
Step 2 — Copy the public key to your server
The easiest method is ssh-copy-id, which appends your public key to the server's ~/.ssh/authorized_keys and fixes permissions for you:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your_server_ip
You will be asked for your password one last time. Replace user with your server username (e.g. root or ubuntu) and your_server_ip with your VPS IP address.
If ssh-copy-id is not available
On Windows, or if the tool is missing, install the key manually. Display the public key:
cat ~/.ssh/id_ed25519.pub
Copy the single line of output, log in to the server with your password, and run:
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-ed25519 AAAA... you@example.com" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Paste your own key line in place of the example. Correct permissions matter: SSH ignores authorized_keys if the file or ~/.ssh directory is too open.
Step 3 — Test the key login
Open a new terminal and connect:
ssh user@your_server_ip
If you set a passphrase, your system prompts for it (not the server password). You should land on the server's command prompt. Keep this session open while you do the next step, so a mistake cannot lock you out.
Step 4 — Disable password authentication
Once key login works, turn off passwords so brute-force attempts become useless. On the server, edit the SSH daemon config:
sudo nano /etc/ssh/sshd_config
Find and set these lines (remove any leading #):
PasswordAuthentication no
PubkeyAuthentication yes
On Ubuntu 22.04/24.04, also check the drop-in directory /etc/ssh/sshd_config.d/ — a file there (for example 50-cloud-init.conf) can override the main file. Make sure no file sets PasswordAuthentication yes:
sudo grep -r PasswordAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/
Then validate the config (sshd -t prints nothing when the file is valid) and restart the service:
sudo sshd -t
sudo systemctl restart ssh
The service is named ssh on Ubuntu (ssh.service). If restart ssh reports no such unit, use sudo systemctl restart sshd.
Now open another new terminal and confirm you can still log in with your key. Only close your original session after the new one succeeds.
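The grep in Step 4 lists every PasswordAuthentication line but not which one wins. The script below is an added example, not part of the original guide: it resolves the value in force using sshd's first-value-wins rule on a constructed config tree, and the names scan_values, effective_value and demo_dir are this example's own. On a live server, sudo sshd -T | grep -i passwordauthentication reports the value sshd actually uses.

```shell
#!/bin/sh
# Added example, not from the original page. sshd keeps the FIRST value it
# reads for a global keyword, so a drop-in included at the top of sshd_config
# beats a later line in the main file.
# Assumptions: Include patterns are absolute paths (as Ubuntu ships them);
# Match blocks are not evaluated (scanning a file stops at its first Match).

# scan_values KEYWORD FILE: print each value set for KEYWORD, in read order.
# The body is a subshell so recursive calls keep their own variables.
scan_values() (
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -r "$2" ] || exit 0
    # Normalise "Keyword=value" to "Keyword value" before word splitting.
    sed 's/^\([[:space:]]*[A-Za-z]*\)[[:space:]]*=[[:space:]]*/\1 /' "$2" |
    while read -r key val rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords ignore case
        case $key in
            ''|'#'*) continue ;;
            match)   break ;;
            include)
                # Unquoted on purpose: the shell expands the glob, sorted.
                for inc in $val $rest; do scan_values "$want" "$inc"; done ;;
            "$want") printf '%s\n' "$val" ;;
        esac
    done
)

# effective_value KEYWORD [FILE]: the first value found is the one in force.
effective_value() {
    scan_values "$1" "${2:-/etc/ssh/sshd_config}" | head -n 1
}

# Constructed sample tree mirroring Ubuntu's layout: the main file says "no",
# but the drop-in is included first and says "yes".
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo_dir/sshd_config.d/50-cloud-init.conf"
printf 'Include %s/sshd_config.d/*.conf\n#PasswordAuthentication yes\nPasswordAuthentication no\nPubkeyAuthentication yes\n' \
    "$demo_dir" > "$demo_dir/sshd_config"

echo "before fix: $(effective_value PasswordAuthentication "$demo_dir/sshd_config")"
printf 'PasswordAuthentication no\n' > "$demo_dir/sshd_config.d/50-cloud-init.conf"
echo "after fix:  $(effective_value PasswordAuthentication "$demo_dir/sshd_config")"
```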
Step 5 — Use an SSH agent (optional but recommended)
So you don't retype the passphrase every connection, load the key into the agent once per session:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
On macOS, store it in the keychain so it persists across reboots:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
Step 6 — A tidy SSH config (optional)
Add an entry to ~/.ssh/config on your local machine so you can connect with a short alias:
Host skyline-vps
HostName your_server_ip
User ubuntu
IdentityFile ~/.ssh/id_ed25519
Now ssh skyline-vps is all you need.
Troubleshooting
- Still asked for a password after Step 2. Permissions are wrong. On the server run chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys, and check the file is owned by your user.
- Permission denied (publickey). The server isn't offering your key, or you copied it to the wrong user's home directory. Add -v to see what SSH tries: ssh -v user@your_server_ip.
- Locked out after disabling passwords. Use your provider's console (the web-based VNC/serial console in your control panel) to log in and re-enable PasswordAuthentication temporarily.
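For the permission problems described in Step 2 and in the first troubleshooting item, the following added example (not part of the original guide) reports the conditions under which sshd, with StrictModes at its default of yes, skips authorized_keys: a home directory, ~/.ssh or key file that is group/world-writable or owned by another account. The function names and the constructed demo_home directory are this example's own; the chmod 700 / chmod 600 values from the guide satisfy every check.

```shell
#!/bin/sh
# Added example, not from the original page. Checks the three paths sshd
# inspects before trusting authorized_keys (StrictModes yes, the default).

# check_path PATH OWNER: print one line per problem found on PATH itself.
check_path() {
    [ -e "$1" ] || { echo "missing: $1"; return; }
    # -prune limits find to PATH; -perm -020 / -002 = group / other write bit.
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "writable by group or others: $1"
    fi
    # sshd accepts files owned by the account itself or by root.
    if [ -n "$(find "$1" -prune ! -user "$2" ! -user root)" ]; then
        echo "not owned by $2 or root: $1"
    fi
}

# audit_ssh_dir HOME OWNER: returns 0 when clean, 1 after listing problems.
audit_ssh_dir() {
    problems=$(
        check_path "$1" "$2"
        check_path "$1/.ssh" "$2"
        check_path "$1/.ssh/authorized_keys" "$2"
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed stand-in for a home directory with deliberately loose modes.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 775 "$demo_home/.ssh"
chmod 664 "$demo_home/.ssh/authorized_keys"
audit_ssh_dir "$demo_home" "$(id -u)" || echo "-> sshd would ignore this key file"

# Apply the guide's fix and re-check.
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
audit_ssh_dir "$demo_home" "$(id -u)" && echo "-> permissions OK"
```

On a real server, run audit_ssh_dir "$HOME" "$(id -u)" as the login user.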
Run it on a managed, in-Kingdom VPS
SSH keys protect the connection, but the box itself still needs patching, backups, and monitoring. On a Skyline Cloud VPS or cloud server you get hardware hosted inside Saudi Arabia for PDPL, NCA and SDAIA data-residency requirements, local Arabic support, and managed options that handle OS hardening and cloud backups for you. Pair it with business email hosting on the same in-Kingdom platform and your whole stack stays compliant.
Ready to deploy a secure server in minutes? Create your Skyline Cloud account and launch a VPS today.