SSH public key authentication lets you log in to a remote Linux server without needing to type a password. Instead SSH uses a key pair:
id_ed25519 - stays on your local computer and should never be shared
id_ed25519.pub - copied to the remote server
When you try to connect, your private key is used to authenticate you, and if your public key is set up correctly on the server, you are allowed to log in.
You can read more about SSH public key authentication here:
.pub.
If you already have an SSH key pair, you can usually reuse it (skip to step 3 below) instead of generating a new one.
Use the code below to see if you already have files such as id_ed25519 and id_ed25519.pub.
On Windows, open PowerShell or Windows Terminal and run:
dir $env:USERPROFILE\.ssh
On macOS or Linux, open Terminal and run:
ls ~/.ssh
If you do not already have an SSH key, create one using ssh-keygen.
On Windows, open PowerShell or Windows Terminal. Run:
ssh-keygen -t ed25519
You will see prompts similar to this (simply press Enter to proceed with the default file names and without encrypting your key):
Generating public/private key pair.
Enter file in which to save the key (C:\Users\YourUsername/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase:
The default key files are:
#private key
C:\Users\YourUsername\.ssh\id_ed25519
#public key
C:\Users\YourUsername\.ssh\id_ed25519.pub
On macOS or Linux, open Terminal. Run:
ssh-keygen -t ed25519
You will see prompts similar to this (simply press Enter to proceed with the default file names and without encrypting your key):
Generating public/private key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase:
The default key files are:
#private key
~/.ssh/id_ed25519
#public key
~/.ssh/id_ed25519.pub
If you entered a passphrase during key generation above, then your private key is encrypted and you will be prompted for that passphrase every time you try to use the key. This is an optional security feature, but not something covered by this guide.
Your public key must be added to this file on the remote Linux server:
~/.ssh/authorized_keys
Use a method below to distribute your public key to the server:
If you would like help, contact SocIT at socit@uci.edu. Please include:
id_ed25519.pub into the body of the email, or attach the file.
Use this method if password login is currently enabled on the remote server.
The ssh-copy-id command automatically installs your public key on the server. Run this command from your local computer:
ssh-copy-id username@remotehost
Replace:
username with your username on the remote server
remotehost with the server hostname
You will be prompted for your password on the remote server. If the command is not found, use Option A: Ask SocIT for Help.
Use this method if you can physically access the remote server console or otherwise log in locally.
id_ed25519.pub, it should be one long line like:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataHere my-laptop
mkdir -p ~/.ssh
touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
authorized_keys:
echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
After your public key has been added to the server, test your login from your local computer:
ssh username@remotehost
If you entered a passphrase when generating your key, then you will be prompted for this passphrase in order to decrypt your private key. This is different from your user account password.
Use this section if you are an administrator adding someone else's public key to their user account. Modify these values as needed:
USERNAME=panteater
TMP_PUBKEY_FILE="/tmp/id_ed25519.pub"
USER_HOME=/home/panteater
SSH_DIR="$USER_HOME/.ssh"
AUTHKEY_FILE="$SSH_DIR/authorized_keys"

# Create .ssh directory and authorized_keys file
sudo mkdir -p "$SSH_DIR"
sudo touch "$AUTHKEY_FILE"

# Add the key only if it is not already present
if ! sudo grep -Fxq -f "$TMP_PUBKEY_FILE" "$AUTHKEY_FILE"; then
    cat "$TMP_PUBKEY_FILE" | sudo tee -a "$AUTHKEY_FILE" > /dev/null
fi

# Set correct permissions and ownership
sudo chmod 700 "$SSH_DIR"
sudo chmod 600 "$AUTHKEY_FILE"
sudo chown -R "$USERNAME":"$USERNAME" "$SSH_DIR"

# Remove temporary public key file
rm -f "$TMP_PUBKEY_FILE"
For more detailed troubleshooting output, use:
ssh -vv username@remotehost
This can help identify any issues when logging in.
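If the verbose output shows the key being offered but not accepted, the cause is often on the server side. The script below is an added example, not part of the original guide: it checks the 700/600 modes set in the manual steps and that each ssh-ed25519 entry in authorized_keys is one complete line. The function name check_ssh_setup is hypothetical, and entries that begin with an options prefix are reported for manual review rather than parsed.

```shell
#!/bin/sh
# Added example, not part of the original guide. check_ssh_setup is a
# hypothetical helper; run it on the server as the account's owner.
# Returns 0 when no problem is found, 1 otherwise; findings go to stdout.
check_ssh_setup() (
    ssh_dir="${1:-$HOME/.ssh}"
    auth="$ssh_dir/authorized_keys"
    bad=0
    [ -d "$ssh_dir" ] || { echo "MISSING $ssh_dir"; exit 1; }
    [ -f "$auth" ] || { echo "MISSING $auth"; exit 1; }

    # Modes the guide sets: chmod 700 ~/.ssh, chmod 600 authorized_keys.
    mode=$(ls -ld "$ssh_dir" | cut -c1-10)
    [ "$mode" = "drwx------" ] || { echo "PERMS $ssh_dir is $mode"; bad=1; }
    mode=$(ls -l "$auth" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "PERMS $auth is $mode"; bad=1; }

    # Every entry must be one unbroken line: "<type> <base64> [comment]".
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f    # split on whitespace, no globbing
        case "$1" in
            ssh-ed25519)
                # An Ed25519 public key blob is 51 bytes, so it is always
                # 68 base64 characters and starts with the encoded type name.
                case "$2" in
                    AAAAC3NzaC1lZDI1NTE5*)
                        [ "${#2}" -eq 68 ] ||
                            { echo "LINE $n: ed25519 key is ${#2} chars, expected 68"; bad=1; } ;;
                    *) echo "LINE $n: key data does not match type ssh-ed25519"; bad=1 ;;
                esac ;;
            ssh-rsa|ecdsa-sha2-*|sk-*) ;;   # other key types: not length-checked here
            *) echo "LINE $n: no key type at line start (wrapped paste or options prefix)"; bad=1 ;;
        esac
    done < "$auth"
    exit "$bad"
)
```

Run it with no argument to check ~/.ssh, or pass another user's .ssh directory as the first argument when you have permission to read it.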
.pub.