How To Set Up SSH Keys

At Remoteler, we advocate SSH certificates over SSH keys and passwords as the best authentication method for SSH. Nothing beats the security and operational flexibility of using certificate-based authentication for a large fleet of SSH servers running on the dynamic infrastructure. But in practice, certificate-based authentication is far from the de facto authentication method, and sometimes we may need to use SSH keys. For example, in my daily workflow, I use SSH keys when accessing DigitalOcean servers or to check repositories in my GitHub personal account because SSH keys are the default available methods (alongside passwords). So it helps to learn the best way to generate and use SSH keys.

This post is targeted toward individuals who need to generate and manage SSH keys and keep them secure for day-to-day tasks. If you are looking for a way to add SSH key-based authentication in your organization, stop! Certificates provide greater flexibility and security over keys, and open-source Remoteler makes it super easy and secure to implement them. Give it a try.

Now, let’s get to the topic!

How to generate SSH Keys 

The SSH key generation process is handled by the OpenSSH helper program ssh-keygen. The types of keys supported by OpenSSH are:

  1. dsa: Key generated with Discrete Logarithm Problem & Modular Exponentiation algorithm.
  2. ecdsa: Key generated with Elliptic Curve Discrete Logarithm Problem algorithm.
  3. ecdsa-sk: Same as ecdsa but with an option to store the keys in FIDO/U2F devices.
  4. ed25519: Key generated with Edwards-curve Digital Signature algorithm.
  5. ed25519-sk: Same as ed25519 but with an option to store the keys in FIDO/U2F devices.
  6. rsa: Key generated with Rivest–Shamir–Adleman algorithm.

So what is the recommended SSH key generation algorithm? The two most popular options for key generation are either rsa or ed25519. The ed25519 algorithm offers more cryptographically strong keys while rsa is the most widely supported algorithm. If you are generating a key for modern SSH servers, go with ed25519.

To generate an SSH key of type ed25519, we invoke the ssh-keygen command with a -t flag as follows:

The default key size is 256 bits. To use higher bits, you can use the -b flag as the following:

By default, SSH keys are placed in the ~/.ssh/ directory, but this is optional and you can place them anywhere you want to.

The following is an example of the full steps of the key generation process using type ed25519:

You will receive a public key and a private key. You will only need to upload the public key to the servers you need to access. The private key must be kept securely on your machine.

Copying your public key to an SSH server

In SSH, key-based authentication is based on asymmetric cryptography, and the authenticity of the user is based on signature validation. First, the server needs to trust the public key. This is done by copying the public key to the server’s ~/.ssh/authorized_keys file. Then for authentication, the user’s SSH client signs a random message with the private key, which the server verifies using the public key.

To copy the user’s public key to the server, OpenSSH has a built-in helper ssh-copy-id. Using the ssh-copy-id command, we can easily add the public key to the remote server, automatically copying the key into the ~/.ssh/authorized_keys file.

The terminal output text should be:

or services like GitHub, we need to paste the content of the public key on their website. For this, we can use pbcopyxclip, or a text editor.

Using SSH Config file

When you have multiple keys and different usernames for different SSH servers, it can be tedious to enter long SSH commands. The SSH config file ~/.ssh/config helps to customize and, in some instances, automate the SSH access process. For example, we can predefine a host so that the following SSH command:

can be shortened to:

To achieve this, we update the config file(~/.ssh/config) with the following option:

This is just one example, but you can configure many other options such as the specific encryption algorithms for a given host, configuration of the SSH agent, use of ProxyJump, custom port definition, etc. Basically, every feature supported by the OpenSSH client can be preconfigured using a config file. Read our prior blog on using ssh client config files for more details.

Working with SSH agents

For security reasons, you should always protect your private keys using a passphrase. This is supported by ssh-keygen which asks you for a passphrase during the key generation process. Some users may find a requirement to enter a passphrase annoying. In other situations, a third party program might need to access the keys for automation purposes and a passphrase can be a blocker. To reduce the pain in these scenarios, OpenSSH offers ssh-agent, a helper program that automates the key management process and relieves you from entering passphrase every time for SSH access.

To add the private key to SSH agent, first ensure that the ssh-agent program is running. You can start the program with the following command:

Then to add the private key, we use the ssh-add helper program with the following command:

SSH agents have their fair share of security risks, and I recommend reading our dedicated blog on how to use SSH agent securely.


In this post, I have listed a few of the most common tasks related to SSH key management that help in the day-to-day SSH access. Although it will help you get started using SSH key-based access, SSH supports numerous configuration options for keys that we did not discuss. I recommend you read the following man pages related to SSH key management:

  1. OpenSSH guide on key-based authentication:
  2. ssh-keygen
  3. ssh-agent
  4. ssh-add
  5. ssh_config
Implement certificate-based authentication for your SSH servers

As mentioned earlier, certificate-based authentication provides security and operational flexibility for a large fleet of SSH servers running in a dynamic environment. Learn more about how Remoteler helps implement SSH certificate-based authentication for your SSH infrastructure.

P.S. Remoteler is free and open-source and perfectly integrates with existing OpenSSH servers.

Try Remoteler Today!