Password authentication is the weakest part of a default SSH setup. A password can be guessed online (brute force), reused from a breach of some other site (credential stuffing), or captured by a keylogger, and the server has no way to tell a stolen password from the real user. Key-based authentication removes the guessing and reuse problems: the private key never leaves your machine, nothing that could be replayed is sent to the server, and a 256-bit key is not something an attacker can brute-force or look up in a breach dump.
Generate SSH Key Pair
On your local machine (not the server):
# Generate an ED25519 key (recommended in 2025). The file name matches the commands below;
# -a 100 raises the KDF rounds that protect the passphrase, -C is just a label (change it).
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_prod_server -C "your-name@workstation"

# Alternative: RSA 4096-bit key for older systems that do not support ED25519
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_prod_server_rsa -C "your-name@workstation"

Set a passphrase when prompted; a key without one is only as safe as the file it lives in.

Why ED25519? Signing and verification are fast, the keys are small (a 32-byte public key versus a 512-byte modulus for RSA-4096), and there is no key size or padding scheme to get wrong. OpenSSH has supported it since 6.5 (2014), so the only reason to fall back to RSA is a client or server too old to know the algorithm. I've switched all my infrastructure to ED25519 and never looked back.
Deploy Public Key to Server
# Copy your public key to the server (ssh-copy-id creates ~/.ssh and authorized_keys
# with restrictive modes if they do not exist yet)
ssh-copy-id -i ~/.ssh/id_prod_server.pub username@server_ip

# Manual method if ssh-copy-id isn't available
cat ~/.ssh/id_prod_server.pub | ssh username@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Either way, only the .pub file goes to the server; the private key stays on your workstation.

Test Key Authentication
Before disabling password authentication, verify key-based login works:
ssh -o PasswordAuthentication=no -o PreferredAuthentications=publickey -i ~/.ssh/id_prod_server username@server_ip

If you get a shell without being asked for the account password (a prompt for the key's passphrase is fine), you're good to proceed. The two -o options make the test meaningful: without them ssh falls back to a password when the key is rejected, which is exactly the case you are trying to catch. Add -v if you want to see which method actually succeeded. Keep your existing session open while you test, so that a mistake cannot lock you out.
Set Correct Permissions
SSH is strict about permissions. With StrictModes (the default) sshd ignores authorized_keys when the file, ~/.ssh, or your home directory is writable by group or others, and the ssh client refuses to use a private key that other users can read. In both cases the key is silently skipped and the login falls back to a password or fails, so check the modes before you wonder why the key "does not work":

# On the server
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_ed25519   # only if a private key lives on the server, which it normally should not

If a login still fails, ssh -v on the client and the server's auth log (journalctl -u ssh or -u sshd depending on the distribution, or /var/log/auth.log) will tell you which check rejected the key.

Next Steps
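The following is an added example, not code from the original post: a small POSIX shell helper that audits and repairs the permission rules the steps above rely on (home directory not group/world-writable, ~/.ssh 700, authorized_keys 600, private keys 600) and flags authorized_keys lines sshd cannot use, so you can run it on a server before disabling password logins. It assumes a Linux host with GNU coreutils (stat -c); the demo home directory and the key material in it are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits and repairs the
# file-permission rules sshd (StrictModes, on by default) and the ssh client
# enforce, then lints authorized_keys. Assumes GNU coreutils (stat -c).
# The demo home at the bottom is constructed; the key blobs are placeholders.

# perm_mode PATH -> octal permission bits, e.g. 755
perm_mode() { stat -c '%a' "$1"; }

# check_ssh_perms HOME_DIR -> prints one line per problem, returns 1 if any
check_ssh_perms() {
    hd=$1; bad=0
    # Home: sshd only requires that group/others cannot write (mask 022).
    m=$(perm_mode "$hd")
    [ $((0$m & 022)) -eq 0 ] || { echo "home is group/world-writable: $hd ($m)"; bad=1; }
    # ~/.ssh: sshd would accept 755, but nothing else needs to read it, so 700.
    if [ -d "$hd/.ssh" ]; then
        m=$(perm_mode "$hd/.ssh")
        [ "$m" = 700 ] || { echo ".ssh should be 700: $hd/.ssh ($m)"; bad=1; }
    else
        echo "missing: $hd/.ssh"; bad=1
    fi
    if [ -f "$hd/.ssh/authorized_keys" ]; then
        m=$(perm_mode "$hd/.ssh/authorized_keys")
        [ "$m" = 600 ] || { echo "authorized_keys should be 600 ($m)"; bad=1; }
    fi
    # Anything in ~/.ssh whose first line is a key header is a private key.
    for f in "$hd"/.ssh/*; do
        [ -f "$f" ] || continue
        IFS= read -r first < "$f" || :
        case $first in
            "-----BEGIN "*)
                m=$(perm_mode "$f")
                [ "$m" = 600 ] || { echo "private key too open: $f ($m)"; bad=1; } ;;
        esac
    done
    return $bad
}

# fix_ssh_perms HOME_DIR -> applies the modes from the guide, plus go-w on home
fix_ssh_perms() {
    hd=$1
    chmod go-w "$hd"
    mkdir -p "$hd/.ssh" && chmod 700 "$hd/.ssh"
    if [ -f "$hd/.ssh/authorized_keys" ]; then chmod 600 "$hd/.ssh/authorized_keys"; fi
    for f in "$hd"/.ssh/*; do
        [ -f "$f" ] || continue
        IFS= read -r first < "$f" || :
        case $first in
            "-----BEGIN "*) chmod 600 "$f" ;;              # private key
            *) case $f in *.pub) chmod 644 "$f" ;; esac ;; # public keys may stay readable
        esac
    done
    return 0
}

# lint_authorized_keys FILE -> prints the count of lines sshd cannot use;
# details go to stderr. Blank lines and comments are skipped.
lint_authorized_keys() {
    bad=0; n=0
    types='ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com'
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # a key type followed by a base64 blob; an options field may precede the type
        if printf '%s\n' "$line" | grep -Eq "(^|[[:space:]])($types) +[A-Za-z0-9+/]+=*([[:space:]]|$)"; then
            continue
        fi
        case $line in
            *ssh-dss*) echo "line $n: ssh-dss (DSA) is disabled by default since OpenSSH 7.0" >&2 ;;
            *) echo "line $n: not a recognised key entry" >&2 ;;
        esac
        bad=$((bad + 1))
    done < "$1"
    echo "$bad"
}

# Constructed demo home with the usual mistakes (the key material is fake).
make_demo_home() {
    h=$(mktemp -d)
    mkdir -p "$h/.ssh"
    chmod 775 "$h"; chmod 755 "$h/.ssh"
    {
        echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceholde ops@workstation'
        echo 'this is not a key'
    } > "$h/.ssh/authorized_keys"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder' '-----END OPENSSH PRIVATE KEY-----' > "$h/.ssh/id_prod_server"
    chmod 644 "$h/.ssh/authorized_keys" "$h/.ssh/id_prod_server"
    echo "$h"
}

demo=$(make_demo_home)
echo "before:"; check_ssh_perms "$demo" || true
fix_ssh_perms "$demo"
echo "after:"; check_ssh_perms "$demo" && echo "permissions OK"
unusable=$(lint_authorized_keys "$demo/.ssh/authorized_keys")
echo "unusable authorized_keys lines: $unusable"
rm -rf "$demo"
```

To audit a real account, call check_ssh_perms with that user's home directory (for example, check_ssh_perms "$HOME") and only run fix_ssh_perms once you have read the findings; chmod go-w on a home directory is harmless, but it is still a change to a production box and worth doing deliberately.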
With key-based authentication working, proceed to the SSH Daemon Hardening guide to lock down your sshd_config with production-ready security settings.