Password authentication can be compromised through brute-force, keyloggers, or credential stuffing. Keys eliminate all of that.
Generate Key Pair
On your local machine — not the server:
# ED25519 recommended
ssh-keygen -t ed25519 -C "your_email@example.com" -f ~/.ssh/id_prod_server
# RSA fallback for older systems
ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f ~/.ssh/id_prod_server
ED25519 is faster, more secure, and uses shorter keys than RSA. I’ve switched all my infrastructure to it.
Deploy Public Key
ssh-copy-id -i ~/.ssh/id_prod_server.pub username@server_ip
# If ssh-copy-id isn't available
cat ~/.ssh/id_prod_server.pub | ssh username@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Test Before Disabling Passwords
ssh -i ~/.ssh/id_prod_server username@server_ip
Confirm you can log in without a password before touching anything else.
Fix Permissions
SSH won’t use keys with incorrect permissions:
# On the server
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
# On your local machine (the private key generated above)
chmod 600 ~/.ssh/id_prod_server
Next Steps
Proceed to the SSH Daemon Hardening guide.
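The modes from "Fix Permissions" can be checked rather than set blindly. The following is an added example, not part of the original guide: the function names are hypothetical, and it assumes any file with a matching `.pub` beside it is a private key.

```shell
#!/bin/sh
# Added example: audit an SSH directory against the modes set in "Fix Permissions".

# Print a path's permission bits in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Compare one path against an expected mode; print the fix and return 1 on mismatch.
check_mode() {
    actual=$(mode_of "$2") || return 1
    if [ "$actual" != "$1" ]; then
        echo "FIX: chmod $1 $2 (currently $actual)"
        return 1
    fi
    return 0
}

# Audit a directory (default ~/.ssh). Returns 0 only if every checked path matches,
# 1 if any mode differs, 2 if the directory does not exist.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi
    check_mode 700 "$dir" || bad=1
    if [ -f "$dir/authorized_keys" ]; then
        check_mode 600 "$dir/authorized_keys" || bad=1
    fi
    # Assumption: a file with a matching .pub next to it is a private key.
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        key=${pub%.pub}
        if [ -f "$key" ]; then
            check_mode 600 "$key" || bad=1
        fi
    done
    return "$bad"
}
```

Source the file and run `audit_ssh_dir` on the local machine and again on the server; each `FIX:` line is the `chmod` command to apply.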