
Secure SSH with key-based authentication and disable password login

Replace SSH passwords with key-based authentication and disable password login for stronger security.

Key-based SSH authentication is far more secure than passwords and allows you to log in without typing a password each time. This guide shows you how to set it up and disable password login entirely.

Generate an SSH Key Pair

SSH keys consist of two parts: a private key (kept on your computer) and a public key (placed on your VPS). The server uses these to verify your identity.

On macOS or Linux:

1. Generate a key pair
```bash
ssh-keygen -t ed25519 -C "youruser@your-server-ip"
```
Replace the email-like part with a label for your VPS (e.g., admin@myvps).

2. Accept the default location
- Press Enter when asked "Enter file in which to save the key"
- This saves to ~/.ssh/id_ed25519

3. Set a passphrase (optional but recommended)
- Enter a passphrase to protect the key, or press Enter to skip
- A passphrase adds a second layer of security (you'll type it once per session if you use ssh-agent)

The public key is saved as ~/.ssh/id_ed25519.pub.

On Windows (using Windows Terminal or PowerShell):

1. Generate a key pair
```powershell
ssh-keygen -t ed25519 -C "youruser@your-server-ip"
```

2. Accept the defaults
- Press Enter when asked for the file location
- This saves to C:\Users\YourUsername\.ssh\id_ed25519

3. Set a passphrase (optional but recommended)

Copy the Public Key to Your VPS

The public key (.pub file) needs to be on your server so it can verify logins signed with your private key. The private key itself never leaves your computer.

Automatic method (macOS/Linux):

1. Copy the key using ssh-copy-id
```bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub youruser@your-server-ip
```
This automatically adds your public key to the correct location on the server.

2. Enter your password when prompted (one last time!)

Manual method (all platforms):

1. Display your public key
```bash
cat ~/.ssh/id_ed25519.pub
```

2. Copy the output (the entire single-line string starting with ssh-ed25519)
3. Connect to your VPS via SSH using your password (as usual)

4. Add the key to your VPS
```bash
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
```

5. Paste your public key into the file (make sure it's a single line)
6. Save by pressing Ctrl + X, then Y, then Enter

7. Set permissions
```bash
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```

Test Key-Based Login

1. Disconnect from your current SSH session
```bash
exit
```

2. Try logging in with your key
```bash
ssh youruser@your-server-ip
```
- If you set a passphrase, you'll be prompted for it (not your VPS password)
- If it works, you're ready for the next step

3. Don't close this session yet!
- Keep it open while you disable passwords (so you have a backup if something goes wrong)

Disable Password-Based Login

Once key-based login works, disable password login to prevent attackers from guessing your password.

1. Edit the SSH configuration (in your open SSH session)
```bash
sudo nano /etc/ssh/sshd_config
```

2. Find and modify these lines (use Ctrl + W to search). If a line is commented out with a leading #, remove the # so the setting takes effect.

- Find PasswordAuthentication yes and change it to:
```
PasswordAuthentication no
```

- Find PubkeyAuthentication and ensure it says:
```
PubkeyAuthentication yes
```

- (Optional) Find PermitRootLogin and change it to:
```
PermitRootLogin no
```

3. Save the file
- Press Ctrl + X, then Y, then Enter

4. Reload SSH
```bash
# On Debian/Ubuntu the service unit is "ssh"; on RHEL, Fedora and Arch it is "sshd"
sudo systemctl restart ssh
```

5. Test in a new terminal window before closing your current one
- Open a new terminal/PowerShell on your local machine
- Try to log in:
```bash
ssh youruser@your-server-ip
```
- If it works, your old session is just a safety net—you can close it
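A check worth running between steps 3 and 4 above, as an added example that is not part of the original article: `sshd -T` prints the configuration sshd will actually use after merging the main file with any drop-ins under /etc/ssh/sshd_config.d/ (a drop-in there can quietly re-enable PasswordAuthentication). The function below reads that output and confirms the values this guide sets. It also checks KbdInteractiveAuthentication, which the article does not mention: with UsePAM enabled, leaving it on can still present a password-style prompt even when PasswordAuthentication is no (older OpenSSH releases call this keyword ChallengeResponseAuthentication, and the check accepts either). The `sshd -T` sample embedded in the block is constructed so the example runs offline, and the function name is a choice made for this example.

```bash
#!/bin/sh
# Added example (not from the article): verify effective sshd hardening.
# Real usage on the VPS:   sudo sshd -T | check_sshd_hardening

# Constructed sample of `sshd -T` output (lower-case keyword, then value).
# One setting is deliberately still weak so the example has something to flag.
SAMPLE_SSHD_T='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes'

# check_sshd_hardening reads `sshd -T` output on stdin, prints one line per
# setting, and returns the number of failed checks (0 means all good).
check_sshd_hardening() {
  cfg=$(cat)
  fails=0
  # Each rule: keyword(s) separated by "|", a space, then allowed value(s)
  # separated by "|". prohibit-password is accepted for PermitRootLogin because
  # it also blocks password logins as root, which is the point of this guide.
  for rule in \
      'passwordauthentication no' \
      'pubkeyauthentication yes' \
      'kbdinteractiveauthentication|challengeresponseauthentication no' \
      'permitrootlogin no|prohibit-password'; do
    keys=${rule%% *}
    allowed=${rule#* }
    got=''
    key=''
    # try each keyword alias until one is present in the output
    for k in $(printf '%s' "$keys" | tr '|' ' '); do
      key=$k
      got=$(printf '%s\n' "$cfg" | awk -v k="$k" '$1==k {print $2; exit}')
      if [ -n "$got" ]; then break; fi
    done
    if [ -z "$got" ]; then
      printf 'MISSING %s (not present in input; is this really sshd -T output?)\n' "$key"
      fails=$((fails+1))
    elif printf '%s\n' "$allowed" | tr '|' '\n' | grep -qx -- "$got"; then
      printf 'OK      %s %s\n' "$key" "$got"
    else
      printf 'WEAK    %s %s (expected: %s)\n' "$key" "$got" "$allowed"
      fails=$((fails+1))
    fi
  done
  return "$fails"
}

# Demo against the constructed sample; with real output, pipe `sudo sshd -T` in.
printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_hardening \
  || echo "$? check(s) failed; fix sshd_config before restarting"
```

Run `sudo sshd -t` as well before the restart in step 4: it validates the syntax of the edited file, so a typo cannot leave you with a daemon that refuses to start. From the new terminal in step 5, `ssh -o PasswordAuthentication=no -o PreferredAuthentications=publickey youruser@your-server-ip` proves that the key, and not a cached password, is what let you in.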

Optional: Move SSH to a Non-Standard Port (Advanced)

By default, SSH listens on port 22. Moving it to a less obvious port cuts down the automated login attempts that fill your logs. It does not stop a determined attacker (port scans find it quickly), so treat it as noise reduction, not as a substitute for the key-only setup above:

1. Edit /etc/ssh/sshd_config and find the line Port 22
```bash
sudo nano /etc/ssh/sshd_config
```

2. Change it to a different port (e.g., Port 2222)
- Choose a port above 1024 that isn't already in use

3. Open the port in your firewall (see Set up a UFW firewall on Ubuntu)

4. Reload SSH
```bash
sudo systemctl restart ssh
```

5. Update your connection string
- From now on, connect with the -p flag:
```bash
ssh -p 2222 youruser@your-server-ip
```

Troubleshooting

"Permission denied (publickey)"
- Verify the public key is in ~/.ssh/authorized_keys on the server
- Check that file permissions are exactly 600 and ~/.ssh is 700
- Ensure the key is a single line with no extra spaces

Can't connect after disabling passwords
- Use a recovery console provided by your hosting company
- Or restore /etc/ssh/sshd_config from a backup and try again

Passphrase prompt every time I SSH
- On macOS/Linux, use ssh-agent to cache your passphrase:
```bash
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_ed25519
```
- On Windows, the SSH Agent service handles this automatically (Services app)

What's Next?

  • Set up a firewall to further restrict network access (Set up a UFW firewall on Ubuntu)
  • Configure fail2ban to block repeated failed login attempts
  • Regularly update your system packages