Quiz Entry - updated: 2026.07.05
How do you switch from password to key-based SSH authentication?
Generate a key pair, push the public half to the server with ssh-copy-id, confirm key login works, then turn off PasswordAuthentication — in that order, so you never lock yourself out.
The sequence matters because the last step closes the password door behind you. If you disable passwords before confirming your key works, and the key is misconfigured, you have no way back in.
Steps to set up key-based authentication:
# 1. Generate key pair on client
ssh-keygen -t rsa -b 4096
# 2. Copy public key to server
ssh-copy-id user@server
# 3. Test key-based login
ssh user@server
# 4. (Optional) Disable password auth on server
sudo vim /etc/ssh/sshd_config
Important sshd_config settings:
# Disable root SSH login
PermitRootLogin no
# Require key auth
PasswordAuthentication no
After config changes:
sudo systemctl restart sshd
Best practices:
- Disable root login (
PermitRootLogin no) - Disable password auth after keys work
- Use
ssh-agentto cache key passphrase - Use strong passphrase on private key
Warning: Test key login works BEFORE disabling password auth, or you may lock yourself out!
Go deeper:
sshd_config(5) — PasswordAuthentication, PubkeyAuthentication, PermitRootLogin — the exact directives, defaults and allowed values.