LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does SSH public key authentication work?

The client proves its identity by signing a challenge with its private key; the server verifies that signature using the matching public key it already trusts — no password ever crosses the wire.

Key authentication rests on an asymmetric key pair: a private key that never leaves the client, and a public key that is freely copied to every server you want to reach. The two are mathematically linked — anything signed by the private key can be verified by the public key, but you cannot derive the private key from the public one.

What actually happens at login:

  1. The server finds your public key in its ~/.ssh/authorized_keys and sends a random challenge.
  2. The client signs that challenge with its private key (the key may itself be passphrase-protected).
  3. The server verifies the signature against the stored public key. A valid signature proves the client holds the private key, so it grants access.

(This is separate from the host key step earlier in the handshake, where the server proves its identity to the client and gets recorded in known_hosts.)

Key locations:

Key Location Shared?
Private key Client: ~/.ssh/id_rsa Never share!
Public key Server: ~/.ssh/authorized_keys Safe to share

Why use keys over passwords?

  • More secure (can't be brute-forced)
  • Enables passwordless automation
  • Can be revoked per-device
  • Required by many production servers

Generate keys:

ssh-keygen -t rsa -b 4096
ssh-copy-id user@server

Go deeper:

From Quiz: LIOS / User Management and Permissions | Updated: Jul 14, 2026