ssh-key authentication

intro

When connecting to a remote server, you have to authenticate yourself. The standard way to do this is by transmitting a password through an encrypted connection that is established between your local computer and the remote server. However, this is susceptible to man-in-the-middle attacks, meaning that your password can be intercepted. It is safer to use ssh-keys to authenticate yourself. (Note: this only verifies to the server that you are the correct person, not that the server you are logging into is the correct one. For that, you need to check the fingerprint of the server, which can be done automagically if you have signed gpg keys and are using the monkeysphere.)

how to set up an ssh-key for your local machine

On your local computer, you can generate a key by doing the following:

client:~$ ssh-keygen -t rsa -b 2048
Enter passphrase (empty for no passphrase): …
Enter same passphrase again: …

This creates both a public and a private key:

client:~$ ls -l .ssh
-rw------- 1 user user  1675 2007-01-24 14:41 id_rsa
-rw------- 1 user user   395 2007-01-24 14:41 id_rsa.pub

how to set up the ssh-key on the remote server

You should send `id_rsa.pub` to the server administrator. Alternatively, if you have access, you can place it on the server yourself:

client:~$ scp .ssh/id_rsa.pub user@remote.server:/home/user/

Then, you need to place it in your `authorized_keys` file:

client:~$ ssh remote.server
...
server:~$ cat id_rsa.pub >> .ssh/authorized_keys

You should now be able to log in using your ssh-key!
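
The server-side step above, written as a function that checks the file before appending it. This is an added example, not part of the original page; the name `install_pubkey` and its arguments are made up for illustration. It rejects a private key sent by mistake, sets the permissions sshd expects, and does not add the same key twice.

```shell
#!/bin/sh
# Added example, not from the original page. install_pubkey is a hypothetical name.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]; returns 1 if the key is rejected.
install_pubkey() {
    pub=$1; home=${2:-$HOME}
    ssh_dir=$home/.ssh; auth=$ssh_dir/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse a private key sent by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2; return 1
    fi

    # A public key file holds one line: "<type> <base64 blob> [comment]".
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "expected exactly one key line" >&2; return 1; }
    read -r type blob comment < "$pub" || true
    case $type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) echo "unexpected key type: $type" >&2; return 1 ;;
    esac
    # The blob starts with a 4-byte length field, so its base64 begins "AAAA".
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "malformed key blob" >&2; return 1 ;;
        AAAA*) ;;
        *) echo "malformed key blob" >&2; return 1 ;;
    esac

    # sshd's StrictModes check refuses keys when these are writable by others.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Skip the append if this exact blob is already authorized.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$auth"; then
        return 0
    fi
    printf '%s\n' "$type $blob${comment:+ $comment}" >> "$auth"
}

if [ "$#" -gt 0 ]; then install_pubkey "$@"; fi
```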

explanation

Using ssh-keys, a file on your local computer is used as a key to ‘unlock’ your access to the remote server. However, this file is also protected by a passphrase. Thus, when you enter your passphrase, you enter it only into your local computer to unlock this file, rather than transmitting it across the internet – where it could potentially be intercepted. This greatly reduces the opportunities for an attacker to gain access to your account on the remote server (for example, through ‘dictionary attacks’, in which the attacker tries to guess your password by using pre-existing lists of words).