// Tutorial //

How To Set Up SSH Keys on Ubuntu 12.04

Published on June 22, 2012 · Updated on December 15, 2021
Default avatar
How To Set Up SSH Keys on Ubuntu 12.04
Not using Ubuntu 12.04?Choose a different version or distribution.


The Secure Shell Protocol (or SSH) is a cryptographic network protocol that allows users to securely access a remote computer over an unsecured network.

Though SSH supports password-based authentication, it is generally recommended that you use SSH keys instead. SSH keys are a more secure method of logging into an SSH server, because they are not vulnerable to common brute-force password hacking attacks.

Generating an SSH key pair creates two long strings of characters: a public and a private key. You can place the public key on any server, and then connect to the server using an SSH client that has access to the private key.

When the public and private keys match up, the SSH server grants access without the need for a password. You can increase the security of your key pair even more by protecting the private key with an optional (but highly encouraged) passphrase.

Note: If you are looking for information about setting up SSH keys in your DigitalOcean account, please refer to our DigitalOcean product documentation on SSH Keys

Step 1 — Creating the Key Pair

The first step is to create a key pair on the client machine. This will likely be your local computer. Type the following command into your local command line:

  1. ssh-keygen -t ed25519
Generating public/private ed25519 key pair.

You will see a confirmation that the key generation process has begun, and you will be prompted for some information, which we will discuss in the next step.

Note: if you are on an older system that does not support creating ed25519 key pairs, or the server you’re connecting to does not support them, you should create a strong rsa keypair instead:

  1. ssh-keygen -t rsa -b 4096

This changes the -t “type” flag to rsa, and adds the -b 4096 “bits” flag to create a 4096 bit key.

Step 2 — Specifying Where to Save the Keys

The first prompt from the ssh-keygen command will ask you where to save the keys:

Enter file in which to save the key (/home/sammy/.ssh/id_ed25519):

You can press ENTER here to save the files to the default location in the .ssh directory of your home directory.

Alternately, you can choose another file name or location by typing it after the prompt and hitting ENTER.

Step 3 — Creating a Passphrase

The second and final prompt from ssh-keygen will ask you to enter a passphrase:

Enter passphrase (empty for no passphrase):

It’s up to you whether you want to use a passphrase, but it is strongly encouraged: the security of a key pair, no matter the encryption scheme, still depends on the fact that it is not accessible to anyone else.

Should a private key with no passphrase fall into an unauthorized user’s possession, they will be able to log in to any server you’ve configured with the associated public key.

The main downside to having a passphrase — typing it in — can be mitigated by using an ssh-agent service, which will temporarily store your unlocked key and make it accessible to the SSH client. Many of these agents are integrated with your operating system’s native keychain, making the unlocking process even more seamless.

To recap, the entire key generation process looks like this:

  1. ssh-keygen -t ed25519
Generating public/private ed25519 key pair. Enter file in which to save the key (/home/sammy/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/sammy/.ssh/id_ed25519 Your public key has been saved in /home/sammy/.ssh/id_ed25519.pub The key fingerprint is: SHA256:EGx5HEXz7EqKigIxHHWKpCZItSj1Dy9Dqc5cYae+1zc sammy@hostname The key's randomart image is: +--[ED25519 256]--+ | o+o o.o.++ | |=oo.+.+.o + | |*+.oB.o. o | |*. + B . . | | o. = o S . . | |.+ o o . o . | |. + . ... . | |. . o. . E | | .. o. . . | +----[SHA256]-----+

The public key is now located in /home/sammy/.ssh/id_ed25519.pub. The private key is now located in /home/sammy/.ssh/id_ed25519.

Step 4 — Copying the Public Key to Your Server

Once the key pair is generated, it’s time to place the public key on the server that you want to connect to.

You can copy the public key into the server’s authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and address:

  1. ssh-copy-id sammy@your_server_address

Once the command completes, you will be able to log into the server via SSH without being prompted for a password. However, if you set a passphrase when creating your SSH key, you will be asked to enter the passphrase at that time. This is your local ssh client asking you to decrypt the private key, it is not the remote server asking for a password.

Step 5 — Disabling Password-based SSH Authentication (Optional)

Once you have copied your SSH keys onto the server, you may want to completely prohibit password logins by configuring the SSH server to disable password-based authentication.

Warning: before you disable password-based authentication, be certain you can successfully log onto the server with your SSH key, and that there are no other users on the server using passwords to log in.

In order to disable password-based SSH authentication, open up the SSH configuration file. It is typically found at the following location:

  1. sudo nano /etc/ssh/sshd_config

This command will open up the file within the nano text editor. Find the line in the file that includes PasswordAuthentication (or create the line if it doesn’t exist), make sure it is not commented out with a # at the beginning of the line, and change it to no:

PasswordAuthentication no

Save and close the file when you are finished. In nano, use CTRL+O to save, hit ENTER to confirm the filename, then CTRL+X to exit.

Reload the sshd service to put these changes into effect:

  1. sudo systemctl reload sshd

Before exiting your current SSH session, make a test connection in another terminal to verify you can still connect.


In this tutorial we created an SSH key pair, copied our public key to a server, and (optionally) disabled password-based authentication completely.

For more information about SSH and the SSH service, including how to set up multifactor authentication, please read our related tutorials:

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.

Sign up
About the authors
Default avatar
Developer and author at DigitalOcean.

Default avatar
Developer and author at DigitalOcean.

Still looking for an answer?

Was this helpful?

For those who are trying to add a new key to an existing droplet - READ THIS!!!

If you are getting the “Permission denied (publickey)” when trying to copy your public key to the server, you likely have password authentication disabled in your droplet.

How to fix this: Log in to your DigitalOcean account and open the console for the drop you are trying to access. While inside the console do the following:

sudo vim /etc/ssh/sshd_config 

Scroll down to the very bottom and look for the following directives:

UsePAM yes
IgnoreUserKnownHosts no 
PasswordAuthentication no 

If UsePAM is set to ‘yes’ and PasswordAuthentication is set to ‘no’ change those to the opposite. It should read the following:

UsePAM no
IgnoreUserKnownHosts no 
PasswordAuthentication yes 

Then press esc, type : (colon), and type wq and hit enter
This will quit vim editor.

Now type reload ssh

Now go back to your terminal or putty and pick up at the step where it has you copying your local rsa public key to the server. You should now be presented with a request for a password instead of public key denied. Type in your droplet password and hit enter. You should know be inside your server.

Now you can change those settings back from Putty or Terminal by typing the following:

sudo vim /etc/ssh/sshd_config 

Change the directives back to what they were and press esc, type : (colon), and type wq and hit enter

reload ssh Again.

Now you can quit the session by typing exit and try to login with just ssh by typing: ssh username@dropletIP.

Now you should be able to access your server via SSH with your newly created SSH key!

This was a PITA to figure out, but that is what got it all done for me.

On a Mac you first need to do this brew install ssh-copy-id

If you don’t have ssh-copy-id but you have brew (osx)

brew install ssh-copy-id
ssh-copy-id user@

Without the simple command ssh-add this tutorial will drive you absolutely mad.

I would add that “PermitRootLogin without-password” only applies to root exclusively, and no other users, which is misleading, because all users are mentioned in the article:

“Within that file, find the line that includes PermitRootLogin and modify it to ensure that users can only connect with their SSH key:”

I tested myself, you can still log in with a password for non-root users, hence brute-force attacks are possible.

To disable password authentication, you must uncomment this line:

PasswordAuthentication no

There is an article about SSH login without password which in very detailed explanation. http://namhuy.net/2433/ssh-login-without-password.html

which one you prefer dsa or rsa?

OK, finally got a 'nix friend to help out. What I needed to do was to login with:

ssh -i ~/.ssh/digitalocean_rsa user@host

I’m on MacOS Mavericks and my droplet is Ubuntu 12.04.3. I generated a separate key name for this and I needed to confirm that this key was in my known_hosts file on my client machine. But none of it worked until I did the login passing in my private key and it added it to my Mac keychain.

You make a great tutorials, but you starting from recommendation changing ssh port, and that’s makes impossible to send the ssh key to remote host using the method you provide here… The same like you recomend to disable root login but don’t provide any solution how to manage files using sftp client, where you can’t “su root” to see the files.

Just a note on Debian, reload isn’t recognized, had to use sudo /etc/init.d/ssh restart