Ubuntu 18.04 Setup SSH Public Key Authentication

See all Ubuntu Linux related FAQ
I am a new Ubuntu 18.04 LTS user and I would like to setup ssh public key authentication. How do I set up ssh keys based authentication on Ubuntu Linux 18.04 LTS server? How do I set up SSH keys on an Ubuntu Linux 18.04 LTS server? In Ubuntu 18.04 LTS, how do I set up public key authentication?

Introduction: OpenSSH is a free and open source client/server technology for secure remote login. It is an implementation of the SSH protocol. OpenSSH divided into sshd (server) and various client tools such as sftp, scp, ssh and more. One can do remote login with OpenSSH either using password or combination of private and public keys named as public key based authentication. It is an alternative security method for user passwords. This method is recommended on a VPS, cloud, dedicated or even home-based server or laptop. This page shows how to set up SSH keys on Ubuntu 18.04 LTS server.
Tutorial details
Difficulty level Easy
Root privileges No
Requirements Ubuntu 18.04
Est. reading time 5 minutes

Ubuntu 18.04 Setup SSH Public Key Authentication

The procedure to set up secure ssh keys on Ubuntu 18.04:

  1. Create the key pair using ssh-keygen command.
  2. Copy and install the public key using ssh-copy-id command.
  3. Add yourself to sudo admin account on Ubuntu 18.04 server.
  4. Disable the password login for root account on Ubuntu 18.04.

Sample set up for SSH Keys on Ubuntu 18.04

Ubuntu 18.04 Setup SSH Public Key Authentication

Fig.01: How to set up SSH keys on Ubuntu 18.04 (sample setup)


  • – You store your public key on the remote hosts and you have an accounts on this Ubuntu Linux 18.04 LTS server.
  • Linux/macbook laptop – Your private key stays on the desktop/laptop/computer (or local server) you use to connect to server. Do not share or give your private file to anyone.

In public key based method you can log into remote hosts and server, and transfer files to them, without using your account passwords. Feel free to replace and client names with your actual setup. Enough talk, let’s set up public key authentication on Ubuntu Linux 18.04 LTS.

How to create the RSA/ed25519 key pair on your local desktop/laptop

Open the Terminal and type following commands if .ssh directory does not exists:
$ mkdir -p $HOME/.ssh
$ chmod 0700 $HOME/.ssh

Next generate a key pair for the protocol, run:
$ ssh-keygen
$ ssh-keygen -t rsa 4096 -C "My key for Linode server"
These days ED25519 keys are favored over RSA keys when backward compatibility is not needed:
$ ssh-keygen -t ed25519 -C "My key for Linux server # 42"
Ubuntu 18.04 create the RSA or ed25519 key pair

How to install the public key in Ubuntu 18.04 remote server

The syntax is as follows:
ssh-copy-id your-user-name@your-ubuntu-server-name
ssh-copy-id -i ~/.ssh/file.pub your-user-name@your-ubuntu-server-name

For example:
## for RSA KEY ##
ssh-copy-id -i $HOME/.ssh/id_rsa.pub user@
## for ED25519 KEY ##
ssh-copy-id -i $HOME/.ssh/id_ed25519.pub user@
## install SSH KEY for root user ##
ssh-copy-id -i $HOME/.ssh/id_ed25519.pub root@

I am going to install ssh key for a user named vivek (type command on your laptop/desktop where you generated RSA/ed25519 keys):
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub vivek@
Copy SSH Public Key to Ubuntu 18.04 LTS Server

Test it

Now try logging into the Ubuntu 18.04 LTS server, with ssh command from your client computer/laptop using ssh keys:
$ ssh your-user@your-server-name-here
$ ssh vivek@

Authenticate to Ubuntu 18.04 LTS Server Using SSH Keys

What are ssh-agent and ssh-add, and how do I use them on Ubuntu 18.04?

To get rid of a passphrase for the current session, add a passphrase to ssh-agent (see ssh-agent command for more info) and you will not be prompted for it when using ssh or scp/sftp/rsync to connect to hosts with your public key. The syntax is as follows:
$ eval $(ssh-agent)
Type the ssh-add command to prompt the user for a private key passphrase and adds it to the list maintained by ssh-agent command:
$ ssh-add
Enter your private key passphrase. Now try again to log into vivek@ and you will NOT be prompted for a password:
$ ssh vivek@

How to disable the password based login on a Ubuntu 18.04 server

Login to your server, type:
## client commands ##
$ eval $(ssh-agent)
$ ssh-add
$ ssh vivek@

Now login as root user:
$ sudo -i
$ su -i
Edit sshd_config file:
# vim /etc/ssh/sshd_config
# nano /etc/ssh/sshd_config
Find PermitRootLogin and set it as follows:
PermitRootLogin no
Save and close the file. I am going to add a user named vivek to sudoers group on Ubuntu 18.04 server so that we can run sysadmin tasks:
# adduser vivek sudo
Restart/reload the sshd service:
# systemctl reload ssh
You can exit from all session and test it as follows:
$ ssh vivek@
## become root on server for sysadmin task ##
$ sudo -i

How do I add or replace a passphrase for an existing private key?

To to change your SSH passphrase type the following command:
$ ssh-keygen -p

How do I backup my existing private/public SSH keys

Just copy files to your backup server or external USB pen/hard drive:

## Copy files to  home based nas server ##
rsync -avr $HOME/.ssh user@home.nas-server:/path/to/encrpted/nas/partition/
## Copy files to  usb pen drive mounted at /mnt/usb ##
cp -avr $HOME/.ssh/ /mnt/usb/backups/

How do I protect my ssh keys?

  1. Always use a strong passphrase.
  2. Do not share your private keys anywhere online or store in insecure cloud storage or gitlab/github servers.
  3. Restrict privileges of the account.

Tip: Create and setup an OpenSSH config file to create shortcuts for servers

See how to create and use an OpenSSH ssh_config file for more info.

How do I secure my OpenSSH server?

See “OpenSSH Server Best Security Practices” for more info.

Say hello to Keychain

Keychain is an OpenSSH key manager, typically run from ~/.bash_profile or any other shell startup file. When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/\$\{HOSTNAME\}-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary. See how to install and use keychain on Ubuntu or Debian Linux.


You learned how to create and install ssh keys for SSH key-based authentication for Ubuntu Linux 18.04 LTS server. See OpenSSH server documents here and here for more info.

🥺 Was this helpful? Please add a comment to show your appreciation or feedback.

nixCrat Tux Pixel Penguin
Hi! 🤠
I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

2 comments… add one
  • Carl Dec 16, 2020 @ 15:58

    Thanks for the clear and concise info! You made it very easy to find the commands I needed. Just one more bit of needed info – what is best practice for automatically adding the ssh key to the keyring so it survives a reboot? For both a single user and also for all users. I suspect that adding eval $(ssh-agent) and ssh-add to .profile and .bashrc would do the trick but I am unclear if that is the best practice. Thanks for any enlightenment.


Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.