Generating ed25519 SSH Keys
On a computer (Windows / Mac / Linux) that is not connected to the server via SSH (if it is, log out), in the command line or terminal, enter the command:
ssh-keygen -t ed25519 -C "your_email_address@example.com, PC name"
- the -t parameter defines the key type ed25519
- the optional -C parameter adds a comment linking the key to a specific user and computer.
Confirm/determine the new path and file name (so you can easily recognize them) where the keys will be stored and in the next step create, enter, and confirm by re-entering a security phrase, which will act as the actual password for the private SSH key. Be aware that if you forget the security phrase, it cannot be recovered.
Two SSH keys are generated in the folder specified in the previous step.
 Finding the Public Key
The public SSH key is a file with the ".pub" extension. Its contents can be accessed by opening it via the Command Line / Terminal.
On Windows
type %USERPROFILE%\.ssh\file_name.pub
On Mac / Linux
cat ~/.ssh/file_name.pub
The public key starts with the type "ssh-ed25519 AAAAC..."

Remotely Log into the Server Using Username and Password
- Connect the computer (from which we are remotely connecting) and the server (to which we are connecting) to the same local network (same router).
 - Remotely connect to the server
On Windows
- Start the Putty client installed on the computer, go to the "Sessions" tab.
- Fill in the "Host" field with the server's IP address (found in the router) and the port through which we connect to the server (default is 22 - we will disable it in later steps, but use it now).
- In the opened command line window, enter the username and password for connecting to the server (defined during server installation).

On Mac / Linux
- Start the terminal.
- In the terminal, enter the ssh command linking to the specific user, server IP, and port:
ssh username@server_ip -p 22
Note: The ssh command works with default key-based authentication. If it is not specified in the ssh command, the computer tries all known hosts. If there are many known hosts servers on the computer from which we are logging in, we might exceed the maximum number of attempts and get a denial from the server with the notification "Too many authentication failures" because none of the used keys was valid for our server. The fix is simple: clearly specify the authentication method, in this case, a password.
ssh -o IdentitiesOnly=yes -o PreferredAuthentications=password username@server_ip -p 22
- Enter the password to connect to the server (defined during server installation).
 
 
 Uploading the Public Key to the Server
- On the server, create a folder for storing public SSH keys with the command
mkdir -p ~/.ssh
- Open the authorized_keys file with the command
nano ~/.ssh/authorized_keys
and insert the public key found in step 1 (insert the entire line starting with ssh-ed25519 ...)
- Save and close the "authorized_keys" file by pressing ctrl+x.
- End the connection to the server with the command
exit

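With its default StrictModes setting, sshd refuses keys from an authorized_keys file when that file or ~/.ssh is writable by anyone other than the owner, so the upload steps are normally paired with explicit permissions. The following is an added example, not part of the original guide: a hypothetical install_pubkey helper that performs the same steps non-interactively, accepts only a single ssh-ed25519 public-key line (a pasted private key is rejected), and can be run twice without duplicating the entry.

```shell
#!/bin/sh
# Added example (not from the original guide).
# Usage: install_pubkey 'ssh-ed25519 AAAA... comment' [SSH_DIR]
# SSH_DIR defaults to ~/.ssh; the parameter exists so the helper can be
# tried against a scratch directory first.
install_pubkey() {
    key_line=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth_file=$ssh_dir/authorized_keys

    # Exactly one line is accepted; an embedded newline could smuggle in
    # a second authorized_keys entry.
    case $key_line in
        *'
'*) echo "refusing multi-line input" >&2; return 1 ;;
    esac

    # "ssh-ed25519 <base64 blob> [comment]". Every ed25519 blob starts
    # with the encoded key type, i.e. the "AAAAC..." prefix noted above.
    printf '%s\n' "$key_line" |
        grep -Eq '^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5[A-Za-z0-9+/]+=*( .*)?$' || {
            echo "not an ssh-ed25519 public key line" >&2
            return 1
        }

    # Owner-only permissions on the directory and the key file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Append only if this exact line is not already present.
    grep -qxF -- "$key_line" "$auth_file" ||
        printf '%s\n' "$key_line" >> "$auth_file"
}
```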
 Remote Login to the Server Using a Private SSH Key
On Windows
If using Windows OS and the Putty client, the format of the private key generated in step 1 (file without extension) is not supported by the Putty client. It is therefore necessary to convert it, as follows:
- Display the private key with the command
type %USERPROFILE%\.ssh\file_name
and copy it exactly as it is, including "-----BEGIN OPENSSH PRIVATE KEY-----" and "-----END OPENSSH PRIVATE KEY-----" into a .txt file, which we save.
- Download the program "puttygen.exe (a RSA and DSA key generation utility)" from the official Putty website.
- Open the downloaded "PuTTY Key Generator", at the bottom select the type "EdDSA" → (Ed25519). At the top bar, choose "File → Load private key". Switch to displaying "All Files (*.*)" and select the .txt file in which we saved the private key. Enter the passphrase, which was defined during the key creation. If everything goes through, we receive the notification "Successfully imported foreign key...".
- Press the "Save private key" button and save the private SSH key in a Putty-supported .ppk format again into the .ssh folder. If anything is unclear, the procedure with screenshots can be found here.
- Open Putty client, go to "Connections → SSH → Auth → Credentials" and in the "Private key file for authentication" field select "Browse" and choose the .ppk file saved in the previous step.
- Go to the "Session" section, fill in the "Host" and "Port" fields, and after pressing the "Open" button, in the newly opened command window, enter the username (login as:), at which point instead of a password request, we should see the identification of the public key, within which we are connecting with a request to insert the passphrase.
- Enter the passphrase and log in.

On Mac / Linux
ssh username@server_ip -p 22 -i ~/.ssh/private_key
 
SSHD configuration
SSH login settings for the entire system and individual users can be configured in the /etc/ssh/sshd_config file. It can be opened with the following command:
sudo nano /etc/ssh/sshd_config
Since the file is opened with sudo and with write permissions, your user password (the password you use to log into the server) may be required to open it.
The file /etc/ssh/sshd_config contains the settings that control SSH login, as described below. Although changing them does not automatically log you out, for security reasons it is advisable to be connected to the server in 2 instances (2 windows), so that if you log out of one as a test and cannot log in again, you can still revert the changes from the second window.
- If you have not opened the file /etc/ssh/sshd_config, open it with the command
sudo nano /etc/ssh/sshd_config
- Find the record #AuthorizedKeysFile and uncomment it by removing # from its start
- Find the record KbdInteractiveAuthentication and set it to no. Make sure it is not commented out (does not start with #)
- Find the record PasswordAuthentication yes and change it to no. Make sure it is not commented out (does not start with #)
- Ensure the record PermitRootLogin has the value prohibit-password (PermitRootLogin prohibit-password)
- Exit the file with the command ctrl+x and save upon exiting.
Enter the command
sudo sshd -T | grep -i passwordauthentication
and verify that it outputs "passwordauthentication no".
In this setting, it is possible to access the server using both username + private key, and traditionally username + password. If we want the option only using a private key, at the end of the file /etc/ssh/sshd_config it is necessary to define AuthenticationMethods publickey.
- Restart the SSH server
  - On Ubuntu 24.04
sudo systemctl restart ssh
  - On Ubuntu 22.04
sudo systemctl restart sshd
sudo systemctl restart ssh
- Log out with the command
logout
- When re-logging without a public key after entering your username, you should receive an error message "No supported authentication methods available (server sent: publickey)". When using a private key, the login should be successful.
- Note: Login using username and password is still possible locally - via a keyboard connected to the server
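An added example (not from the original guide) that extends the single grep check above to every directive changed in this section. The function name check_sshd_effective is hypothetical; it assumes the key-only variant with AuthenticationMethods publickey and reads the output of sshd -T, which reflects the effective configuration including any included files, on stdin.

```shell
#!/bin/sh
# Added example (not from the original guide).
# Usage: sudo sshd -T | check_sshd_effective
# Prints one line per problem; the exit status is the number of problems.
check_sshd_effective() {
    awk '
        BEGIN {
            # sshd -T prints lower-case "keyword value" lines.
            want["passwordauthentication"]       = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["authenticationmethods"]        = "publickey"
            # sshd -T may print prohibit-password under its older alias
            # without-password, so both spellings are accepted.
            want["permitrootlogin"] = "prohibit-password|without-password"
        }
        {
            key = tolower($1)
            val = $0
            sub(/^[^ \t]+[ \t]+/, "", val)   # keep everything after the keyword
            if (key in want) seen[key] = val
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s\n", k
                    bad++
                } else if (seen[k] !~ ("^(" want[k] ")$")) {
                    printf "FAIL %s is \"%s\"\n", k, seen[k]
                    bad++
                }
            }
            exit bad
        }'
}
```

Running it from the second open session before logging out of the first shows whether the restart picked up the intended values.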
 
- If you have not opened the file /etc/ssh/sshd_config, open it with the command
sudo nano /etc/ssh/sshd_config
- At the end of the file, insert the following definition:
Match User <specificUserName>
    ChallengeResponseAuthentication yes
    AuthenticationMethods keyboard-interactive
This directive overrides the following global settings for user <specificUserName>:
  - PasswordAuthentication no to yes
  - AuthenticationMethods to keyboard-interactive (password + Google 2FA)
- Exit the file with the command ctrl+x and save upon exiting.
- Restart the SSH server
  - On Ubuntu 24.04
sudo systemctl restart ssh
  - On Ubuntu 22.04
sudo systemctl restart sshd
sudo systemctl restart ssh

Check authentication log
If you face any issue logging in any user over SSH, check the authentication log.
sudo tail -f /var/log/auth.log