RSA Keys for SSH Authentication
Learn how to generate and use RSA keys for SSH authentication. Understand key generation, configuration, agent forwarding, and security best practices for SSH access.
Detailed Explanation
SSH (Secure Shell) is one of the most common uses for RSA key pairs. Public key authentication replaces password-based login with a more secure and convenient mechanism.
How SSH Key Authentication Works
- You generate an RSA key pair on your local machine
- The public key is placed on the remote server (~/.ssh/authorized_keys)
- During connection, the server challenges your client to prove it holds the private key
- The client signs the challenge with the private key; the server verifies with the public key
- No password is transmitted over the network
Generating SSH RSA Keys
# Generate a 4096-bit RSA key pair for SSH
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# This creates:
# ~/.ssh/id_rsa (private key)
# ~/.ssh/id_rsa.pub (public key)
Key Configuration
# Copy public key to remote server
ssh-copy-id -i ~/.ssh/id_rsa.pub user@server.example.com
# Or manually append to authorized_keys
cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
SSH Config for Multiple Keys
# ~/.ssh/config
Host production
    HostName prod.example.com
    User deploy
    IdentityFile ~/.ssh/id_rsa_prod
    IdentitiesOnly yes
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github
Security Best Practices
- Use a passphrase — protects the private key if the file is compromised
- Use ssh-agent — avoids retyping the passphrase for every connection
- Set file permissions — chmod 700 ~/.ssh and chmod 600 ~/.ssh/id_rsa
- Disable password auth — once keys are set up, disable PasswordAuthentication in sshd_config
- Rotate keys periodically — replace old keys and remove unused entries from authorized_keys
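To support the rotation step above, the following added example (not code from the original page) parses authorized_keys entries, reads the RSA modulus size out of each key blob, and reports keys below a policy threshold. The function names, the 3072-bit default, and the sample entries are assumptions made for illustration; the sample keys are constructed numbers, not real RSA keys.

```python
import base64
import struct

def read_field(buf, off):
    """Read one SSH wire-format field: 4-byte big-endian length, then the data."""
    (size,) = struct.unpack_from(">I", buf, off)
    if off + 4 + size > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + size], off + 4 + size

def inspect_key(line):
    """Return (key_type, rsa_bits or None, comment) for one authorized_keys line."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            ktype, off = read_field(blob, 0)
        except (ValueError, struct.error):  # options may precede the key; skip non-blobs
            continue
        if ktype == tokens[i].encode():  # embedded type must match the token before it
            bits = None
            if ktype == b"ssh-rsa":  # blob layout: type, exponent e, modulus n
                _e, off = read_field(blob, off)
                bits = int.from_bytes(read_field(blob, off)[0], "big").bit_length()
            return tokens[i], bits, " ".join(tokens[i + 2:])
    raise ValueError("no public key found in line")

def audit(text, min_rsa_bits=3072):  # 3072 is an assumed policy threshold
    """Return (line_no, bits, comment) for every RSA key below min_rsa_bits."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            _ktype, bits, comment = inspect_key(line)
            if bits is not None and bits < min_rsa_bits:
                findings.append((no, bits, comment))
    return findings

def mpint(x):
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")  # extra room so the sign bit is 0
    return struct.pack(">I", len(raw)) + raw

def sample_rsa_line(bits, comment):
    """Constructed test data: a number of the right size, not a real RSA modulus."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = ("# constructed authorized_keys content\n"
          + sample_rsa_line(4096, "deploy@prod") + "\n"
          + 'command="echo hi",no-pty ' + sample_rsa_line(2048, "old-laptop"))
```

Calling audit(SAMPLE) flags the 2048-bit entry on line 3; pass the contents of a real authorized_keys file and your own min_rsa_bits to review a server.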
RSA vs Ed25519 for SSH
While Ed25519 is increasingly preferred for SSH (smaller keys, faster operations), RSA-4096 remains widely supported and is required by some legacy systems and compliance frameworks.
Use Case
SSH key authentication is used daily by developers and system administrators for server access, Git operations, CI/CD deployments, and automated scripts. RSA keys are the most widely supported key type across SSH implementations, making them the safe default choice when broad compatibility is required.