Password-based SSH authentication is vulnerable to brute-force attacks and credential stuffing. SSH key-based authentication replaces passwords with a cryptographic key pair: a private key that stays on your local machine and a public key placed on the server. Even if an attacker discovers your server’s IP and SSH port, they cannot log in without the corresponding private key. This guide walks through generating a modern Ed25519 key pair, deploying the public key to a RHEL 8 server, tightening sshd configuration to disable password login, managing multiple keys in authorized_keys, and using a local ~/.ssh/config file to create convenient SSH aliases.
Prerequisites
- A RHEL 8 server with a non-root sudo user and SSH access (see the Initial Server Setup guide)
- A local workstation running Linux, macOS, or Windows with OpenSSH installed
- Ability to run commands on both the local workstation and the remote server
Step 1 — Generate an Ed25519 Key Pair
Run the following on your local workstation, not the server. Ed25519 keys are smaller and faster than RSA while offering equivalent or better security. The -C flag adds a comment to help you identify the key later.
ssh-keygen -t ed25519 -C "[email protected]"
You will be prompted for a save location (accept the default ~/.ssh/id_ed25519) and an optional passphrase. A passphrase encrypts the private key on disk — use one for any key that accesses production servers. The command produces two files:
# Private key (never share this)
~/.ssh/id_ed25519
# Public key (safe to distribute)
~/.ssh/id_ed25519.pub
Step 2 — Copy the Public Key to the Server
The easiest method is ssh-copy-id, which appends the public key to ~/.ssh/authorized_keys on the server and sets correct permissions automatically. Run this on your local workstation.
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip
If ssh-copy-id is unavailable, copy the key manually:
# On the server, create the .ssh directory and authorized_keys file
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "paste_your_public_key_here" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Step 3 — Verify Key-Based Login Before Disabling Passwords
Test the key login from your workstation before disabling password authentication. If something is misconfigured you will still be able to log in with your password to fix it.
ssh -i ~/.ssh/id_ed25519 username@server_ip
A successful connection that does not prompt for a password (or only asks for your key passphrase) confirms the key is working.
Step 4 — Harden sshd_config
With key login confirmed, edit /etc/ssh/sshd_config on the server so that the following directives are set. The sed commands below make the changes in place; the file is owned by root, so they need sudo. They disable password authentication and make public key authentication explicit. Keep your current SSH session open while you restart sshd: established sessions survive the restart, so you can test a fresh login from a second terminal before closing the one you still hold.
# Enable public key authentication (already the default, but make it explicit)
sudo sed -i 's/^#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
# Disable password authentication (the directive may be commented out or already active)
sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
# Verify both settings (only active, uncommented lines are shown)
sudo grep -E '^PubkeyAuthentication|^PasswordAuthentication' /etc/ssh/sshd_config
# Restart SSH to apply changes
sudo systemctl restart sshd
Step 5 — Add Multiple Keys
You can authorize multiple public keys — for example, your desktop and your laptop — by appending each key on its own line in ~/.ssh/authorized_keys on the server.
# On the server, append a second key
echo "ssh-ed25519 AAAA...secondkey== [email protected]" >> ~/.ssh/authorized_keys
# Each line is one key; verify the file
cat ~/.ssh/authorized_keys
To revoke a key, delete the corresponding line from authorized_keys.
Step 6 — Create a Local SSH Config File for Aliases
A ~/.ssh/config file on your workstation lets you create short aliases for hosts, specify which key to use per host, and set other per-connection options. This eliminates the need to remember IP addresses and key paths.
# ~/.ssh/config
Host myserver
    HostName 203.0.113.10
    User username
    IdentityFile ~/.ssh/id_ed25519
    Port 22

Host staging
    HostName 203.0.113.20
    User deploy
    IdentityFile ~/.ssh/id_ed25519_staging
    Port 2222
Set the correct permissions on the config file, then connect using the alias:
chmod 600 ~/.ssh/config
ssh myserver
Conclusion
Your RHEL 8 server now accepts only SSH key-based authentication. You generated an Ed25519 key pair, deployed the public key with ssh-copy-id, disabled password login in sshd_config, and configured a local ~/.ssh/config for convenient host aliases. Combined with a strong key passphrase and the wheel group for privilege escalation, your server is significantly harder to compromise through SSH.
Next steps: How to Configure Fail2Ban to Protect SSH on RHEL 8, How to Configure the Firewall on RHEL 8, and Initial Server Setup with RHEL 8.