T
ssh security linux devops sysadmin

The Ultimate Guide to SSH Key Management and Security

Master SSH key generation and management. Learn about SSH key generators, authorized_keys and known_hosts formats, and best practices for securing your servers.

2026-04-12

The Ultimate Guide to SSH Key Management and Security

Secure Shell (SSH) is the standard protocol for managing Linux servers. While passwords can be used, SSH keys provide a significantly more secure and convenient alternative. However, managing these keys correctly—from generation to rotation—is critical for maintaining a robust security posture.

This guide covers everything you need to know about SSH keys, from basic generation to advanced management strategies.

1. Generating Secure Keys

The first step in SSH security is choosing the right algorithm and generating a strong key pair.

SSH Key Generator Online

While an SSH key generator online is convenient for testing or quickly creating a key pair, you should never use a web-based tool for production keys. Always generate your private keys locally on your machine to ensure that they are never transmitted over the network.

Ssh-keygen Command Builder

The standard tool for generating keys is ssh-keygen. An ssh-keygen command builder can help you choose the best parameters. Today, you should favor Ed25519 over the older RSA.

Recommended command for a modern, secure key:

ssh-keygen -t ed25519 -C "[email protected]"

If you must use RSA for compatibility with older systems, ensure it is at least 4096 bits:

ssh-keygen -t rsa -b 4096

2. Managing Access: Authorized_keys Format

The authorized_keys file, typically located in ~/.ssh/, determines which public keys are allowed to log in as a specific user.

Authorized_keys Format

A single entry in the authorized_keys format consists of three parts:

  1. Options (Optional): Restrict what the key can do (e.g., from="1.2.3.4", no-agent-forwarding).
  2. Key Type: The algorithm (e.g., ssh-ed25519 or ssh-rsa).
  3. Public Key Data: The actual base64-encoded key.
  4. Comment (Optional): A label to identify the key (usually an email or hostname).

Example with a restriction:

from="192.168.1.0/24" ssh-ed25519 AAAAC3Nza... [email protected]

3. Verifying Servers: Known_hosts Format

While authorized_keys is for client authentication, the known_hosts file is for server authentication. It protects you from Man-in-the-Middle (MITM) attacks.

Known_hosts Format

The known_hosts format maps a server's hostname or IP address to its public host key. When you first connect to a server, SSH asks you to verify the host's fingerprint. Once accepted, the key is added to ~/.ssh/known_hosts. If the server's key ever changes, SSH will warn you and block the connection.

Format of an entry:

[hostname],[IP] ssh-ed25519 AAAAC3Nza...

4. Best Practices for SSH Security

  • Use a Passphrase: Always protect your private key with a strong passphrase. Even if your key is stolen, it will be useless without the passphrase.
  • Disable Password Authentication: Once you have SSH keys working, disable password logins in /etc/ssh/sshd_config by setting PasswordAuthentication no.
  • Rotate Keys Regularly: Like passwords, SSH keys should be changed periodically, especially when employees leave the company.
  • Use SSH Agent: Use ssh-agent to store your decrypted keys in memory, so you don't have to type your passphrase for every connection.
  • Implement a Jump Server (Bastion Host): Instead of exposing all your servers to the public internet, use a single, hardened entry point.

5. Summary

By mastering SSH key generators and understanding the authorized_keys and known_hosts formats, you can significantly reduce the risk of unauthorized access to your infrastructure. Moving beyond passwords to key-based authentication is the single most important step in securing any Linux-based environment.

Back to Blog