SSH Key Setup Script


Quick Answer

SSH key authentication replaces password login with a cryptographic key pair. The private key stays on your machine; the public key goes to the server. The ssh-keygen command generates both: ssh-keygen -t ed25519 -C "your@email.com" creates an Ed25519 key pair, the recommended type in 2026 because it is faster and more secure than RSA 2048. The -N "" flag skips the passphrase prompt for non-interactive generation. Once generated, ssh-copy-id user@server-ip appends your public key to ~/.ssh/authorized_keys on the remote host, enabling passwordless login. The .ssh directory must be chmod 700, the private key must be chmod 600, and the public key must be chmod 644 — SSH refuses to use keys with looser permissions as a security measure. Without key-based auth, every login requires a password that can be brute-forced or leaked. Works on Ubuntu 22.04 LTS, Debian 12, Fedora 39, CentOS 9, and macOS Ventura — ssh-keygen and ssh-copy-id are pre-installed on all of them.

The Script

Save as ssh-key-setup.sh. Leave REMOTE_USER empty to only generate and display keys; set it to you@203.0.113.10 (for example) to run ssh-copy-id automatically after generation.

```bash
#!/bin/bash
CHECK="✓"
CROSS="✗"

# --- Configuration ---
KEY_TYPE="ed25519"      # Recommended: ed25519 (modern) or rsa (legacy)
KEY_BITS="4096"         # Only used for RSA keys
KEY_COMMENT="$(whoami)@$(hostname)-$(date '+%Y%m%d')"
KEY_FILE="$HOME/.ssh/id_${KEY_TYPE}"
REMOTE_USER=""          # Set to: user@server-ip to auto-copy key
                        # Leave empty to skip remote copy

echo "SSH Key Setup Script"
echo "===================="

# --- Create .ssh directory with correct permissions ---
mkdir -p "$HOME/.ssh"
chmod 700 "$HOME/.ssh"
echo "$CHECK .ssh directory ready (chmod 700)"

# --- Check if key already exists ---
if [ -f "$KEY_FILE" ]; then
  echo "$CROSS Key already exists at $KEY_FILE"
  echo "  Delete it first if you want a new key: rm $KEY_FILE ${KEY_FILE}.pub"
  exit 0
fi

# --- Generate the key ---
# Only RSA takes a bit length (Ed25519 keys have a fixed size), so -b is
# passed to ssh-keygen only when KEY_TYPE is rsa.
KEYGEN_OPTS=()
if [ "$KEY_TYPE" = "rsa" ]; then
  KEYGEN_OPTS=(-b "$KEY_BITS")
fi
echo "Generating ${KEY_TYPE} key..."
if ssh-keygen -t "$KEY_TYPE" "${KEYGEN_OPTS[@]}" -C "$KEY_COMMENT" -f "$KEY_FILE" -N ""; then
  echo "$CHECK Key generated: $KEY_FILE"
  chmod 600 "$KEY_FILE"
  chmod 644 "${KEY_FILE}.pub"
  echo "$CHECK Permissions set (private: 600, public: 644)"
else
  echo "$CROSS Key generation failed"
  exit 1
fi

# --- Display public key ---
echo ""
echo "Your public key (copy this to your server or DigitalOcean):"
echo "-----------------------------------------------------------"
cat "${KEY_FILE}.pub"
echo "-----------------------------------------------------------"

# --- Optional: copy to remote server ---
if [ -n "$REMOTE_USER" ]; then
  echo "Copying public key to $REMOTE_USER..."
  if ssh-copy-id -i "${KEY_FILE}.pub" "$REMOTE_USER"; then
    echo "$CHECK Key copied to $REMOTE_USER"
    echo "$CHECK Test with: ssh $REMOTE_USER"
  else
    echo "$CROSS Copy failed — check that $REMOTE_USER is reachable"
  fi
fi

echo ""
echo "Done. Connect with: ssh -i $KEY_FILE user@your-server"
```

Adding this key to DigitalOcean

Copy the public key output above → DigitalOcean Control Panel → Settings → Security → SSH Keys → Add SSH Key. Next time you create a Droplet, select this key and you'll connect without a password.

Step-by-Step Setup

Step 1 — Save the script

```bash
nano ssh-key-setup.sh
```

Paste the script above, then press Ctrl+X → Y → Enter to save.

Step 2 — Choose your setup mode

The script has two modes controlled by the REMOTE_USER variable at the top:

| Goal | What to set |
|---|---|
| Generate a key locally only | Leave `REMOTE_USER=""` empty |
| Generate and copy to a server | Set `REMOTE_USER="user@server-ip"`, e.g. `root@203.0.113.10` |

For local-only key generation, no server is needed. To deploy to a server automatically, set REMOTE_USER before running.

Step 3 — Make it executable and run it

```bash
chmod +x ssh-key-setup.sh
./ssh-key-setup.sh
```

A successful run shows:

```text
SSH Key Setup Script
====================
✓ .ssh directory ready (chmod 700)
Generating ed25519 key...
✓ Key generated: /home/user/.ssh/id_ed25519
✓ Permissions set (private: 600, public: 644)

Your public key (copy this to your server or DigitalOcean):
-----------------------------------------------------------
ssh-ed25519 AAAA...your-key...== user@hostname-20260603
-----------------------------------------------------------
```

Step 4 — Test the connection

If you set REMOTE_USER and the copy succeeded:

```bash
ssh user@server-ip
```

You should connect without being prompted for a password. If it asks for a password, the key copy did not work — check that ~/.ssh/authorized_keys exists on the remote server and contains your public key.

Once key-based login works, remove the password attack surface entirely. On the remote server:

```bash
sudo nano /etc/ssh/sshd_config
```

Set these two lines:

```text
PasswordAuthentication no
PubkeyAuthentication yes
```

Restart SSH to apply:

```bash
sudo systemctl restart sshd
```

Test your key login in a second terminal before closing the current session — if anything is wrong you still have an open connection to fix it.

Test in a second terminal before closing

Always verify key-based login works in a new terminal before disabling password auth. If your key is not working and you close your current session, you are locked out.

How It Works

mkdir -p "$HOME/.ssh" creates the SSH config directory if it is missing; -p avoids errors when the path already exists and creates parent directories when needed.

chmod 700 ~/.ssh means only your user can read, write, or enter that folder — SSH expects a locked-down home for keys. chmod 600 on the private key restricts read/write to you alone; chmod 644 on .pub lets you share or paste the public half safely while keeping it world-readable (normal for public keys).

ssh-keygen ... -N "" sets an empty passphrase so generation is non-interactive; remove -N "" (or use -N with a quoted passphrase) when you want the key protected at rest.

ssh-copy-id -i "${KEY_FILE}.pub" "$REMOTE_USER" logs into the remote host (you'll need password auth or another working key the first time), appends your public key to ~/.ssh/authorized_keys, and fixes remote permissions so passwordless login works on the next ssh.
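Two pre-flight checks worth running before you restart sshd with password login disabled, added here as an example and not part of the original snippet: the first verifies the 700/600/644 permissions described above, the second reads the value sshd will actually use for PasswordAuthentication and PubkeyAuthentication from an sshd_config, honouring sshd's rule that the first occurrence of a keyword wins. Function names and the "bad:" message format are this example's own choices.

```shell
#!/bin/bash
# Added example, not part of the original snippet: pre-flight checks to run
# before restarting sshd with PasswordAuthentication no. Function names and
# the "bad:" message format are this example's own choices.

# has_mode <path> <octal mode>: exact-mode test that behaves the same with
# GNU and BSD find, avoiding the stat(1) flag differences between Linux and macOS.
has_mode() {
  [ -n "$(find "$1" -maxdepth 0 -perm "$2" 2>/dev/null)" ]
}

# check_key_perms <private key path>: verifies what the text requires,
# .ssh 700, private key 600, public key 644. Prints each violation, returns 1 on any.
check_key_perms() {
  local dir ok=0
  dir="$(dirname "$1")"
  has_mode "$dir" 700     || { echo "bad: $dir should be 700";     ok=1; }
  has_mode "$1" 600       || { echo "bad: $1 should be 600";       ok=1; }
  has_mode "$1.pub" 644   || { echo "bad: $1.pub should be 644";   ok=1; }
  return "$ok"
}

# sshd_setting <keyword> <sshd_config path>: prints the value sshd will use.
# sshd honours the FIRST occurrence of a keyword (outside Match blocks), so a
# "PasswordAuthentication no" appended at the bottom loses to an earlier "yes".
# Only the given file is read; where an Include pulls in sshd_config.d/*.conf
# (Ubuntu does this), confirm with: sudo sshd -T | grep -i authentication
sshd_setting() {
  awk -v key="$1" '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
    tolower($1) == "match"      { exit }          # conditional block: stop here
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$2"
}

# sshd_hardened <sshd_config path>: true only if password login is off and
# public-key login is on. Both keywords default to yes when absent.
sshd_hardened() {
  local pw pk
  pw="$(sshd_setting PasswordAuthentication "$1")"
  pk="$(sshd_setting PubkeyAuthentication "$1")"
  [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}
```

Run `check_key_perms ~/.ssh/id_ed25519` on the client and `sshd_hardened /etc/ssh/sshd_config` on the server from your second terminal before closing the existing session.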

Variations

1. Generate RSA 4096 key

Set KEY_TYPE="rsa" at the top of the script. RSA keys need a bit length, which ssh-keygen takes as -b "$KEY_BITS"; make sure the ssh-keygen line passes it when KEY_TYPE is rsa (the script already defines KEY_BITS=4096 for that case).

2. Key with passphrase

Remove -N "" from the ssh-keygen line so the tool prompts for a passphrase interactively, or supply one with -N 'your-secure-passphrase' if you are scripting in a secure environment.

3. Multiple servers

Replace the single REMOTE_USER string with a bash array and loop:

```bash
REMOTE_USERS=("alice@10.0.0.1" "alice@10.0.0.2")
for u in "${REMOTE_USERS[@]}"; do
  ssh-copy-id -i "${KEY_FILE}.pub" "$u"
done
```

Frequently Asked Questions

How do I generate an SSH key in Linux?

Run: ssh-keygen -t ed25519 -C 'your@email.com' — Ed25519 is the recommended key type in 2026. Press Enter to accept defaults or set a passphrase for extra security.

How do I copy my SSH key to a remote server?

Use: ssh-copy-id user@server-ip — this copies your public key to ~/.ssh/authorized_keys on the remote server.

What permissions should SSH keys have?

Your private key (~/.ssh/id_ed25519) must be 600. Your .ssh directory must be 700. Wrong permissions will cause SSH to refuse the key.

What is the difference between RSA and Ed25519 SSH keys?

Ed25519 is newer, faster, and more secure than RSA 2048. Use Ed25519 for new keys in 2026. RSA 4096 is acceptable if Ed25519 isn't supported.

How do I add an SSH key to a DigitalOcean Droplet?

Generate your key with ssh-keygen, copy the public key content from ~/.ssh/id_ed25519.pub, then paste it in the DigitalOcean control panel under Settings → Security → SSH Keys before creating a Droplet.


Written by Anguishe

Creator of BashSnippets.xyz

bashsnippets.xyz/about
