This is a translation of my German article.

SSH is a secure way to connect to a remote system, e.g. for administration or remote working. The communication between these two workstations is encrypted, so an enemy is not able to intercept/spy on the transferred data.

Although the password that is sent to access the other system is encrypted, it’s still possible to brute force it. To decrease this risk one can turn off password authentication and just allow the authentication via SSH keys, so that the access is only possible for people that have a specific private keys. It is much harder to guess such a private key than guessing a password.

To create such a key pair, containing a private and a public key, just run ssh-keygen -t rsa -b 4096 in your terminal. This command will create an RSA-key width 4096 bits (the more bits the harder to guess the key). The output may look like this:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
16:59:cb:9f:55:b1:39:ee:b3:72:14:19:13:5c:60:4d user@abakus
The key's randomart image is:
+--[ RSA 4096]----+
|            . +*E|
|         + . . =+|
|          o o .++|
|     .  .    o.o.|
|           S o ..|
|         . ..    |
|        .o       |
|       .       .o|
|        o.       |

Congratulations, your are now owner of a 4096 bit SSH-key! It is not necessary to assign a passphrase, so you can connect to the server without any password. But if anyone can get access to your private key he is also able to connect to any server that knows your public key! So it is very insecure and I recommend using a passphrase. For more options see man ssh-keygen.

If you now take a look in your $HOME/.ssh/ directory you’ll find two keys, a public key named and a private key id_rsa. This private key is just for you, don’t share it with anyone!

To publish the public key, you can use the ssh-copy-id tool:

user@abakus ~ $ ssh-copy-id user@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 34:cd:e7:95:48:75:d4:16:86:84:19:f0:b4:d3:2c:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
user@'s password:
Now try logging into the machine, with "ssh 'user@'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

All that it does is appending the contents of your public key to the $HOME/.ssh/authorized_keys file of the user on the remote system (here remote is If you don’t have the ssh-copy-id tool, you can do it manually but copying the contents of to the authorized_keys file of the remote user..

At the next login I don’t have to provide the password to the remote account, I only need the passphrase for the private key:

user@abakus ~ $ ssh user@
Enter passphrase for key '/home/user/.ssh/id_rsa':
Linux siduxbox 2.6.30-4.slh.1-sidux-amd64 #1 SMP PREEMPT Sun Aug 2 09:58:18 UTC 2009 x86_64
Last login: Wed Aug 19 12:12:18 2009 from
user@siduxbox ~ $

If you didn’t supply a passphrase for the key you’ll never get asked for one.

Last but not least we can disable the password authentication with the following settings in /etc/ssh/sshd_config :

PasswordAuthentication no
UsePAM no

From now on, only people that have private keys, compatible to those public keys stored in $HOME/.ssh/authorized_keys on the server, can access the remote machine.

Martin Scharm

stuff. just for the records.

Do you like this page?
You can actively support me!

1 comment

zeon | Permalink |

hi im following the native ssh server tutorial that youve made and im on the step of creating the keys. im using lineage os 11 on an galaxy s4 GT-I9515.

i cannot find a “$home” path on the s4 or a file structure that comes close to the old fashioned linux like to where i can copy the ssh keys that i created in a makeshift folder in the root filesystem. there seem to be “user” folders in /data/user and /data/user_de labeled by numbers with a bunch of “” folders in them which seem to be only apps and no direct user create files such as “test” folders that ive created in one of the lineage users.

more so, i am also not able to copy the the keys to my windows machine with adb pull as the keys dont show up in any directory that i give it.

would you be willing to help out a soon-to-be IT hobbyist? :)

Leave a comment

There are multiple options to leave a comment: