SSH Key Authentication

SSH keys are a more secure and more convenient alternative to password-based login. Instead of typing a password every time you connect, your device proves its identity using a cryptographic key pair. This guide covers why you should use keys, how to generate them, and how to set them up in RemoteConsoleSSH.

Why Use SSH Keys?

Password authentication has several weaknesses that keys solve:

No brute-force risk -- Passwords can be guessed. SSH keys are cryptographic secrets that are effectively impossible to brute-force. An ed25519 key has roughly 2^256 possible values -- no attacker is guessing that.
No password to transmit -- With keys, your secret (the private key) never leaves your device. The server verifies your identity through a cryptographic challenge-response, so there is nothing to intercept.
Convenience -- Once set up, you connect without typing anything. No passwords to remember or mistype.
Per-device control -- Each device has its own key pair. If you lose a device, you revoke that one key without changing passwords everywhere.

💡

Tip

If your SSH server is exposed to the internet (not behind Tailscale), switching to key-only authentication and disabling password login is one of the most important security steps you can take.

Key Types

There are two key types you will encounter:

Type	Algorithm	Key Size	Recommendation
ed25519	EdDSA (Curve25519)	256-bit	Recommended -- modern, fast, small keys
RSA	RSA	2048-4096 bit	Legacy -- widely supported, larger keys

ed25519 is the modern standard. It generates smaller keys, signs faster, and is considered more secure than RSA at equivalent security levels. Use ed25519 unless you have a specific reason to need RSA (e.g., connecting to a very old server that does not support it).

Generate a Key Pair

Generate the Key

Open Terminal and run:

ssh-keygen -t ed25519 -C "your-email@example.com"

You will be prompted for:

File location -- Press Enter to accept the default (~/.ssh/id_ed25519).
Passphrase -- Optional but recommended. A passphrase encrypts your private key on disk, so even if someone gets access to the file, they cannot use it without the passphrase. On macOS, the Keychain can remember this for you.

This creates two files:

~/.ssh/id_ed25519 -- Your private key. Never share this file.
~/.ssh/id_ed25519.pub -- Your public key. This goes on the server.

Add to SSH Agent (Optional)

If you set a passphrase, add the key to the macOS SSH agent so you do not have to type the passphrase every time:

eval "$(ssh-agent -s)"
ssh-add --apple-use-keychain ~/.ssh/id_ed25519

The --apple-use-keychain flag stores the passphrase in macOS Keychain so it persists across reboots.

Copy Your Public Key to the Server

The public key needs to be added to the ~/.ssh/authorized_keys file on the machine you want to connect to. There are several ways to do this.

Method 1: ssh-copy-id (macOS and Linux)

The easiest method. Run this from the machine where you generated the key:

ssh-copy-id username@hostname

Replace username and hostname with your credentials. For example:

ssh-copy-id john@my-macbook.local
ssh-copy-id john@100.64.0.1

You will be prompted for your password one last time. After this, future connections will use key authentication.

Method 2: Manual Copy (All Platforms)

If ssh-copy-id is not available (e.g., on Windows), you can copy the key manually:

cat ~/.ssh/id_ed25519.pub | ssh username@hostname "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

On Windows PowerShell, use:

type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh username@hostname "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Method 3: Copy and Paste

If the above methods do not work, you can manually copy the contents of your public key:

Display the public key:
```
cat ~/.ssh/id_ed25519.pub
```
Copy the entire output (it starts with ssh-ed25519 and ends with your email).
SSH into the server with your password.

Open (or create) the authorized keys file:

mkdir -p ~/.ssh && nano ~/.ssh/authorized_keys

Paste the public key on a new line, save, and exit.

Set the correct permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Test the Key

After copying the key, verify that it works:

ssh username@hostname

You should be logged in without being prompted for a password (unless you set a passphrase on the key, in which case your SSH agent or keychain handles it).

Using SSH Keys in RemoteConsoleSSH

When adding or editing a connection in RemoteConsoleSSH, you can configure key-based authentication:

Open connection settings

Tap the + button to add a new connection, or tap an existing connection to edit it.

Select authentication method

Under the authentication section, choose SSH Key instead of Password.

Provide your private key

You have two options:

Paste the key: Copy the contents of your private key file (~/.ssh/id_ed25519) and paste it into the key field. On your computer, you can view the key with cat ~/.ssh/id_ed25519.
Import from file: On iOS and Android, you can import the private key file directly from your device's file system.

Enter the passphrase (if applicable)

If your private key is protected with a passphrase, enter it in the passphrase field. RemoteConsoleSSH stores this securely in the platform keychain.

Save and connect

Save the connection and tap to connect. Authentication should happen automatically using your key.

⚠️

Warning

Your private key is a secret. Treat it like a password. When pasting it into RemoteConsoleSSH, the app stores it in the platform's secure keychain (Keychain on iOS, EncryptedSharedPreferences on Android). Never send your private key over email, messaging apps, or unencrypted channels.

Troubleshooting

If key authentication is not working, the most common cause is incorrect file permissions. SSH is strict about this -- if the permissions are too open, it silently falls back to password authentication.

Required Permissions

On the server (the machine you are connecting to), check these permissions:

# Your home directory must not be writable by others
chmod 755 ~
 
# The .ssh directory
chmod 700 ~/.ssh
 
# The authorized_keys file
chmod 600 ~/.ssh/authorized_keys
 
# Your private key (on the machine where you generated it)
chmod 600 ~/.ssh/id_ed25519

Debugging the Connection

If it still does not work, connect with verbose output to see what is happening:

ssh -v username@hostname

Look for lines like:

Offering public key: /Users/you/.ssh/id_ed25519 -- The client is trying the key.
Server accepts key -- The key was accepted.
Authentication succeeded -- You are in.

If you see Permission denied (publickey), the server rejected the key. Double-check that the public key is in ~/.ssh/authorized_keys on the server and that permissions are correct.

ℹ️

Info

If you are using Tailscale SSH (tailscale up --ssh), you do not need SSH keys at all. Tailscale handles authentication using your tailnet identity. SSH keys are only needed for traditional SSH authentication.

Next Steps

Install tmux for persistent terminal sessions that survive disconnections.
Set up network access with Tailscale if you have not already.
Return to the Getting Started guide to install RemoteConsoleSSH on your device.