// Security Guide

SSH Key Login on Ubuntu

Ditch password logins for good. Generate a key pair with PuTTYgen on Windows, install the public key on your Ubuntu VPS, and optionally lock the door on password authentication entirely.

Windows + PuTTY
Ubuntu 22 LTS
RSA / ED25519
Passwordless Login
STEP 01

Generate an SSH Key Pair with PuTTYgen

PuTTYgen is a key generator included with the PuTTY suite. If you don't have it yet, download it from putty.org — grab the full MSI installer so you get PuTTY, PuTTYgen, and Pageant in one shot.

  1. Launch PuTTYgen (search the Start menu for it).
  2. Under Type of key to generate, select EdDSA and keep the curve at Ed25519. It's faster and more secure than the older RSA option. If your server or tooling requires RSA, select RSA and set the key size to 4096 bits.
  3. Click Generate, then move your mouse randomly around the blank area — this creates the randomness used to generate the key.
  4. (Recommended) Enter a passphrase in the Key passphrase fields. This encrypts your private key on disk so it's useless to anyone who steals the file.
💡 Ed25519 vs RSA: Ed25519 keys are shorter, faster, and considered more secure than RSA-2048. Use Ed25519 unless you're connecting to an older system that doesn't support it; OpenSSH has accepted Ed25519 keys since version 6.5 (2014), so every supported Ubuntu release does.
STEP 02

Save & Store Your Keys Securely

After generating, you'll handle two things: the private key, which stays on your Windows machine, and the public key text, which you'll copy to the server. Don't mix them up.

  1. Click Save private key. Save it as something like id_ed25519.ppk. PuTTY uses the .ppk format.
  2. Save it to C:\Users\YourUsername\.ssh\ — create the .ssh folder if it doesn't exist. This is the conventional location.
  3. In the PuTTYgen window, find the box labelled "Public key for pasting into OpenSSH authorized_keys file". Select all of that text and copy it to your clipboard — you'll need it in Step 3.
🔒 Keep your private key private: never share your .ppk file, upload it anywhere, or put it in a synced folder (Dropbox, OneDrive, etc.). The public key is the one that goes on servers; it's safe to share freely.
STEP 03

Copy Your Public Key to the VPS

The server needs to know your public key before it will trust your private key for login. You'll add it to the file ~/.ssh/authorized_keys in your home directory on the VPS. First, log in to your VPS the old-fashioned way (password) one last time.

Once logged in, run the following commands. The first creates the ~/.ssh directory if it doesn't exist and the second sets the permissions sshd expects on it. The echo command further down is where you paste your public key.

Terminal — Ubuntu VPS
mkdir -p ~/.ssh
chmod 700 ~/.ssh

Now add your public key. Replace the placeholder below with the full public key text you copied from PuTTYgen (the line starting with ssh-ed25519 AAAA... or ssh-rsa AAAA...):

Terminal — Ubuntu VPS
echo "YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
ℹ️ Why these permissions? sshd is strict about file permissions. With the default StrictModes yes, it refuses to read authorized_keys if that file, ~/.ssh, or your home directory is writable by group or others, or is owned by another user. From the client side this looks like the key being silently ignored (PuTTY just falls through to a password prompt, or is denied once passwords are off); on the server, /var/log/auth.log records "Authentication refused: bad ownership or modes" naming the offending path.

You can verify the key was added correctly by running:

Terminal — Ubuntu VPS
cat ~/.ssh/authorized_keys

You should see your public key printed as a single long line starting with ssh-ed25519 or ssh-rsa.
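If you'd rather not paste by hand, the script below does Step 3 in one go. It's an added example written for this edit, not part of the original guide or of the PuTTY/OpenSSH projects: the function names, the basic format check and the duplicate test are this example's own choices, and the key string in the usage comment is a constructed placeholder, not a real key.

```bash
#!/bin/sh
# Added example, not part of the original guide: install an OpenSSH public
# key line (the text PuTTYgen shows for pasting into authorized_keys) the way
# Step 3 does by hand, but idempotently and with the modes sshd expects.
# The function and file names are this example's own choices.
set -eu

# install_pubkey KEY [SSH_DIR]
# Appends KEY to SSH_DIR/authorized_keys (default ~/.ssh) unless the same key
# is already there, and sets directory/file modes to 700/600.
# Returns 1 if KEY does not look like a single OpenSSH public key line.
install_pubkey() {
    key=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth="$ssh_dir/authorized_keys"

    # Sanity check: "<type> AAAA<base64>[ comment]". Every OpenSSH key blob
    # starts with "AAAA" because the encoded type name comes first.
    case $key in
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*|"ecdsa-sha2-nistp"*" AAAA"*) ;;
        *) printf 'not an OpenSSH public key line: %.40s...\n' "$key" >&2; return 1 ;;
    esac
    # A multi-line paste (e.g. the Public-Lines block of a .ppk) is the classic
    # mistake; authorized_keys wants the key on exactly one line.
    nl=$(printf '\nx'); nl=${nl%x}
    case $key in
        *"$nl"*) echo "key must be a single line (check your paste)" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # Match on type + key material only, so a different trailing comment
    # does not create a duplicate entry.
    keymat=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -q -F -- "$keymat" "$auth"; then
        echo "key already present in $auth" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added key to $auth" >&2
}

# count_keys [SSH_DIR]: number of key lines in authorized_keys (0 if absent).
count_keys() {
    auth="${1:-$HOME/.ssh}/authorized_keys"
    if [ -f "$auth" ]; then
        grep -c -E '^(ssh-|ecdsa-)' "$auth" || true   # grep -c exits 1 on zero matches
    else
        echo 0
    fi
}

# Usage on the VPS (the key below is a constructed placeholder, not a real key):
# install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER user@windows' && count_keys
```

Run it on the VPS as the account you log in with and call install_pubkey with the line PuTTYgen gave you in single quotes. Running it twice is harmless; count_keys confirms there is still a single entry.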

STEP 04

Configure PuTTY to Use Your Private Key

Now tell PuTTY where your private key lives so it presents it automatically when connecting.

  1. Open PuTTY and load (or create) your server session under Session → Saved Sessions.
  2. In the left panel, navigate to Connection → SSH → Auth → Credentials.
  3. Next to "Private key file for authentication", click Browse and select your .ppk file.
  4. Go back to Session at the top of the left panel and click Save to save the session with the key attached.
💡 Using Pageant? Pageant is PuTTY's SSH agent: it holds your decrypted private key in memory so you don't have to enter your passphrase every time. Right-click the Pageant tray icon → Add Key → select your .ppk. Any PuTTY session will pick it up automatically.
STEP 05

Test Key-Based Login

Before disabling password auth, verify the key actually works. Open PuTTY, load the saved session, and click Open. You should connect without being asked for a password (or only asked for your key passphrase, if you set one).

⚠️ Don't skip this step: do not proceed to disabling passwords until you have successfully logged in using the key at least once. If you lock yourself out, you'll need console/rescue access through your VPS provider to recover.

If the login fails, common causes are:

  1. The public key wasn't saved to authorized_keys correctly (or was pasted across several lines) — check with cat ~/.ssh/authorized_keys; it must be one line per key
  2. Wrong file permissions or ownership on your home directory, ~/.ssh, or authorized_keys — re-run the chmod commands from Step 3
  3. PuTTY is pointing to the wrong .ppk file — double-check the path in Connection → SSH → Auth → Credentials
  4. You're logging in as the wrong username — the authorized_keys file is per-user
  5. You're guessing from the client side — on the server, sudo tail /var/log/auth.log shows why sshd rejected the key (bad modes, no matching key, wrong user)
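The server side tells you far more than PuTTY's error box. The script below, an added example not found in the original guide, reproduces the ownership and mode checks sshd applies under StrictModes (its default) so you can see exactly which path it objects to. The function names are this example's own; the auth.log message it refers to is sshd's.

```bash
#!/bin/sh
# Added example, not part of the original guide: reproduce the checks sshd's
# StrictModes option performs before it will read authorized_keys, so a
# "key silently ignored" problem can be pinned down from the server side.
# sshd refuses the file if the home directory, ~/.ssh or authorized_keys is
# writable by group or others, or owned by someone other than the user or root.
set -eu

# writable_by_others PATH: succeeds if group or other has write permission.
writable_by_others() {
    mode=$(stat -c %a "$1")          # e.g. 755, 700, 600, 2775
    g=$(( (mode / 10) % 10 ))        # group digit
    o=$(( mode % 10 ))               # other digit
    [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]   # write bit is 2
}

# owned_by UID PATH: succeeds if PATH belongs to that uid or to root.
owned_by() {
    owner=$(stat -c %u "$2")
    [ "$owner" = "$1" ] || [ "$owner" = 0 ]
}

# strictmodes_check HOME_DIR [UID]: print every problem sshd would object to;
# return 1 if there is at least one, 0 if the key file would be accepted.
strictmodes_check() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"; rc=1; continue
        fi
        if ! owned_by "$uid" "$p"; then
            echo "BAD OWNER: $p (uid $(stat -c %u "$p"), expected $uid or 0)"; rc=1
        fi
        if writable_by_others "$p"; then
            echo "BAD MODE: $p is mode $(stat -c %a "$p"); must not be group/other writable"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: ownership and modes acceptable to sshd StrictModes"
    return "$rc"
}

# Usage on the VPS, as the account you log in with:
# strictmodes_check "$HOME"
```

Run strictmodes_check "$HOME" as the user you log in as. Pair it with sudo grep 'Authentication refused' /var/log/auth.log, which names the path sshd rejected, and fix whatever it reports with the chmod commands from Step 3.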
STEP 06

Disable Password Authentication (Recommended)

Once key login works, disabling password auth closes the door on brute-force attacks entirely. A server exposed to the internet with passwords enabled will be hammered constantly by bots — you can watch it happen in /var/log/auth.log. Keys eliminate that attack surface.

Open the SSH daemon config file:

Terminal — Ubuntu VPS
sudo nano /etc/ssh/sshd_config

Find the following lines (use Ctrl+W in nano to search) and set them as shown. If a line is commented out (starts with #), uncomment it by removing the #. Ubuntu 22.04's default file already contains KbdInteractiveAuthentication no; leave it that way, because with PAM enabled a keyboard-interactive login can still ask for a password even when PasswordAuthentication is off:

/etc/ssh/sshd_config
# Disable password-based logins
PasswordAuthentication no
# Ensure public key auth is on (usually already yes)
PubkeyAuthentication yes
# Optional but recommended: disable root login entirely
PermitRootLogin no

Save the file with Ctrl+O, then Enter, then exit with Ctrl+X. Restart the SSH service to apply changes:

Terminal — Ubuntu VPS
sudo systemctl restart ssh
🚨 Do not close your current session yet: after restarting SSH, open a new PuTTY window and confirm you can still log in. Only close your existing session once the new one is confirmed working. If the new login fails, you can still fix the config in your open session.

To confirm password authentication is truly disabled, you can check the running SSH config:

Terminal — Ubuntu VPS
sudo sshd -T | grep passwordauthentication

The output should be passwordauthentication no. If it still shows yes, look for an override in /etc/ssh/sshd_config.d/. Ubuntu 22.04's sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each option, so anything set in a drop-in there beats the main file. Cloud-init commonly leaves a 50-cloud-init.conf in that directory containing PasswordAuthentication yes; set it to no there (or delete the line) and restart ssh again.

Terminal — Ubuntu VPS
# Check for override files
grep -r "PasswordAuthentication" /etc/ssh/sshd_config.d/
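A drop-in is a cleaner way to apply Step 6 than editing the main file, and the ordering rules are what make the check above sometimes show yes. The script below is an added example for this edit, not the guide's or OpenSSH's own code: the file name 10-hardening.conf is an assumption chosen so it sorts before 50-cloud-init.conf, and effective_value is a deliberately simple reimplementation of sshd's first-value-wins rule that ignores Match blocks; sshd -T on the server remains the authority.

```bash
#!/bin/sh
# Added example, not part of the original guide: find the value sshd will
# actually use for an option, and install the Step 6 settings as a drop-in
# that is guaranteed to win. On Ubuntu 22.04 /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf"; included files are read in sorted
# name order before the rest of the main file, and sshd keeps the FIRST value
# it reads for each keyword. So a drop-in beats the main file, and a
# lower-numbered drop-in beats a higher-numbered one such as 50-cloud-init.conf.
# Match blocks are ignored here; "sshd -T" on the server is the final word.
set -eu

# effective_value OPTION [ETC_SSH]: print the first value found in sshd's read
# order (lowercased, like sshd -T); return 1 if the option is set nowhere.
effective_value() {
    opt=$1
    etc=${2:-/etc/ssh}
    for f in "$etc"/sshd_config.d/*.conf "$etc"/sshd_config; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal
        # Keywords are case-insensitive; "Key value" and "Key=value" are both
        # allowed; commented-out lines must not count.
        v=$(grep -i -E "^[[:space:]]*$opt([[:space:]]+|[[:space:]]*=)" "$f" \
            | head -n 1 \
            | sed -E 's/^[[:space:]]*[A-Za-z]+[[:space:]]*=?[[:space:]]*//' \
            | awk '{print tolower($1)}')
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# write_hardening_dropin [ETC_SSH]: write 10-hardening.conf (file name is this
# example's choice) with the Step 6 settings. KbdInteractiveAuthentication is
# included because PAM can still prompt for a password through
# keyboard-interactive if it is left on.
write_hardening_dropin() {
    etc=${1:-/etc/ssh}
    mkdir -p "$etc/sshd_config.d"
    cat > "$etc/sshd_config.d/10-hardening.conf" <<'EOF'
# Key-only logins (written by the hardening example)
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# apply_sshd_config: validate the full configuration first, and only then
# restart; a typo is caught by sshd -t instead of locking you out.
apply_sshd_config() {
    sudo sshd -t && sudo systemctl restart ssh
}

# Usage on the VPS:
# effective_value PasswordAuthentication   # what sshd currently uses
# sudo sh -c '. ./this_script.sh; write_hardening_dropin' && apply_sshd_config
```

Run write_hardening_dropin as root and then apply_sshd_config; the restart only happens if sshd -t accepts the configuration. Afterwards sudo sshd -T | grep -i -E 'password|kbdinteractive' should show both set to no regardless of what 50-cloud-init.conf says.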
You're done! Your server now only accepts logins from someone holding a private key that matches one listed in authorized_keys. Bots will keep knocking, but with no password prompt to guess against they are rejected immediately; brute-force password attacks are no longer a threat.
STEP 07

Remove the sudo Password Prompt (Optional)

By default, Ubuntu asks for your password every time you run a sudo command. Since server access is already behind SSH keys, you may want to remove this extra friction, especially for scripting or frequent admin work. Understand the trade-off first: the sudo password is the last barrier between a stolen private key or a hijacked session and root, so on a shared or sensitive host it may be worth keeping. The change is made by editing the sudoers file via visudo, which validates the syntax before saving (preventing you from accidentally locking yourself out of sudo).

⚠️ Always use visudo, never edit sudoers directly: visudo locks the file and checks for syntax errors before writing. Editing /etc/sudoers directly with nano or vim risks a broken sudoers file that locks you out of all administrative commands.

Open the sudoers file:

Terminal — Ubuntu VPS
sudo visudo

This opens the sudoers file in your default terminal editor (usually nano). Choose one of the two approaches below depending on how broadly you want to apply the change.

Option A: Specific User Only

Replace username in the line below with the Linux account you log in as, then add it at the very end of the sudoers file (scroll down past all existing content). The position matters: sudo applies the last matching rule, so a line placed above the %sudo entry would be overridden by it and you would still be prompted.

Add to end of sudoers file
username ALL=(ALL:ALL) NOPASSWD: ALL
Option B: All Users in the sudo Group

Find the existing line that starts with %sudo and modify it so it reads exactly as below. This removes the password requirement for every user in the sudo group, so only use this if all sudo-group members on the server should have passwordless access.

Find this line in sudoers
# Change FROM this:
%sudo ALL=(ALL:ALL) ALL
Replace with this
%sudo ALL=(ALL:ALL) NOPASSWD: ALL

Save and exit: Ctrl+O, Enter, Ctrl+X. visudo will validate the syntax before writing; if there's an error it will warn you and give you the option to re-edit rather than saving a broken file.

Test immediately in a new PuTTY session without closing your current one. Use a fresh session because sudo caches your password for a few minutes (15 by default) after you enter it, so the shell you edited in might not prompt even if the change had no effect:

Terminal — Ubuntu VPS
sudo whoami

If it prints root without prompting for a password, you're all set.

💡 Prefer a middle ground? You can allow passwordless sudo only for specific commands instead of all of them. Note that username ALL=(ALL) NOPASSWD: /bin/systemctl permits every systemctl subcommand without a password, not just restarts; to allow restarts only, include the arguments, e.g. username ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart *. Always give the command as the absolute path which systemctl prints on your server (/usr/bin/systemctl on Ubuntu 22.04), since sudoers rules name commands by full path. This gives convenience without full blanket access.
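Instead of editing /etc/sudoers itself, you can drop a one-line file into /etc/sudoers.d/, which Ubuntu's sudoers pulls in with @includedir. The script below is an added example written for this edit, not the guide's own instructions or part of sudo: the file name <user>-nopasswd is its own convention, the usernames and command paths in the usage comment are placeholders, and nothing is installed system-wide unless you point it at /etc/sudoers.d yourself.

```bash
#!/bin/sh
# Added example, not part of the original guide: build a NOPASSWD rule for one
# user, limited to specific commands when any are given, and install it as a
# file under /etc/sudoers.d/ instead of editing /etc/sudoers in place.
# Ubuntu's /etc/sudoers ends with "@includedir /etc/sudoers.d"; drop-ins are
# read after the main file, and since the LAST matching rule wins in sudoers,
# the drop-in overrides the %sudo line for that user. sudo ignores files whose
# names contain a dot or end in "~", so the file name is kept plain.
set -eu

# nopasswd_rule USER [CMD ...]: print one sudoers line. Each CMD must be an
# absolute path (sudoers names commands by full path, so a bare "systemctl"
# is rejected); with no commands the rule is the blanket "NOPASSWD: ALL".
nopasswd_rule() {
    user=$1; shift
    if [ $# -eq 0 ]; then
        printf '%s ALL=(ALL:ALL) NOPASSWD: ALL\n' "$user"
        return 0
    fi
    cmds=
    for c in "$@"; do
        case $c in
            /*) ;;
            *) echo "command must be an absolute path: $c" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }$c"
    done
    printf '%s ALL=(ALL:ALL) NOPASSWD: %s\n' "$user" "$cmds"
}

# install_sudoers_dropin SUDOERS_D USER [CMD ...]: write the rule to
# SUDOERS_D/<user>-nopasswd with the 0440 mode sudo requires, and print the path.
install_sudoers_dropin() {
    dir=$1; shift
    user=$1
    file="$dir/$user-nopasswd"
    rule=$(nopasswd_rule "$@") || return 1   # refuse to write a bad rule
    printf '%s\n' "$rule" > "$file"
    chmod 0440 "$file"
    printf '%s\n' "$file"
}

# validate_sudoers FILE: parse-check a drop-in the same way visudo checks
# /etc/sudoers; run this before trusting the file (must run as root).
validate_sudoers() {
    visudo -c -f "$1"
}

# Usage on the VPS, as root (user and command are placeholders):
# f=$(install_sudoers_dropin /etc/sudoers.d alice '/usr/bin/systemctl restart *')
# validate_sudoers "$f"
```

After installing a rule, run validate_sudoers on the path it printed, then log in as that user and test with sudo -k followed by the command (sudo -k discards the cached credential, so the prompt, or its absence, reflects the new rule rather than the 15-minute cache).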