// learn · security · rhcsa · 10 min

How SSH key authentication works.

Public-key auth feels like magic: you put a file on a server and suddenly you can log in without a password. Underneath, it's a six-step handshake that proves you hold a secret without ever sending it across the wire.

How SSH key authentication works. Animated six-step handshake showing public/private key roles, challenge-response, signature verification, and channel establishment. Covers RHCSA EX200 security objectives.
// ssh key authentication

What actually happens between your laptop and the server when you type ssh user@host. Six steps that prove you hold a secret without sending it.

// before you start
you should know
  • Comfort with running ssh from a terminal at least once
  • A rough sense that some encryption uses one key, some uses two
  • Helpful: the SSH Key Setup tool on this site, if you haven't generated a key yet
by the end you'll

Predict every message that crosses the wire during a key-auth login. Explain why the public key is safe to share and the private key isn't.

pace: 10 minutes

// arrows numbered to match lesson steps · steps 1 & 4 happen locally on each side, so only steps 2, 3, 5 and 6 appear as arrows crossing the wire.

ssh handshake · step 1 / 6 · the key pair
[diagram]
  alice@laptop // client: private key ~/.ssh/id_ed25519 · public key ~/.ssh/id_ed25519.pub · ssh-agent (signs on your behalf)
  server.example // server: authorized_keys /home/alice/.ssh/authorized_keys · sshd (ssh daemon, port 22)
  arrows: 2. offer public key · 3. random challenge · 5. signature · 6. encrypted shell channel
  legend: private (never leaves laptop) · public (safe to share) · sshd / ssh-agent process

Two halves of a math pair

An SSH key is two matching files. The private one stays on your laptop; keep it secret. The public one is safe to share, so you copy it onto every server you want to log in to. Anyone with the public key can CHECK a signature, but only the private key can MAKE one. That's the whole trick.

// key insight

The private key never crosses the network. Not even once. The whole protocol is designed around proving possession of the private key by signing something a watcher can't replay, which is why pasting your private key into a chat or an email is a wipe-the-key incident, while pasting the public key is fine.

// exam-ready · the SSH key commands and files
$ ssh-keygen -t ed25519
$ ssh-keygen -t ed25519 -C label
$ ssh-copy-id user@host
$ ssh-add ~/.ssh/id_ed25519
$ ssh-add -l
$ ssh-add -D
$ ssh -v user@host
$ ssh-keygen -lf KEY
~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub
~/.ssh/authorized_keys
~/.ssh/known_hosts
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_ed25519
/etc/ssh/sshd_config
PasswordAuthentication no
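
The public half is only a length-prefixed key type plus a 32-byte public value, and its SHA256 fingerprint is what `ssh-keygen -lf KEY` prints. The following is an added example, not part of the original lesson: it parses a `.pub`-style line and computes that fingerprint with the Python standard library. The sample key bytes are constructed placeholders, and lines carrying an authorized_keys options prefix are not handled.

```python
import base64
import hashlib
import struct

def read_string(buf, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string data")
    return buf[offset + 4:end], end

def parse_public_key_line(line):
    """Parse 'type base64 [comment]' as stored in id_ed25519.pub."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    declared_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, offset = read_string(blob, 0)
    # The type named in the text must match the type encoded inside the blob.
    if inner_type.decode("ascii") != declared_type:
        raise ValueError("key type in blob does not match declared type")
    if declared_type == "ssh-ed25519":
        point, offset = read_string(blob, offset)
        if len(point) != 32 or offset != len(blob):
            raise ValueError("malformed ssh-ed25519 public key")
    return declared_type, blob, comment

def fingerprint(blob):
    """SHA256 fingerprint: 'SHA256:' + unpadded base64 of the blob's digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def ssh_string(data):
    """Encode bytes as an SSH wire-format string."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: 32 placeholder bytes standing in for a real public key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " alice@laptop")

if __name__ == "__main__":
    key_type, blob, comment = parse_public_key_line(SAMPLE_LINE)
    print(key_type, fingerprint(blob), comment)
```

Comparing this fingerprint on the laptop and on the server confirms that the key listed in authorized_keys is the one you generated.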
// check yourself
4 quick questions
Q1

Why is it safe to paste your public key into a GitHub profile or send it in plaintext email?

Q2

Which file holds the PRIVATE key on your laptop?

Q3

Bob copies your ~/.ssh/authorized_keys file from the server to his laptop. Can he now log in as you?

Q4

What does ssh-agent do?

These aren't graded; they're just for active recall, which is what actually makes the lesson stick.

// now generate one

SSH Key Setup tool

Step-by-step walk-through for generating your first key with ssh-keygen, copying the public half to a server with ssh-copy-id, and configuring ~/.ssh/config so you never type the full host again.
