How SSH Key Pairs Work

To use key authentication, you must first have a key pair: a public key and a corresponding private key. You can either use an existing key pair or generate a new one. Typically, you generate an SSH key pair only once and change it only if it might have been compromised, or when you need a key to access systems with different encryption standards. Not all key pairs are compatible with OpenSSH, and you might need to convert keys as required. For example, keys generated using the PuTTY SSH client software aren't directly compatible with OpenSSH and might need to be converted before use. See the client software documentation if you're unsure about key format.

After you have obtained a key pair, copy the public key to any server to which you want to connect. Then, to connect to the server, provide the matching private key. Store the private key on a single client that you use to access the servers. For security, avoid copying the private key to several locations.
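The public key you copy to a server is a single line of the form `<type> <base64 blob> [comment]`, and the blob itself repeats the key type as its first length-prefixed field. The following added example (not part of this page or of OpenSSH) checks a key file before it is installed: it tells the OpenSSH one-line format apart from the PuTTY private-key and RFC 4716 export formats mentioned above, and parses an OpenSSH line to confirm the blob agrees with its declared type. The `ssh-ed25519` sample line is constructed inline, not a real key.

```python
"""Inspect SSH public-key material before adding it to authorized_keys."""
import base64
import struct

def read_ssh_string(blob: bytes, offset: int):
    """Read one uint32-length-prefixed string from an OpenSSH key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated blob")
    return blob[offset + 4:end], end

def detect_key_format(text: str) -> str:
    """Classify key text as 'openssh', 'rfc4716', 'ppk' or 'unknown'."""
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    if first.startswith("PuTTY-User-Key-File-"):
        return "ppk"        # PuTTY private key: convert or export before use
    if first.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return "rfc4716"    # multi-line public key export (e.g. from PuTTYgen)
    parts = first.split()
    if parts and parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return "openssh"    # one-line authorized_keys form
    return "unknown"

def parse_openssh_public_key(line: str) -> dict:
    """Parse '<type> <base64> [comment]' and check the blob matches the type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, offset = read_ssh_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError(f"type {key_type!r} does not match blob {inner_type!r}")
    fields = []
    while offset < len(blob):          # remaining fields are algorithm-specific
        field, offset = read_ssh_string(blob, offset)
        fields.append(field)
    return {"type": key_type, "comment": comment, "fields": fields}

def build_openssh_public_key(key_type: str, fields: list, comment: str = "") -> str:
    """Encode fields as a one-line OpenSSH public key (used for the sample)."""
    items = [key_type.encode()] + fields
    blob = b"".join(struct.pack(">I", len(f)) + f for f in items)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()

# Constructed sample: an ed25519 blob carries one 32-byte field after the type.
SAMPLE_ED25519 = build_openssh_public_key("ssh-ed25519", [bytes(range(32))], "alice@laptop")
```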

When generating key pairs, you can choose whether to protect them with a passphrase. Key pairs without a passphrase can help with scripted automation, because they can access remote systems immediately and you won't need to enter a passphrase each time you connect. However, using a key without a passphrase is generally poor security practice. Instead, you can use SSH Agent to remember a key passphrase for the entire login session.

Consider using SSH Agent Forwarding to connect from one trusted system to another, or use the ProxyJump option where you need to connect to another system through an untrusted or heavily shared bastion host.