Every time you SSH into an EC2 instance with a .pem key, you have to pass the -i flag and the full path to the key file. With passwordless SSH login on EC2 Ubuntu 22.04, you generate a key pair on your local machine, copy the public key to the server, and connect with just ssh ubuntu@your-server.
The examples here are run on WSL2 Ubuntu in Windows, but they work the same on any Linux or macOS system.
Prerequisites
- An EC2 instance running Ubuntu 22.04 — follow How to deploy EC2 Ubuntu 22.04 LTS on AWS if you need one
- SSH access to the instance (using your existing .pem key)
- The instance’s public IP or DNS name
Step 1: Generate an SSH Key Pair
On your local machine, generate a new SSH key pair. Ed25519 is the recommended algorithm — it’s faster and more secure than RSA with shorter keys:
ssh-keygen -t ed25519 -C "you@example.com"
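Press Enter to accept the default file location (~/.ssh/id_ed25519). You can set a passphrase or leave it empty for fully passwordless access. An empty passphrase leaves the private key unencrypted on disk, so anyone who can read the file can use it; if you set a passphrase, ssh-agent can hold the unlocked key so you only type it once per session.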
This creates two files:
- ~/.ssh/id_ed25519 — your private key (never share this)
- ~/.ssh/id_ed25519.pub — your public key (this goes on the server)
If your server or tooling requires RSA, use this instead:
ssh-keygen -t rsa -b 4096 -C "you@example.com"
Step 2: Copy the Public Key to EC2
The easiest way to transfer your public key is ssh-copy-id. Since EC2 instances use a .pem key for initial access, pass it with -i:
ssh-copy-id -i ~/.ssh/id_ed25519.pub -o "IdentityFile=~/path/to/your-key.pem" ubuntu@203.0.113.10
- -i ~/.ssh/id_ed25519.pub — the public key to copy
- -o "IdentityFile=..." — authenticates with your existing .pem key for this transfer
This appends your public key to ~/.ssh/authorized_keys on the server and sets the correct file permissions automatically.
Manual method (if ssh-copy-id is not available)
If ssh-copy-id isn’t installed on your system, copy the key manually:
cat ~/.ssh/id_ed25519.pub | ssh -i ~/path/to/your-key.pem ubuntu@203.0.113.10 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
This creates the .ssh directory if it doesn’t exist, appends the public key, and sets the correct permissions.
Step 3: Test the Connection
Connect without specifying the .pem key:
ssh ubuntu@203.0.113.10
You should get a shell prompt immediately — no password, no -i flag. If it still asks for a password or falls back to the .pem key, see the troubleshooting section below.
Step 4: Set Up an SSH Config Shortcut
To avoid typing the full IP address and username every time, add an entry to your SSH config file:
nano ~/.ssh/config
Add this block:
Host my-ec2
    HostName 203.0.113.10
    User ubuntu
    IdentityFile ~/.ssh/id_ed25519
Set the correct permissions on the config file:
chmod 600 ~/.ssh/config
Now you can connect with:
ssh my-ec2
This also works with scp, rsync, and any tool that uses SSH. For example, syncing files becomes rsync -avz ./app/ my-ec2:/home/ubuntu/app/. See How to Copy Files to Amazon EC2 Ubuntu Instance Using Rsync for more on this.
Required File Permissions
SSH is strict about file permissions. If they’re wrong, SSH silently ignores your key and falls back to password authentication. These are the correct permissions:
| File / Directory | Permission | Command |
|---|---|---|
| ~/.ssh/ (directory) | 700 | chmod 700 ~/.ssh |
| ~/.ssh/authorized_keys | 600 | chmod 600 ~/.ssh/authorized_keys |
| ~/.ssh/id_ed25519 (private key) | 600 | chmod 600 ~/.ssh/id_ed25519 |
| ~/.ssh/config | 600 | chmod 600 ~/.ssh/config |
On the server, also make sure the home directory itself isn’t group-writable:
chmod 755 /home/ubuntu
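The script below is an added example, not part of the original article: it checks every path from the table above, plus the home directory, and flags any that carries permission bits beyond the listed mode. The function names (mode_of, check_max, audit_ssh_perms) are hypothetical helpers written for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the modes in the table above.

# Print a path's permission bits in octal: GNU stat (Linux, WSL2), then BSD stat (macOS).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_max PATH MAX: fail if PATH carries any permission bit outside octal MAX.
check_max() {
    [ -e "$1" ] || return 0                      # absent files are skipped
    mode=$(mode_of "$1") || return 1
    extra=$(( 0$mode & ~0$2 & 0777 ))            # bits set beyond the allowed mask
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL %s is %s, allowed %s -> chmod %s %s\n' "$1" "$mode" "$2" "$2" "$1"
        return 1
    fi
    printf 'ok   %s (%s)\n' "$1" "$mode"
}

# audit_ssh_perms HOME_DIR: returns 0 when every check passes, 1 otherwise.
audit_ssh_perms() {
    home=$1 fails=0
    check_max "$home"                      755 || fails=$((fails + 1))
    check_max "$home/.ssh"                 700 || fails=$((fails + 1))
    check_max "$home/.ssh/authorized_keys" 600 || fails=$((fails + 1))
    check_max "$home/.ssh/id_ed25519"      600 || fails=$((fails + 1))
    check_max "$home/.ssh/config"          600 || fails=$((fails + 1))
    [ "$fails" -eq 0 ]
}

# Audit the current user's home (or the directory given as the first argument).
audit_ssh_perms "${1:-$HOME}" || echo "Fix the FAIL lines above, then retry ssh."
```

Run it on your local machine to cover the private key and config, and on the server to cover authorized_keys and the home directory.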
Troubleshooting
Still asked for a password
Run SSH in verbose mode to see what’s happening:
ssh -v ubuntu@203.0.113.10
Look for lines like Offering public key and Server accepts key. If your key isn’t being offered, check that it’s in ~/.ssh/ with the correct permissions. If the server rejects it, check authorized_keys permissions on the server.
Permission denied (publickey)
This usually means:
- The public key in authorized_keys doesn’t match your local private key
- File permissions are wrong (see the table above)
- The home directory is group-writable — fix with chmod 755 /home/ubuntu
Multiple keys and wrong key offered
If you have multiple keys in ~/.ssh/, SSH tries them in order and may hit the server’s MaxAuthTries limit before reaching the right one. Use the SSH config file (Step 4) to specify which key to use for each host.
Conclusion
With your SSH key pair set up and an SSH config shortcut in place, connecting to your EC2 instance takes a single ssh my-ec2 command. No passwords, no -i flags, no long IP addresses.
If you need to set up SSH access for multiple users on the same instance, see How to Add and Delete Users on EC2 Ubuntu 22.04. To push to Git repositories without authentication prompts using the same SSH key approach, check out How to Configure Git Pushes Without Authentication Prompts.


