
How to generate and use SSH keys on a Mac

From `ssh-keygen` to passwordless servers in 5 minutes — covers ed25519, ssh-agent, the Apple Keychain, and SSHive integration.

Estimated time: 5 minutes

Password authentication for SSH is a security smell — bots scan port 22 looking for weak passwords 24/7. SSH key authentication replaces "something you know" with "something you have", and once configured, you also stop typing passwords every time you connect. This guide gets you from no keys to a passwordless production server in 5 minutes, using ed25519 (the modern, fast, short keypair) and SSHive's built-in key management.

Step-by-step

  1. Generate the keypair (one-time, in any terminal)

    SSHive does not embed a key generator — keep one source of truth at `~/.ssh/`. Open Terminal.app (or SSHive's built-in local terminal via Cmd+T) and run `ssh-keygen -t ed25519 -C "your-email@example.com"`. Press Enter to accept the default path (`~/.ssh/id_ed25519`). Set a passphrase — the macOS Keychain will remember it via SSHive's safeStorage so you only type it once.
  2. Copy the public key to the server (last time you type the password)

    Run `ssh-copy-id user@host` and authenticate with the password one last time. The command appends your public key to `~/.ssh/authorized_keys` on the server. From now on the server accepts the key.
  3. Wire the key into an SSHive profile (3 clicks)

    Open the profile dialog. The Authentication block has three radios: Password, Private Key, Agent. Pick **Private Key**. The "Browse" button opens the macOS file picker — navigate to `~/.ssh/id_ed25519`. The selected path appears in a read-only field with a green ✓ if SSHive can read it (or an orange ⚠ if the sandbox needs you to re-pick the file to mint a security-scoped bookmark). Tick "Protected by passphrase" if applicable, type the passphrase once, save.
  4. Where SSHive stores what — a 4-line summary

    The key file path lives in `profiles.json` (just a path, in clear). The macOS sandbox bookmark for the file lives in the same JSON as `privateKeyBookmark` (binary). The passphrase lives in macOS Keychain via Electron safeStorage under `${profileId}:passphrase`. The plaintext password (if you used Password auth) lives in safeStorage under `${profileId}`. Touch ID prompt? macOS shows it automatically the first time SSHive's safeStorage touches the Keychain — SSHive itself does not call Touch ID directly.
  5. Lock down password auth on the remote

    Once SSHive connects with the key, harden the server: edit `/etc/ssh/sshd_config`, set `PasswordAuthentication no`, and reload sshd (`sudo systemctl reload ssh`). Now nothing on that server accepts a password — bots scanning port 22 give up. Note: the same auth options work in Free and Pro — there is no Pro gating on password / key / agent.
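
Step 5 changes `PasswordAuthentication` only; keyboard-interactive authentication through PAM is a separate sshd setting that can still prompt for a password. The script below is an added example (not from the original guide or from SSHive) that checks the output of `sshd -T` for that case; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input is the text printed by `sshd -T`: the effective
# settings (Include files resolved), one "keyword value" per line, lower case.

# Print the value of one keyword from an `sshd -T` dump (empty if absent).
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Print one line per setting that still lets a password through, or that
# would break key login. Returns 0 when there are no findings, 1 otherwise.
password_auth_findings() {
    dump=$1
    out=""
    [ "$(sshd_value "$dump" pubkeyauthentication)" = "yes" ] ||
        out="${out}pubkeyauthentication is not yes: key login would fail
"
    [ "$(sshd_value "$dump" passwordauthentication)" = "no" ] ||
        out="${out}passwordauthentication is not no
"
    # Older OpenSSH releases list challengeresponseauthentication as its own
    # keyword; "yes" under either name counts as enabled.
    kbd=no
    for k in kbdinteractiveauthentication challengeresponseauthentication; do
        if [ "$(sshd_value "$dump" "$k")" = "yes" ]; then kbd=yes; fi
    done
    if [ "$kbd" = "yes" ] && [ "$(sshd_value "$dump" usepam)" = "yes" ]; then
        out="${out}keyboard-interactive with usepam: PAM may still ask for a password
"
    fi
    printf '%s' "$out"
    [ -z "$out" ]
}

# Constructed sample: the state after changing only PasswordAuthentication.
SAMPLE_AFTER_EDIT='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'

# On the server, before closing the session you are logged in with:
#   sudo sshd -t && password_auth_findings "$(sudo sshd -T)"
```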

Frequently asked questions

Should I use RSA, ECDSA, or ed25519?
ed25519 is the right answer in 2026: faster, shorter, no known cryptographic weaknesses. Use RSA 4096 only when connecting to ancient OpenSSH versions (< 6.5) that don't support ed25519. Avoid ECDSA — it has more failure modes than ed25519.
Where are my SSH keys stored on macOS?
The keys themselves stay where ssh-keygen puts them — `~/.ssh/`. The passphrase that unlocks an encrypted key is what ends up in the macOS Keychain (via `ssh-add --apple-use-keychain` or SSHive's safeStorage integration). The private key file is yours to back up — losing it locks you out of every server you copied it to.
