Connect over SSH with a key instead of a password

An SSH key is a far better way to log in than a password: nothing to type each time, nothing to brute-force, and you can revoke it without changing your account password. Bifrost can create one for you and install it on the server in a single step — no Terminal required.

The easy way: let Bifrost generate the key

In the Credentials manager, click the key button in the toolbar to open Generate an SSH key. You get:

  • Name — how the key appears in Bifrost.
  • Comment — a label embedded in the public key (defaults to you@your-mac), handy to recognise it in a server’s authorized_keys.
  • Install on a server — toggle this on and fill in host, port, username and your current password. Bifrost connects once with that password and appends the new public key to ~/.ssh/authorized_keys for you (the equivalent of ssh-copy-id), creating ~/.ssh with the right permissions if needed.

Bifrost generates a modern Ed25519 key, stores the private key in its own app container, and can immediately bind it to a connection. From then on, that connection logs in with the key — no password prompt.

This is the recommended path: it works on the Mac App Store version, and you never touch the command line.

Using more than one Mac? Turn on Sync SSH Keys in Settings → iCloud and the keys Bifrost generates travel securely (via the iCloud Keychain) to your other Macs, so the same connection just works everywhere — see Sync your connections across Macs with iCloud.

Already have a key? Use the SSH agent

If you already have a key on your Mac (from another tool, a teammate, an RSA key from an older server…), the cleanest way to use it in Bifrost is the SSH agent. Load your key once:

ssh-add --apple-use-keychain ~/.ssh/your_key

--apple-use-keychain stores the passphrase in the macOS Keychain, so the key unlocks automatically on every login. Set the connection’s Authentication to SSH key, and Bifrost will offer the agent’s keys automatically — no need to point at a file.

The agent route works with any key type the agent can hold (Ed25519, ECDSA, RSA), and it handles passphrase-protected keys for you. It’s the right way to use an RSA key.

Supported key types

Bifrost works with the standard SSH key types. Which ones you can use depends on how the key reaches Bifrost:

Key typeGenerated by BifrostVia the SSH agent
Ed25519
ECDSA (p256/384/521)
RSA
  • Bifrost generates Ed25519 — the modern default: short, fast, and secure.
  • The SSH agent accepts any type — Ed25519, ECDSA or RSA, in whatever format the key is in on disk — and it handles passphrase-protected keys for you. That’s how you bring an existing key, including an older RSA one.

Installing a public key on a server manually

If you’d rather do it by hand, append your public key (~/.ssh/your_key.pub, the single ssh-ed25519 … or ssh-rsa … line) to ~/.ssh/authorized_keys on the server, one key per line. Permissions matter or SSH silently refuses the key:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Troubleshooting: “Permission denied (publickey)”

This means the server didn’t accept your key. Check, in order:

  • Public key really on the server — confirm your .pub line is in the server’s ~/.ssh/authorized_keys, under the account you’re connecting as.
  • Permissions~/.ssh must be 700 and authorized_keys 600, owned by that user. SSH ignores keys in world-writable directories.
  • Right username — the key lives under a specific account’s authorized_keys; connect as that user.
  • Using the agent? — run ssh-add -l to confirm the key is actually loaded, and that the matching public key is on the server.

To see exactly why a login is refused, run a verbose login from Terminal and read the last lines:

ssh -v user@server
← All guides