SSH Setup for MacBook -> Ubuntu on a Local Network
I have a MacBook Air that I use for various light-duty data analysis and bioinformatics tasks, but its storage and power are lacking. Instead, I have a powerful desktop PC that I built at home that I like to use for bioinformatics work. I've installed two SSDs in it: one for booting into Windows, and the other for Ubuntu Linux. Let's do most of the 'heavy lifting' on the Ubuntu machine so we can get the work done faster with fewer storage and memory bottlenecks.
Here is a procedure for establishing key-based SSH access from a macOS client to an Ubuntu host. My MacBook and Ubuntu machine share the same local network, and I've configured the router settings to assign each a static IP address.
Credentials:
| Role | Host | Address | User |
|---|---|---|---|
| Client | MacBook | 192.168.50.52 | nick |
| Server | Ubuntu | 192.168.50.50 | nick |
1. Install and enable OpenSSH server on Ubuntu
The OpenSSH server package is not installed by default on Ubuntu Desktop. Install and enable it:
```bash
sudo apt update
sudo apt install openssh-server
sudo systemctl enable --now ssh
```
Verify the service is running and listening:
```bash
sudo systemctl status ssh
ss -tlnp | grep ':22'
```
The service unit is named ssh on Ubuntu (the daemon binary itself is sshd). See sshd(8) and the Ubuntu Server documentation, OpenSSH server [1].
If ufw is enabled, permit SSH:
```bash
sudo ufw status
sudo ufw allow OpenSSH
```
The OpenSSH application profile is shipped with the openssh-server package and opens TCP/22 [1].
2. Confirm reachability from the MacBook
From the MacBook terminal:
```bash
ping -c 3 192.168.50.50
ssh nick@192.168.50.50
```
On the first connection, ssh will print the server's host key fingerprint and prompt you to add it to ~/.ssh/known_hosts. Verify it (ideally by comparing against output of ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub run locally on the Ubuntu machine) before accepting. This step mitigates man-in-the-middle attacks on first use; see ssh(1), the StrictHostKeyChecking and known_hosts sections.
Authenticate using Nick's Ubuntu account password to confirm the path works before configuring key authentication.
3. Generate an SSH key pair on the MacBook
Check whether a usable key already exists:
```bash
ls -al ~/.ssh
```
If id_ed25519 and id_ed25519.pub are present, skip key generation. Otherwise, generate an Ed25519 key:
```bash
ssh-keygen -t ed25519 -C "nick@macbook"
```
A passphrase is recommended; pair it with ssh-agent (see Section 6) so it is only entered once per session.
On algorithm choice: Ed25519 is preferred over RSA for new keys. It produces shorter keys with comparable or stronger security and faster signature operations. It has been supported in OpenSSH since version 6.5 (January 2014) [2], well below the version shipped in any currently supported Ubuntu release.
4. Install the public key on the Ubuntu host
The simplest method is ssh-copy-id, which appends the key to ~/.ssh/authorized_keys on the server and sets the correct file permissions:
```bash
ssh-copy-id nick@192.168.50.50
```
ssh-copy-id is included with macOS's OpenSSH client. See ssh-copy-id(1).
Manual equivalent, if ssh-copy-id is unavailable or you want explicit control:
```bash
cat ~/.ssh/id_ed25519.pub | ssh nick@192.168.50.50 \
  'mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
   cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
```
Permissions matter: sshd refuses to use authorized_keys if the file or its parent directory is group- or world-writable. See sshd(8), section AUTHORIZED_KEYS FILE FORMAT.
Confirm key authentication works:
```bash
ssh nick@192.168.50.50
```
You should be connected without a password prompt (or prompted only for the key's passphrase).
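The permission rule from this step, as an added example that is not part of the original post: a POSIX shell check that flags a group- or world-writable home directory, ~/.ssh or authorized_keys. The function names mode_ok and audit_ssh_perms are hypothetical, the sample directory is constructed, and file ownership (which sshd also checks) is not covered.

```shell
#!/bin/sh
# Added example: flag paths that are group- or world-writable, the condition
# under which sshd (StrictModes, on by default) ignores authorized_keys.

# Return 0 if $1 is NOT group- or world-writable, 1 otherwise.
mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)    # e.g. drwx------ or -rw-r--r--
    case $mode in
        ?????w????|????????w?) return 1 ;;   # position 6 = group w, 9 = other w
        *) return 0 ;;
    esac
}

# Audit the three paths under home directory $1; print one line per path
# and return the number of paths that fail.
audit_ssh_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=$((bad + 1))
        elif mode_ok "$p"; then
            echo "ok      $p"
        else
            echo "UNSAFE  $p ($mode)"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample home directory, not a real account.
home=$(mktemp -d)
mkdir "$home/.ssh"
: > "$home/.ssh/authorized_keys"
chmod 755 "$home"; chmod 775 "$home/.ssh"; chmod 664 "$home/.ssh/authorized_keys"
audit_ssh_perms "$home" || echo "-> $? path(s) need fixing"

# Apply the modes used in step 4 and audit again.
chmod 700 "$home/.ssh"; chmod 600 "$home/.ssh/authorized_keys"
audit_ssh_perms "$home" && echo "-> all paths pass"
```

On the Ubuntu host, run audit_ssh_perms "$HOME" as the login user.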
5. Configure the client for convenience
Create or edit ~/.ssh/config on the MacBook:
```bash
touch ~/.ssh/config
chmod 600 ~/.ssh/config
```
Add an entry:
```
Host ubuntu
    HostName 192.168.50.50
    User nick
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
```
You can now connect with ssh ubuntu. IdentitiesOnly yes prevents the client from offering every key in your agent, which is useful when you accumulate multiple keys. See ssh_config(5).
6. (Recommended) Use ssh-agent with Keychain on macOS
macOS provides a built-in ssh-agent integrated with the system Keychain. To have the passphrase stored in Keychain and the key auto-loaded, extend the host entry:
```
Host ubuntu
    HostName 192.168.50.50
    User nick
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    UseKeychain yes
    AddKeysToAgent yes
```
UseKeychain is a macOS-specific OpenSSH client extension. On the first connection, you will be asked for the passphrase once; subsequent sessions will retrieve it from Keychain. See Apple's ssh_config manual page [3].
7. (Recommended) Harden the Ubuntu server
Once key authentication is verified to work, disable password authentication so the server is not exposed to password-guessing attempts. On the Ubuntu host:
```bash
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
```
Edit /etc/ssh/sshd_config and set or confirm:
```
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
```
Important caveat: Ubuntu 22.04 and later ship with a drop-in directory at /etc/ssh/sshd_config.d/, and the main file contains an Include /etc/ssh/sshd_config.d/*.conf directive. OpenSSH uses the first value it reads for any keyword, and the drop-in files are read before the settings that follow the Include in the main file, so settings in drop-in files override the main file. Notably, 50-cloud-init.conf may set PasswordAuthentication yes and will win over your change in the main file. Either edit the drop-in file or place your override in a file that sorts earlier (for example /etc/ssh/sshd_config.d/00-local.conf) [1].
Validate the configuration before reloading:
```bash
sudo sshd -t
```
Reload:
```bash
sudo systemctl reload ssh
```
Keep your existing SSH session open while you open a second session to confirm the new configuration still permits you in. If the second session fails, you can fix the configuration through the first.
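The drop-in precedence from the caveat in this step, as an added example that is not part of the original post: a POSIX shell walk of a config tree in read order that reports which file supplies the first value of a keyword. The function names walk_config and first_value are hypothetical, the sample tree is constructed, and Match blocks, key=value syntax and relative Include paths are not handled.

```shell
#!/bin/sh
# Added example: which file decides an sshd keyword when drop-ins are included.

# Emit "<file> <keyword> <value>" for every setting, in the order it is read:
# top to bottom, expanding each Include at the point where it appears.
walk_config() {
    while read -r key val || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        if [ "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" = include ]; then
            for f in $val; do    # unquoted on purpose: glob expands in sorted order
                if [ -f "$f" ]; then walk_config "$f"; fi
            done
        else
            printf '%s %s %s\n' "$1" "$key" "$val"
        fi
    done < "$1"
}

# Print "<file>: <value>" for the first occurrence of keyword $1,
# starting from config file $2 (keywords are case-insensitive).
first_value() {
    walk_config "$2" | awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($2) == kw { print $1 ": " $3; exit }'
}

# Constructed sample tree (not read from the real /etc/ssh).
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nPermitRootLogin no\n' \
    "$demo" > "$demo/sshd_config"
printf 'PasswordAuthentication yes\n' > "$demo/sshd_config.d/50-cloud-init.conf"

echo "main file edited only:"
first_value PasswordAuthentication "$demo/sshd_config"    # 50-cloud-init.conf wins

printf 'PasswordAuthentication no\n' > "$demo/sshd_config.d/00-local.conf"
echo "after adding 00-local.conf:"
first_value PasswordAuthentication "$demo/sshd_config"    # 00-local.conf wins
```

On the real host, sudo sshd -T remains the authoritative view of the effective settings.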
8. Optional: stable addressing
The hard-coded IP 192.168.50.50 will only remain correct as long as the Ubuntu host receives the same address from your router. Two common approaches:
- Static DHCP reservation on the router, binding the Ubuntu machine's MAC address to 192.168.50.50. This is generally preferable to setting a static IP on the host itself, as it keeps allocation centralised.
- mDNS (hostname.local) via Avahi, which is installed and enabled by default on Ubuntu Desktop. macOS resolves .local names natively via Bonjour. You can typically connect via:

  ```bash
  ssh nick@<ubuntu-hostname>.local
  ```

  Confirm the hostname with hostnamectl on the Ubuntu machine.
9. Troubleshooting
| Symptom | Likely cause | Diagnostic |
|---|---|---|
| Connection refused | sshd not running or ufw blocking | sudo systemctl status ssh; sudo ufw status |
| Permission denied (publickey) | Wrong key offered, or bad permissions on ~/.ssh / authorized_keys | ssh -v nick@192.168.50.50; check /var/log/auth.log on Ubuntu |
| Still prompted for password after ssh-copy-id | Drop-in config overriding PasswordAuthentication, or authorized_keys mode wrong | sudo sshd -T \| grep -i auth; ls -l ~/.ssh |
| Host key mismatch warning | Server reinstalled or address now points to a different host | If legitimate, remove the old entry: ssh-keygen -R 192.168.50.50 |
ssh -v (verbose), -vv, or -vvv on the client is the single most useful diagnostic for authentication failures.
References
[1] OpenSSH server — Ubuntu Server Documentation. https://documentation.ubuntu.com/server/how-to/security/openssh-server/
[2] OpenSSH 6.5 Release Notes — OpenSSH Project. https://www.openssh.com/txt/release-6.5
[3] ssh_config(5), Apple macOS manual page (man ssh_config on the MacBook).
Additional manual pages referenced throughout: ssh(1), sshd(8), ssh-keygen(1), ssh-copy-id(1), ssh_config(5), sshd_config(5). All are available locally via man <name> on either system.