SSH Keys
Also Known As
SSH keypair
public key authentication
TL;DR
Asymmetric cryptographic key pairs used for passwordless SSH authentication — the public key is placed on servers, the private key never leaves your machine.
Explanation
SSH key authentication uses a private key (kept secret on the client) and a public key (listed in ~/.ssh/authorized_keys on the server). The server does not encrypt a challenge for the client to decrypt; instead the client proves possession of the private key by signing a message that includes the session identifier negotiated during key exchange, and the server verifies that signature against the stored public key (RFC 4252). Because the signed data is bound to the session, a captured signature cannot be replayed against another connection. Ed25519 is the current recommended algorithm: compact, fast, and secure. RSA of at least 3072 bits is acceptable (4096 is common). Protect the private key with a passphrase, and use ssh-agent so the passphrase is entered once per session rather than on every connection.
Common Misconception
✗ Sharing your SSH public key is a security risk — public keys are designed to be shared; only the private key must be protected.
Why It Matters
Properly generated keys are far stronger than passwords: guessing a private key is computationally infeasible, and once password authentication is disabled there is no password for an attacker to brute-force or spray. Servers should therefore turn password authentication off entirely and accept key-based authentication only.
Common Mistakes
- Using RSA 1024 or DSA keys, or generating new RSA keys shorter than 3072 bits. Use Ed25519, or RSA with at least 3072 bits (4096 preferred); check existing keys with ssh-keygen -l -f key.pub.
- Not setting a passphrase on private keys. An unencrypted key file, wherever it turns up (a backup, a repository, a lost laptop), logs in to every server that lists its public key.
- Not using ssh-agent, so the passphrase is typed on every connection, or worse, stripped from the key to avoid the prompt.
- Leaving password authentication enabled alongside key auth. Keys then add nothing against brute force; note that sshd's KbdInteractiveAuthentication (with PAM) can still accept passwords even when PasswordAuthentication is off.
Code Examples
✗ Vulnerable
# Insecure SSH setup:
ssh-keygen -t rsa -b 1024 -N '' # 1024-bit RSA is too short, and -N '' writes the key with no passphrase
# /etc/ssh/sshd_config:
PasswordAuthentication yes # Still allows password login, so brute force remains possible
✓ Fixed
# Secure SSH key generation:
ssh-keygen -t ed25519 -a 100 -C 'deploy@company.com'
# Enter a strong passphrase when prompted; -a 100 raises the KDF rounds protecting the key file
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519 # Cache the decrypted key in the agent for this session
ssh-keygen -l -f ~/.ssh/id_ed25519.pub # Confirm type and fingerprint before deploying
# /etc/ssh/sshd_config:
PasswordAuthentication no
KbdInteractiveAuthentication no # Otherwise PAM can still prompt for a password (ChallengeResponseAuthentication on older OpenSSH)
PubkeyAuthentication yes
PermitRootLogin no
# Validate the config before reloading sshd, or a typo can lock you out:
sshd -t
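The following audit script is an added example, not code from the original page: it checks the two things the Common Mistakes list and the fixed configuration above are about, the strength of each public key (by decoding the OpenSSH key blob and measuring the RSA modulus) and the effective sshd_config settings. It uses only the Python standard library. The sample keys and configs are constructed inline for the demo; the RSA modulus is a made-up number of the requested bit length, not a real key, and Match blocks in sshd_config are skipped, which is an assumption made to keep the example short.

```python
"""Audit SSH public keys and an sshd_config for weak keys and password login.

Added example, standard library only. All keys and configs are CONSTRUCTED
for the demo; the RSA modulus is a made-up number, not a real key.
"""
import base64
import re
import struct

# OpenSSH public-key blobs are length-prefixed fields (RFC 4253 section 6.6).
def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    return blob[offset:offset + length], offset + length

def _string(data):
    return struct.pack(">I", len(data)) + data

def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:      # mpint is signed: keep positive values positive
        raw = b"\x00" + raw
    return _string(raw)

def make_rsa_pubkey_line(bits, comment):
    """Synthetic ssh-rsa line whose modulus has exactly `bits` bits (demo only)."""
    n = (1 << (bits - 1)) + 1      # NOT a real RSA modulus
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def make_ed25519_pubkey_line(comment):
    """Synthetic ssh-ed25519 line with 32 placeholder bytes (demo only)."""
    blob = _string(b"ssh-ed25519") + _string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def key_strength(line):
    """Return (type, bits) for one authorized_keys/.pub line; leading options are skipped."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in KEY_TYPES)
    blob = base64.b64decode(fields[idx + 1])
    name, off = _read_string(blob, 0)
    if name.decode() != fields[idx]:
        raise ValueError("declared key type does not match the blob")
    if name == b"ssh-rsa":
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return "ssh-rsa", int.from_bytes(n, "big").bit_length()
    if name == b"ssh-ed25519":
        return "ssh-ed25519", 256
    if name.startswith(b"ecdsa-sha2-nistp"):
        return name.decode(), int(name[-3:])
    return "ssh-dss", 1024         # DSA keys are fixed at 1024 bits: always weak

SSHD_DEFAULTS = {                  # sshd_config(5) defaults when a keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def effective_settings(config_text):
    """sshd keeps the FIRST value of each keyword; later duplicates are ignored.
    Keywords inside Match blocks are skipped (demo assumption)."""
    settings, seen, in_match = dict(SSHD_DEFAULTS), set(), False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "challengeresponseauthentication":   # old name for the same option
            key = "kbdinteractiveauthentication"
        if key == "match":
            in_match = True
        elif not in_match and key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings

def audit(key_lines, config_text, min_rsa_bits=3072):
    """Return a list of findings; an empty list means everything passed."""
    findings = []
    for line in key_lines:
        ktype, bits = key_strength(line)
        if ktype == "ssh-dss" or (ktype == "ssh-rsa" and bits < min_rsa_bits):
            findings.append(f"weak key: {ktype} {bits} bits ({line.split()[-1]})")
    cfg = effective_settings(config_text)
    if cfg["passwordauthentication"] != "no":
        findings.append(f"PasswordAuthentication is '{cfg['passwordauthentication']}', not 'no'")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for passwords")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is '{cfg['permitrootlogin']}', not 'no'")
    return findings

# Constructed sample inputs (not real keys, not a real server configuration).
WEAK_KEYS = [make_rsa_pubkey_line(1024, "legacy-deploy"),
             make_ed25519_pubkey_line("deploy@company.com")]
VULNERABLE_CONFIG = """
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no   # never takes effect: sshd already took the first value
"""
FIXED_CONFIG = """
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
"""

if __name__ == "__main__":
    print("vulnerable:", audit(WEAK_KEYS, VULNERABLE_CONFIG))
    print("fixed:", audit(WEAK_KEYS[1:], FIXED_CONFIG) or "no findings")
```

The first-value-wins rule in effective_settings is the detail that trips people up in practice: appending PasswordAuthentication no to the end of a config that already says yes higher up changes nothing, which is why sshd -T (print the effective config) is worth running after every edit.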
Added: 15 Mar 2026
Edited: 22 Mar 2026
Related categories: DEV INTEL
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Generate ed25519 keys (ssh-keygen -t ed25519), disable password authentication (PasswordAuthentication no in sshd_config), and require SSH key authentication for all server access
📦 Applies To
any
cli
🔍 Detection Hints
SSH password authentication enabled on production; RSA keys shorter than 3072 bits (check with ssh-keygen -l -f key.pub); no passphrase on deployment keys; root login permitted via SSH (PermitRootLogin set to anything other than no)
Auto-detectable:
✓ Yes
lynis
ssh-audit
🤖 AI Agent
Confidence: High
False Positives: Low
✗ Manual fix
Fix: Medium
Context: File
CWE-321
CWE-798