CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

SSH Keys

Linux Beginner
debt(d5/e3/b3/t3)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list lynis and ssh-audit as the tools that catch misconfigurations such as password authentication still enabled, weak RSA key sizes, missing passphrases, and root login permitted. These are specialist security audit tools rather than default linters or compilers, and the issues are silent in production unless someone actively runs these tools.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is well-defined: run ssh-keygen -t ed25519, set PasswordAuthentication no in sshd_config, and enforce key-based auth. This is a small, focused set of changes within one configuration file and one key generation step — no cross-cutting refactor required, but it is more than a single one-line patch because it touches key generation, sshd_config, and authorized_keys distribution.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). SSH key management applies to the CLI/server access context. Once correctly configured (Ed25519 keys, disabled password auth, passphrases with ssh-agent), the ongoing burden is modest — mainly onboarding new developers or rotating keys. It doesn't pervade application code or shape architectural decisions broadly.

t3 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'minor surprise' (t3). The canonical misconception per the metadata is that sharing a public key is a security risk — it isn't; public keys are designed to be shared. This is a single, well-known edge-case misunderstanding rather than a deep conceptual trap. Competent developers generally learn this quickly, making it a minor rather than serious surprise.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

SSH keypair public key authentication

TL;DR

Asymmetric cryptographic key pairs used for passwordless SSH authentication — the public key is placed on servers, the private key never leaves your machine.

Explanation

SSH key authentication uses a private key (kept secret) and a public key (placed in ~/.ssh/authorized_keys on the server). Authentication works by the server sending a challenge encrypted with the public key; only the holder of the private key can decrypt and respond. Ed25519 is the current recommended algorithm — compact, fast, and secure. RSA 4096 is acceptable. Keys should be protected with a passphrase; use ssh-agent to avoid re-entering it.

Common Misconception

Sharing your SSH public key is a security risk — public keys are designed to be shared; only the private key must be protected.

Why It Matters

SSH keys are stronger than passwords and immune to brute force — servers should disable password authentication entirely and require key-based auth.

Common Mistakes

  • Using RSA 1024 or RSA 2048 — use Ed25519 or RSA 4096 minimum.
  • Not setting a passphrase on private keys — an unencrypted key file found anywhere grants full access.
  • Not using ssh-agent — repeatedly decrypting the key passphrase manually, or worse, removing the passphrase.
  • Leaving password authentication enabled alongside key auth — brute force still possible.

Code Examples

✗ Vulnerable 
# Insecure SSH setup:
ssh-keygen -t rsa -b 1024  # Too short
# No passphrase set
# /etc/ssh/sshd_config:
PasswordAuthentication yes  # Still allows password login
✓ Fixed 
# Secure SSH key generation:
ssh-keygen -t ed25519 -C 'deploy@company.com'
# Enter strong passphrase
eval $(ssh-agent)
ssh-add ~/.ssh/id_ed25519  # Cache passphrase for session

# /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
Added 15 Mar 2026
Edited 22 Mar 2026
Views 40

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 1 ping T 1 ping W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Amazonbot 10 Perplexity 4 Ahrefs 4 Unknown AI 3 Bing 3 Google 2 Claude 2 ChatGPT 2 Scrapy 2 Meta AI 1
Also referenced
Defence in Depth 64 Principle of Least Privilege 54 Linux File Permissions 53
How they use it
crawler 28 crawler_json 4 pre-tracking 1
Related categories
general 3k linux 936
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Generate ed25519 keys (ssh-keygen -t ed25519), disable password authentication (PasswordAuthentication no in sshd_config), and require SSH key authentication for all server access
📦 Applies To
any cli
🔗 Prerequisites
🔍 Detection Hints
SSH password authentication enabled on production; RSA keys older than 3072 bits; no passphrase on deployment keys; root login permitted via SSH
Auto-detectable: ✓ Yes lynis ssh-audit
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✗ Manual fix Fix: Medium Context: File
CWE-321 CWE-798
✓ schema.org compliant