{ "slug": "ssh_keys", "term": "SSH Keys", "category": "linux", "difficulty": "beginner", "short": "Asymmetric cryptographic key pairs used for passwordless SSH authentication — the public key is placed on servers, the private key never leaves your machine.", "long": "SSH key authentication uses a private key (kept secret) and a public key (placed in ~/.ssh/authorized_keys on the server). Authentication works by the server sending a challenge encrypted with the public key; only the holder of the private key can decrypt and respond. Ed25519 is the current recommended algorithm — compact, fast, and secure. RSA 4096 is acceptable. Keys should be protected with a passphrase; use ssh-agent to avoid re-entering it.", "aliases": [ "SSH keypair", "public key authentication" ], "tags": [ "linux", "security", "devops", "ssh" ], "misconception": "Sharing your SSH public key is a security risk — public keys are designed to be shared; only the private key must be protected.", "why_it_matters": "SSH keys are stronger than passwords and immune to brute force — servers should disable password authentication entirely and require key-based auth.", "common_mistakes": [ "Using RSA 1024 or RSA 2048 — use Ed25519 or RSA 4096 minimum.", "Not setting a passphrase on private keys — an unencrypted key file found anywhere grants full access.", "Not using ssh-agent — repeatedly decrypting the key passphrase manually, or worse, removing the passphrase.", "Leaving password authentication enabled alongside key auth — brute force still possible." ], "when_to_use": [], "avoid_when": [], "related": [ "linux_file_permissions", "defence_in_depth", "principle_of_least_privilege" ], "prerequisites": [ "linux_user_management", "asymmetric_encryption", "security_by_design" ], "refs": [ "https://www.ssh.com/academy/ssh/keygen" ], "bad_code": "# Insecure SSH setup:\nssh-keygen -t rsa -b 1024 # Too short\n# No passphrase set\n# /etc/ssh/sshd_config:\nPasswordAuthentication yes # Still allows password login", "good_code": "# Secure SSH key generation:\nssh-keygen -t ed25519 -C 'deploy@company.com'\n# Enter strong passphrase\neval $(ssh-agent)\nssh-add ~/.ssh/id_ed25519 # Cache passphrase for session\n\n# /etc/ssh/sshd_config:\nPasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no", "quick_fix": "Generate ed25519 keys (ssh-keygen -t ed25519), disable password authentication (PasswordAuthentication no in sshd_config), and require SSH key authentication for all server access", "severity": "high", "effort": "low", "created": "2026-03-15", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/ssh_keys", "html_url": "https://codeclaritylab.com/glossary/ssh_keys", "json_url": "https://codeclaritylab.com/glossary/ssh_keys.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[SSH Keys](https://codeclaritylab.com/glossary/ssh_keys) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/ssh_keys" } } } }