SSH Keys
Use SSH key-based authentication for secure, password-free access to your servers. More secure than passwords and easier to manage.
What Are SSH Keys?
Simple Explanation: SSH keys are like digital keys that unlock your servers. Instead of typing passwords, your computer uses a secret key to prove your identity. Much more secure and convenient.
Why SSH keys?
Password Authentication:
✗ Can be guessed/cracked
✗ Need to type each time
✗ Weak passwords common
✗ Phishing vulnerable
SSH Key Authentication:
✓ Cannot be guessed
✓ Automatic login
✓ Strong by default
✓ Phishing resistant
Key Concepts
Public & Private Keys
How it works:
You generate TWO keys:
Private Key (Secret):
- Stays on your computer
- NEVER share this
- Like your house key
Public Key (Shareable):
- Goes on servers
- Safe to share
- Like a lock
Key Types
ED25519 (Recommended):
Type: ED25519
Size: 256-bit (fixed)
Speed: Very fast
Security: Excellent
Compatibility: Modern systems
Best for: Everything (default choice)
RSA:
Type: RSA
Size: 2048, 3072, 4096-bit
Speed: Slower than ED25519
Security: Good (with 4096-bit)
Compatibility: Universal
Best for: Legacy systems
ECDSA:
Type: ECDSA
Size: 256, 384, 521-bit
Speed: Fast
Security: Good
Compatibility: Most systems
Best for: Alternative to ED25519
Generating SSH Keys
Access Keychain
Main Menu → Keychain
or
Hosts Tab → Keychain button
Generate New Key
Step 1: Click Generate
┌────────────────────────────────────┐
│ SSH Keychain │
├────────────────────────────────────┤
│ [+ Generate New Key] │
│ │
│ Your Keys: 0 │
│ (No keys yet) │
└────────────────────────────────────┘
Step 2: Configure Key
┌────────────────────────────────────┐
│ Generate SSH Key │
├────────────────────────────────────┤
│ Key Name: * │
│ [My Personal Key ] │
│ │
│ Key Type: │
│ ● ED25519 (recommended) │
│ ○ RSA │
│ ○ ECDSA │
│ │
│ RSA Key Size: (if RSA selected) │
│ ○ 2048-bit │
│ ○ 3072-bit │
│ ● 4096-bit (recommended) │
│ │
│ Comment: │
│ [john@macbook ] │
│ │
│ Passphrase Protection: (optional) │
│ [ ] Add passphrase │
│ │
│ [Cancel] [Generate] │
└────────────────────────────────────┘
Step 3: Key Generated
✓ SSH Key Generated Successfully!
Name: My Personal Key
Type: ED25519
Fingerprint: SHA256:abc123...xyz789
Public Key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...
john@macbook
[Copy Public Key] [View Details] [Done]
Generate Options
Key Name:
Good names:
✓ "Personal - MacBook"
✓ "Work - Production Access"
✓ "GitHub - john@example.com"
✓ "Company Servers"
Bad names:
✗ "Key 1"
✗ "Test"
✗ "Untitled"
Passphrase Protection:
Add Passphrase:
[✓] Add passphrase
Passphrase:
[••••••••••]
Confirm:
[••••••••••]
Benefit: Extra security layer
Trade-off: Must enter passphrase
Why passphrase?
Without passphrase:
- Anyone with file can use key
- If laptop stolen, keys exposed
With passphrase:
- Need passphrase + file
- Stolen laptop protected
- Recommended for important servers
Managing SSH Keys
View Keys
Keychain list:
┌──────────────────────────────────────────┐
│ SSH Keychain [+ New] │
├──────────────────────────────────────────┤
│ 🔑 My Personal Key │
│ ED25519 | SHA256:abc123... │
│ Created: Jan 15, 2024 │
│ Last used: 2 hours ago │
│ [Copy Public Key] [Export] [Delete] │
├──────────────────────────────────────────┤
│ 🔑 Work - Production │
│ RSA 4096 | SHA256:def456... │
│ Created: Dec 10, 2023 │
│ Last used: 5 minutes ago │
│ [Copy Public Key] [Export] [Delete] │
├──────────────────────────────────────────┤
│ 🔑 GitHub Access │
│ ED25519 | SHA256:ghi789... │
│ Created: Nov 5, 2023 │
│ Last used: Never │
│ [Copy Public Key] [Export] [Delete] │
└──────────────────────────────────────────┘
Key Details
Click key to view:
┌────────────────────────────────────┐
│ SSH Key Details [✕] │
├────────────────────────────────────┤
│ Name: My Personal Key │
│ Type: ED25519 │
│ Size: 256-bit │
│ │
│ Fingerprint (SHA256): │
│ abc123def456ghi789jkl012mno345 │
│ [Copy] │
│ │
│ Fingerprint (MD5): │
│ 12:34:56:78:90:ab:cd:ef:12:34 │
│ [Copy] │
│ │
│ Public Key: │
│ ┌────────────────────────────────┐ │
│ │ssh-ed25519 AAAAC3NzaC1lZDI1... │ │
│ │...john@macbook │ │
│ └────────────────────────────────┘ │
│ [Copy Public Key] │
│ │
│ Comment: john@macbook │
│ Created: Jan 15, 2024 10:30 AM │
│ Last Used: 2 hours ago │
│ Used Count: 127 times │
│ │
│ Security: │
│ [✓] Passphrase protected │
│ [✓] Encrypted at rest │
│ │
│ [Edit] [Export] [Delete] │
└────────────────────────────────────┘
Copy Public Key
Quick copy:
Click "Copy Public Key" button
→ Public key copied to clipboard
→ Ready to paste on server
Use for:
- Adding to ~/.ssh/authorized_keys
- GitHub/GitLab settings
- Server control panels
Edit Key
Update key details:
Edit SSH Key:
Name:
[My Personal Key ]
Comment:
[john@macbook ]
Passphrase:
[ ] Change passphrase
Current: [••••••]
New: [••••••]
Confirm: [••••••]
[Save]
Delete Key
Remove key:
Delete SSH Key?
Name: Old Server Key
Type: RSA 2048
Last used: Never
⚠️ This will:
- Delete private key (cannot undo)
- Remove from keychain
- Hosts using this key won't connect
Recommendation:
- Remove from servers first
- Then delete from keychain
[Cancel] [Delete]
Using SSH Keys
Add Key to Host
When creating host:
New Host:
Name: [Production Server ]
Connection:
Host: [prod.example.com]
Port: [22]
User: [deploy]
Authentication:
● SSH Key
○ Password
SSH Key:
[My Personal Key ▼]
[Save]
Select from keychain:
SSH Key:
[Select key... ▼]
Available Keys:
○ My Personal Key (ED25519)
○ Work - Production (RSA 4096)
○ GitHub Access (ED25519)
● Generate new key...
● Import existing key...
Deploy Key to Server
Automatic deployment:
Right-click key → Deploy to Server
Deploy SSH Key:
Target Server:
[production.example.com ▼]
User:
[deploy ]
Authentication Method:
● Use password (once)
○ Use existing SSH key
Password:
[••••••••••]
[✓] Test connection after deploy
[✓] Remove password from host
[Deploy]
What happens:
1. Connects to server with password
2. Creates ~/.ssh directory (if needed)
3. Appends public key to authorized_keys
4. Sets correct permissions
5. Tests connection with key
6. Success! Password no longer needed
Importing SSH Keys
Import Existing Key
From file:
Keychain → Import Key
Import SSH Key:
Private Key File:
[Choose File...] id_rsa
or
Paste Key:
┌────────────────────────────────┐
│-----BEGIN OPENSSH PRIVATE KEY--│
│b3BlbnNzaC1rZXktdjEAAAAA... │
│-----END OPENSSH PRIVATE KEY----│
└────────────────────────────────┘
Key Name:
[Imported from Mac ]
If passphrase protected:
Passphrase:
[••••••••••]
[Import]
Import from System
From ~/.ssh/:
Import → From System
Found Keys:
[✓] ~/.ssh/id_ed25519
[ ] ~/.ssh/id_rsa
[✓] ~/.ssh/github_key
[Import Selected]
Exporting SSH Keys
Export Key
Save to file:
Right-click key → Export
Export SSH Key:
What to export:
[✓] Public key (.pub)
[✓] Private key
Format:
● OpenSSH (recommended)
○ PEM (legacy)
○ PuTTY (.ppk)
Location:
[Choose Folder...] ~/Documents/keys/
Files will be named:
- my-personal-key.pub
- my-personal-key (private)
⚠️ Keep private key secure!
[Export]
Export Public Key Only
Share public key:
Copy to clipboard → Paste to:
- Email
- Chat
- Server web UI
- GitHub/GitLab
Safe to share!
No security risk
SSH Key Security
Best Practices
1. Use ED25519:
Best choice:
Type: ED25519
Size: Default
Passphrase: Yes (recommended)
2. Passphrase Protection:
Always use passphrase for:
- Production servers
- Important accounts
- Shared computers
- Laptops (theft risk)
Skip passphrase for:
- Test servers
- Automation (CI/CD)
- Local development
3. Separate Keys:
Create separate keys for:
✓ Personal projects
✓ Work servers
✓ GitHub/GitLab
✓ Different clients
Don't use same key everywhere!
4. Regular Rotation:
Rotate keys:
- Every 6-12 months
- When employee leaves
- After security incident
- Device lost/stolen
Generate new → Deploy → Delete old
5. Backup Keys:
Backup private keys:
1. Export to encrypted drive
2. Store in password manager
3. Keep offline backup
4. Test restore process
Don't lose keys!
What NOT to Do
✗ Share private keys
✗ Email private keys
✗ Store unencrypted in cloud
✗ Reuse same key everywhere
✗ Use weak key (RSA 1024)
✗ No passphrase on production keys
✗ Commit keys to Git
✗ Save in unsecured locations
Troubleshooting
Key Not Working
Check:
1. Public key on server?
cat ~/.ssh/authorized_keys
2. Correct user?
Verify username matches
3. Correct key selected?
Check host configuration
4. Permissions correct?
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
5. SELinux/AppArmor blocking?
Check security policies
Permission Denied
Fix server permissions:
# On server
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chown user:user ~/.ssh -R
Passphrase Issues
Forgot passphrase:
Unfortunately:
- Passphrase cannot be recovered
- Private key unusable
- Must generate new key
Solution:
1. Generate new key pair
2. Deploy new public key
3. Delete old key
Key Won't Import
Check format:
Supported formats:
✓ OpenSSH format (default)
✓ PEM format
✓ PuTTY .ppk (converted)
If wrong format:
Convert with ssh-keygen or PuTTYgen
Advanced Features
Key Certificates
SSH certificates:
Certificate Authority (CA):
- Organization signs keys
- Centralized management
- Time-limited access
- Automatic expiry
Coming soon to Xermius!
Hardware Keys
YubiKey/hardware support:
Use hardware security keys:
- Key stored on device
- Cannot be extracted
- Physical authentication
- Maximum security
Setup in Advanced settings
Agent Forwarding
Forward keys to remote:
Use your keys through jump host:
Local → Jump Host → Target
Enable in host settings:
[✓] Enable agent forwarding
Caution: Only on trusted servers!
Quick Reference
Generate Key (Recommended)
Type: ED25519
Passphrase: Yes
Name: Descriptive
Comment: Your email
Deploy to Server
# On server:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
# Paste public key
chmod 600 ~/.ssh/authorized_keys
Verify Key
# Test connection:
ssh -i ~/.ssh/key_file user@server
# Should connect without password
Next Steps
- 🔐 Key Management - Advanced key management
- 🛡️ Security Settings - Security options
- 🔗 Authentication Methods - All auth methods
- 📘 Hosts - Configure hosts with keys