
SSH Keys

SSH keys provide secure, password-less authentication to your ClawBook VPS. This guide covers key generation, deployment, and management.

Why Use SSH Keys?

| Feature | Password | SSH Key |
|---|---|---|
| Security | Vulnerable to brute force | Nearly impossible to crack |
| Convenience | Type every time | Automatic login |
| Automation | Difficult | Easy |
| Revocation | Change password everywhere | Remove single key |

Key Types

| Type | Security | Compatibility | Recommendation |
|---|---|---|---|
| Ed25519 | Excellent | Modern systems | Recommended |
| RSA 4096 | Excellent | Universal | Good fallback |
| ECDSA | Good | Most systems | OK |
| RSA 2048 | Adequate | Universal | Minimum |
| DSA | Weak | Legacy | Don't use |

Generating SSH Keys

ssh-keygen -t ed25519 -C "your@email.com"

RSA 4096 (Compatibility)

ssh-keygen -t rsa -b 4096 -C "your@email.com"

Interactive Prompts

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/you/.ssh/id_ed25519): [Enter]
Enter passphrase (empty for no passphrase): [strong passphrase]
Enter same passphrase again: [repeat]

Always use a passphrase for security.

Generated Files

~/.ssh/
├── id_ed25519 # Private key (NEVER share)
└── id_ed25519.pub # Public key (safe to share)

Deploying Keys

Linux/macOS

ssh-copy-id root@YOUR_VPS_IP

Windows PowerShell

# Display public key
Get-Content ~/.ssh/id_ed25519.pub

# Connect and add manually
ssh root@YOUR_VPS_IP
mkdir -p ~/.ssh
echo "YOUR_PUBLIC_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
exit

Manual Method

# On local machine, display public key
cat ~/.ssh/id_ed25519.pub

# On server
nano ~/.ssh/authorized_keys
# Paste the public key
# Save and exit

# Set permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Testing Key Authentication

ssh root@YOUR_VPS_IP

You should connect without entering the server password (only your key passphrase if set).

Disabling Password Authentication

Only after confirming key login works:

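# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Set these options:
PasswordAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
# Named KbdInteractiveAuthentication in OpenSSH 8.7+; the old name is still accepted
ChallengeResponseAuthentication no
# Also turns off PAM account and session handling, not just PAM authentication
UsePAM no

# Restart SSH (the service is named ssh on Debian and Ubuntu)
sudo systemctl restart sshd

Keep Current Session Open: test in a new terminal before closing your current session.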
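
A check on the effective configuration after the edit above (added example, not part of the original guide). It assumes you pipe in the output of `sudo sshd -T`, which prints the settings sshd will actually use once every included file is applied; `audit_sshd` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# audit_sshd reads `sshd -T` output on stdin, prints one FAIL line per
# setting that differs from this guide, and returns 0 only if all match.
audit_sshd() {
    awk '
    BEGIN {
        # sshd -T prints keywords in lowercase. Some OpenSSH versions print
        # "without-password" for prohibit-password, so accept both.
        want["passwordauthentication"] = "no"
        want["pubkeyauthentication"] = "yes"
        want["permitrootlogin"] = "prohibit-password without-password"
        # ChallengeResponseAuthentication is the older name of this keyword.
        want["kbdinteractiveauthentication"] = "no"
        want["challengeresponseauthentication"] = "no"
    }
    ($1 in want) {
        seen[$1] = 1
        if (index(" " want[$1] " ", " " $2 " ") == 0) {
            printf "FAIL %s is %s (want %s)\n", $1, $2, want[$1]
            bad = 1
        }
    }
    END {
        n = split("passwordauthentication pubkeyauthentication permitrootlogin", req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in seen)) { printf "FAIL %s not reported\n", req[i]; bad = 1 }
        if (!("kbdinteractiveauthentication" in seen) &&
            !("challengeresponseauthentication" in seen)) {
            print "FAIL kbdinteractiveauthentication not reported"; bad = 1
        }
        exit bad
    }'
}

# Constructed sample: the shape of `sshd -T` output on a host where another
# included config file still turns password logins on.
sample='port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

printf '%s\n' "$sample" | audit_sshd || echo "password logins are still possible"
```

On the server, run `sudo sshd -t` to catch syntax errors and then `sudo sshd -T | audit_sshd` before restarting the service.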

Managing Multiple Keys

Different Keys for Different Servers

# Generate server-specific key
ssh-keygen -t ed25519 -f ~/.ssh/clawbook_key -C "clawbook@example.com"

# Add to SSH config
nano ~/.ssh/config

Host clawbook
    HostName YOUR_VPS_IP
    User root
    IdentityFile ~/.ssh/clawbook_key

Host work-server
    HostName work.example.com
    User admin
    IdentityFile ~/.ssh/work_key

Now connect with:

ssh clawbook

SSH Agent

Cache your key passphrase:

# Start agent
eval "$(ssh-agent -s)"

# Add key
ssh-add ~/.ssh/id_ed25519

# Verify
ssh-add -l

Key Rotation

Rotate keys periodically for security:

Generate New Key

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_new -C "your@email.com"

Add New Key to Server

ssh-copy-id -i ~/.ssh/id_ed25519_new.pub root@YOUR_VPS_IP

Test New Key

ssh -i ~/.ssh/id_ed25519_new root@YOUR_VPS_IP

Remove Old Key

# On server
nano ~/.ssh/authorized_keys
# Delete line with old key

Replace Local Key

mv ~/.ssh/id_ed25519 ~/.ssh/id_ed25519_old
mv ~/.ssh/id_ed25519_new ~/.ssh/id_ed25519
mv ~/.ssh/id_ed25519_new.pub ~/.ssh/id_ed25519.pub

Revoking Access

Remove Single Key

# On server
nano ~/.ssh/authorized_keys
# Find and delete the specific key line

Identify Keys

Each key has a comment at the end:

ssh-ed25519 AAAA...xyz your@email.com
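
Removing a key by its key material rather than by eye, for the rotation and revocation steps above (added example, not part of the original guide). The rotation steps give the new key the same comment as the old one, so the comment alone does not tell them apart; `revoke_key` and the placeholder key strings are constructed for illustration.

```shell
#!/bin/sh
# revoke_key AUTH_KEYS PUBKEY_FILE
# Remove every authorized_keys line holding the same key material as
# PUBKEY_FILE, whatever its comment or options prefix says.
revoke_key() {
    auth=$1 pub=$2
    # Field 2 of a .pub file is the base64 key blob.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub")
    [ -n "$blob" ] || { echo "no key found in $pub" >&2; return 2; }
    # Temp file in the same directory, so the final mv is a plain rename.
    tmp=$(mktemp "$auth.XXXXXX") || return 2
    status=0
    # Keep only lines where no whitespace-separated field equals the blob.
    awk -v blob="$blob" '{
        for (i = 1; i <= NF; i++) if ($i == blob) { hit = 1; next }
        print
    } END { exit hit ? 0 : 3 }' "$auth" > "$tmp" || status=$?
    if [ "$status" -ne 0 ]; then
        rm -f "$tmp"
        echo "nothing removed from $auth" >&2
        return 1
    fi
    # Keep a backup of the previous file, then swap in the filtered copy.
    cp -p "$auth" "$auth.bak" && mv "$tmp" "$auth"
}

# Constructed demo in a scratch directory; the key blobs are placeholders,
# not real keys. The old key appears twice, once under a different comment.
demo=$(mktemp -d)
printf '%s\n' \
    'ssh-ed25519 AAAAexampleOLDkey your@email.com' \
    'from="203.0.113.7" ssh-ed25519 AAAAexampleOLDkey laptop-copy' \
    'ssh-ed25519 AAAAexampleNEWkey your@email.com' > "$demo/authorized_keys"
echo 'ssh-ed25519 AAAAexampleOLDkey your@email.com' > "$demo/old.pub"

revoke_key "$demo/authorized_keys" "$demo/old.pub" && cat "$demo/authorized_keys"
```

`ssh-keygen -lf ~/.ssh/authorized_keys` prints a fingerprint and comment for each key in the file, which helps confirm what is left afterwards.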

Remove All Keys

# Nuclear option - removes all authorized keys
rm ~/.ssh/authorized_keys

Warning: ensure you have another way to access the server before doing this.

Security Best Practices

Key Protection

  1. Use strong passphrases - 20+ characters
  2. Never share private keys - Even with colleagues
  3. Use different keys - Per device and per purpose
  4. Backup keys securely - Encrypted storage only
  5. Rotate regularly - Every 6-12 months

Passphrase Tips

Good passphrase:

correct-horse-battery-staple-2026!

Bad passphrase:

password123

Physical Security

  • Don't leave sessions logged in
  • Lock your computer
  • Use full disk encryption
  • Don't store keys on shared computers

Troubleshooting

Permission Denied (publickey)

# Check key is being offered
ssh -v root@YOUR_VPS_IP

# Verify permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

# On server
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Agent Forwarding Issues

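# Enable in SSH config
# Forward only to servers you trust: while you are connected, anyone with
# root on that server can use the forwarded agent to authenticate as you
Host clawbook
    ForwardAgent yes

# Or use -A flag
ssh -A root@YOUR_VPS_IP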

Key Not Accepted

Check:

  1. Key is in authorized_keys
  2. Permissions are correct
  3. Key type is supported
  4. PubkeyAuthentication yes in sshd_config

Wrong Key Being Used

Specify key explicitly:

ssh -i ~/.ssh/specific_key root@YOUR_VPS_IP

Advanced: Hardware Keys

YubiKey

Generate key on YubiKey:

ssh-keygen -t ed25519-sk -C "yubikey@example.com"

FIDO2 Keys

ssh-keygen -t ecdsa-sk -C "fido2@example.com"

Requires OpenSSH 8.2+ and compatible hardware.
