Our system does not access your site's filesystem until after you have authenticated yourself. Also, correct authentication depends on both member name and site (since more than one member name may have permission to access a given site and a given member name may be able to access more than one site). Therefore, you cannot place a public key file in your site's filesystem to bypass password authentication.
Instead, we keep a separate keychain for each member. To use an SSH public key, add it to your keychain on the profile tab.
Once installed into your membership's keychain, an SSH key will authenticate you for any site you are authorized to access, including your sites and any sites you may have adjunct access to.
Per current best security practices, here are the key types we support:
- Ed25519 keys are supported. We strongly recommend the use of Ed25519 keys.
- ECDSA keys of 256 and 521 bits (521 recommended) are supported. (Recommended for low-power devices if Ed25519 is not available.)
- RSA keys of 2048+ bits (4096+ recommended) not on the Debian weak key blacklist are supported, but not encouraged.
DSA/DSS ("ssh-dss") keys are not supported at all. This is a US government FIPS standard developed by the NSA and intended only for low-security usage. (Read: they are probably not secure.)
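As an added example (not part of the original page and not the provider's code), this Python check parses an OpenSSH public key line and classifies it against the key types listed above before you paste it into a keychain. The function names, verdict labels and sample keys are constructed for illustration, and the Debian weak key blacklist is not checked.

```python
import base64

def fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 4:
            raise ValueError("truncated length prefix")
        n = int.from_bytes(blob[i:i + 4], "big")
        if len(blob) - i - 4 < n:
            raise ValueError("truncated field")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def classify(line):
    """Return (verdict, detail) for one 'type base64 [comment]' key line."""
    parts = line.split()
    if len(parts) < 2:
        return "rejected", "not an OpenSSH public key line"
    kind = parts[0]
    try:
        f = fields(base64.b64decode(parts[1], validate=True))
    except ValueError:  # also covers binascii.Error from bad base64
        return "rejected", "malformed key blob"
    if not f or f[0] != kind.encode():
        return "rejected", "type label and key blob disagree"
    if kind == "ssh-ed25519":
        ok = len(f) == 2 and len(f[1]) == 32
        return ("recommended", "Ed25519") if ok else ("rejected", "bad Ed25519 blob")
    if kind in ("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp521"):
        return "supported", "ECDSA " + kind[-3:] + " bits"
    if kind == "ssh-rsa":
        # The modulus is the third field; a leading zero byte does not add bits.
        bits = int.from_bytes(f[2], "big").bit_length() if len(f) == 3 else 0
        if bits < 2048:
            return "rejected", f"RSA modulus of {bits} bits is below 2048"
        return "discouraged", f"RSA {bits} bits, weak key blacklist not checked"
    if kind == "ssh-dss":
        return "rejected", "DSA keys are not supported"
    return "rejected", "key type is not in the supported list"

def make_line(kind, *parts):
    """Build a constructed, non-functional key line for demonstration."""
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (kind.encode(), *parts))
    return f"{kind} {base64.b64encode(blob).decode()} constructed@example"

# Constructed samples: filler bytes with the right shape, not real keys.
for sample in (make_line("ssh-ed25519", bytes(32)),
               make_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 128)):
    print(classify(sample))
```

To check your own key, pass the single line from a `.pub` file to `classify`.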
If you use an RSA key, you must use a client that supports RFC 8332 for SHA-256 (rsa-sha2-256) and SHA-512 (rsa-sha2-512) signatures. As of 2021, our servers no longer accept RSA keys with SHA-1 signatures because they are demonstrably insecure. If you run into that issue, please update your OpenSSH client and/or consider switching to faster, safer Ed25519 keys.