
SSH Client Configuration

Allowed Key Types and security

SSH authentication has been configured following the Mozilla OpenSSH security guidelines for OpenSSH 6.7+.

Weak key types, algorithms, ciphers, and MACs are denied.

Specifically, the following types are allowed:

  • rsa with key length >= 2048
  • ecdsa
  • ed25519

Any modern key should work, but if you have a very old key, it may be of an old type, or of insufficient length.
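
A check for the policy above, as an added example (not part of the original wiki or the site's own tooling): it parses the OpenSSH public key blob from a .pub or authorized_keys line and reports whether the key type and RSA length are on the allowed list. The function names and sample keys are constructed for illustration, and lines with quoted options containing spaces are not handled.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # policy from this page: rsa with key length >= 2048

def _read_string(blob, off):
    """Read one length-prefixed string from the SSH wire encoding."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def check_pubkey(line):
    """Return (allowed, detail) for one .pub or authorized_keys line."""
    fields = line.split()
    # Skip any leading options field; find the key-type label.
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        return False, "no key found"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        raw, off = _read_string(blob, 0)
        ktype = raw.decode("ascii")
        if ktype != fields[idx]:
            return False, "type label does not match key blob"
        if ktype == "ssh-rsa":
            _e, off = _read_string(blob, off)   # public exponent
            n, off = _read_string(blob, off)    # modulus (mpint)
            bits = int.from_bytes(n, "big").bit_length()
            return bits >= MIN_RSA_BITS, f"rsa {bits} bits"
    except ValueError as exc:  # bad base64, truncation, non-ASCII type
        return False, f"unparseable: {exc}"
    return ktype == "ssh-ed25519" or ktype.startswith("ecdsa-sha2-"), ktype

def make_line(ktype, *parts):
    """Build a constructed, non-functional sample key line for the demo."""
    blob = b"".join(struct.pack(">I", len(p)) + p
                    for p in (ktype.encode(),) + parts)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed@example"

if __name__ == "__main__":
    old_rsa = b"\x00" + ((1 << 1023) | 1).to_bytes(128, "big")  # 1024-bit
    for sample in (make_line("ssh-rsa", b"\x01\x00\x01", old_rsa),
                   make_line("ssh-ed25519", bytes(32))):
        print(check_pubkey(sample))
```

Run it over each line of ~/.ssh/authorized_keys or a .pub file to find keys that need replacing.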

Key Generation

Passphrase

Most importantly, set a passphrase. Usage of this key both allows access, and identifies the user as you. If your key is lost or stolen, you may be responsible for actions taken.

Key types

We recommend ed25519 keys, mostly due to ease of use, as they can be both secure and quite short.

Using OpenSSH >= 6.7: ssh-keygen -a 100 -t ed25519

Key Installation

Linux

The easiest way is to create a ~/.ssh/config file that looks like the following:

Host *.cosmos-lab.org
User USERNAME
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes

Customize to your needs.

  • Host specifies that this will be applied for anything in the cosmos-lab.org domain
  • User is the username to use
  • IdentityFile specifies the path to the private key to use. It must have permissions 600.
  • IdentitiesOnly tells the client to only use the key specified. Our servers will deny access if too many different keys are attempted in one connection.

For convenience, you can use ssh-agent to automatically unlock and apply your key configuration based on your desktop login session. This may be done automatically on some distros, such as Ubuntu 18.04 Desktop.

MacOS

You can follow the same steps as for Linux if you use the built-in ssh client and terminal emulators.

You can configure your keyring to unlock your ssh keys, so again, please use keys with passphrases.

Windows

Common ssh clients for Windows:

For all of these, please make sure to generate or export your public key in "OpenSSH" format, as it will be applied on a Linux server.

Removing or changing keys

Once logged in, your allowed public keys are listed in the file ~/.ssh/authorized_keys

The profile management page on the website reflects this file.

Please do not delete the first key on this list, as this allows moving between cosmos machines, such as console and gateway, but does not affect external access. If missing, it will be re-generated periodically.

If you remove ALL keys, you must upload a new one via the webUI, as you will have no other way to access the systems.

Last modified on 02/16/19 22:11:51