Q2. sshd host keys should not be password protected. If they are, sshd can't read them (unless you set up a host agent and preload it, which is rare). This is because sshd is designed to run in the background and cannot get the password(s) from the user, especially because it is usually started automatically at boot before any user is even logged in. Instead the files for the sshd host key(s) should be secured against access by any userid other than the one which runs sshd, normally root, and that userid should be well protected and not used unnecessarily.

Q1. sshd does not need a separate .pub file because it can automatically compute the publickey from the privatekey. In contrast the client ssh (unless using an agent) usually wants to use the publickey for a userauth 'probe' before prompting for the password to actually use the privatekey, and this requires a separate .pub file except when using OpenSSH's 'new format' keyfile, which is required for Ed25519 since IIRC 6.5, and the default for all keys since 7.8 about a month ago. Since ssh-keygen doesn't know which you want, it always generates a .pub file, which does no harm if unneeded -- even if it is not secured, since it is public.