> ## Documentation Index
> Fetch the complete documentation index at: https://docs.machine0.io/llms.txt
> Use this file to discover all available pages before exploring further.

# SSH

## Default behavior

On first VM creation, the CLI registers your `~/.ssh/id_rsa.pub` and sets it as default. Your private key never leaves your machine.

## Key types

**Public keys** (bring your own) -- machine0 stores only the public half.

**Managed keys** (server-generated) -- the server creates the keypair and returns the private key once. Saved locally with `0600` permissions. Required for MCP [ssh\_exec](/mcp/ssh).

<Warning>
  Managed private keys can only be downloaded once at creation time.
</Warning>

## SSH users

| Image               | Default user |
| ------------------- | ------------ |
| Ubuntu              | `ubuntu`     |
| NixOS (provisioned) | `nix`        |

Root login is disabled. Both users have full sudo.

## In-browser terminal

For VMs created with a **managed key**, the web dashboard offers an in-browser
terminal. Click SSH on any running VM in the dashboard and a full-screen shell
opens at `/machines/<name>/terminal`. The browser connects over WebSocket; the
server uses the managed private key to bridge to the VM's `sshd`. No local
SSH setup needed.

VMs created with a user-provided public key (the default) cannot use the
in-browser terminal — the server does not have the private key. Use
`machine0 ssh <name>` from your local terminal instead.

Sessions stay connected through long-running commands (the server sends a
4-minute keepalive frame) and auto-close after 30 minutes of inactivity.
Destroying the managed key via `machine0 ssh-keys destroy` or the dashboard
terminates any active terminal sessions using that key.

## Commands

See [CLI reference](/cli/keys) for key management commands.