diff --git a/ssh.md b/ssh.md new file mode 100644 index 0000000..a8ca57f --- /dev/null +++ b/ssh.md 
@@ -0,0 +1,269 @@ +# ssh + +_or, how to tell other computers to do cool things_ + +--- + +> all users are required to use an ssh keypair for login, or will be required +to proceed with manual account recovery with [~spider](/~spider/) or another admin. +drop a line to [sudoers@tilde.cafe](mailto:sudoers@tilde.cafe) or hop on +[irc](https://kiwi.tilde.chat/#cafe) for assistance. + +## overview + +port 22 is available for ssh. + + + + + + + + + + + + +when your account is approved, you will get an email. to login enter this in the terminal: + +``` +ssh username@tilde.cafe +``` + +tilde.cafe's ssh key fingerprints for your verification: + +| Name | Fingerprint | +|---------|--------------| +| ECDSA | `SHA256:BTjzIhz+gkmJNVrN7/WOWLqDnnoAzSwDBrw9+QCZdl0` | +| ED25519 | `SHA256:SbNFbk0qeIio4Aveaf29KNYPkEXmeCE38bXZpAWHI0Y` | +| RSA | `SHA256:W0gZf+knAxjfkzppjm93hVzbqk+ZzkO4U56+09HJ3ks` | + +the key fingerprints are in dns as sshfp records as well, which you can check +against by setting `VerifyHostKeyDNS` to `yes` in your `~/.ssh/config`. + +you can check the records yourself with the `dig` tool like this: + + dig sshfp tilde.cafe + +--- + +## intro + +**if you just want to get right to a tutorial you can [skip over this +background info](#how-to-make-an-ssh-key)** + +while [tilde.cafe](https://tilde.cafe) is accessible on the web and features +lovely web pages written by its users, most interaction with tilde.cafe takes +place **inside the machine** that runs tilde.cafe as opposed to via web forms +that have an effect from **outside** tilde.cafe's computer. + +this is what sets tilde.cafe apart from most other online communities. you +connect directly to another computer from yours alongside other people and then +write your web pages, chat, and play games all via text-based interfaces right +on tilde.cafe's computer. + +prior to the web (which debuted in 1995) this is how pretty much all computer +stuff got done. 
you connected directly to a machine (usually over a direct, +physical phone line) and did your work there. + +for a long time, people used a tool called +[`telnet`](https://en.wikipedia.org/wiki/telnet) to connect to other computers. +these days we use a tool called **ssh**. + +`ssh` is a text-based tool that provides a direct connection from your computer +to another. ssh is an acronym that stands for secure shell. the _shell_ part +refers to the fact that it's a text-based tool; we use the word shell to refer +to a text-based interface that you give commands to. the _secure_ part refers +to the fact that, when you're using ssh, no one can spy on your connection to +another computer (unlike the old `telnet` command). + +**why bother with all of this?** passwords are really insecure and hard to manage. +using keys makes life easier for you, fair user (your account is less likely to +be hacked) and for me, your humble sysadmin (less administration than passwords). + +--- + +## how to make an ssh key + +SSH supports a handful of types of cryptographic keys. The most used are [RSA]( + ) and the more modern [Ed25519]( + https://en.wikipedia.org/wiki/EdDSA#Ed25519). + +RSA is the de-facto standard and is supported everywhere (just choose a big +enough key like 4096 bits to be secure). Ed25519 is designed to be faster and +smaller withouth sacrificing security, so is best suited for embedded devices +or machines with low resources. It's supported on tilde (and really on any +modern system) but you may find older systems which do not support it. + +Below you'll find instructions to generate either type (or both if you want). + +Keep in mind that these instructions leave your private keys unencrypted in +your local hard disk. So keep them private; never share them. 
A good solution +is to provide a password for them at creation time, but this implies entering +a password any time you used them (impractical) or use something like [ssh-agent]( + https://man.openbsd.org/ssh-agent.1) (a bit more complex) + +We don't have documentation for this +[(yet)](https://tildegit.org/cafe/site/src/branch/main/wiki) so either go with +no password keys, or ask on IRC ([#cafe](https://web.tilde.chat/?join=cafe)) +for help. + +pick your fighter: [[mac](#mac)] | [[windows](#windows)] | [[linux](#linux)] + +--- + +### mac + +#### generating your keypair + +1. open terminal (it's in `/Applications/Utilities`, or press `command space`, + type Terminal and press enter) + +1. create your .ssh directory: + +```bash +mkdir -m 700 ~/.ssh +``` + +1. create your keys: + +```bash +ssh-keygen -t ed25519 -a 100 +``` + +1. if you press enter to accept the defaults, your public and private key will +be located at `~/.ssh/id_ed25519.pub` and `~/.ssh/id_ed25519` respectively + +1. `cat ~/.ssh/id_ed25519.pub` + +1. copy the output of the last command and paste it in the sshkey field on the + signup form (or email it to [the admins](mailto:sudoers@tilde.cafe) if you + already have an account) + +#### using your keypair + +once [~spider](https://tilde.cafe/~spider/) or another admin approves your +signup, you can join tilde.cafe + +1. open terminal (it's in `/Applications/Utilities`) + +1. `ssh` to tilde.cafe: + +```bash +ssh username@tilde.cafe +``` + +where username is your username (~hedy would use `ssh hedy@tilde.cafe`) + +--- + +### windows + + + + + + + +There are many options for using ssh on windows. If you are on windows 10 1809 +or later then it has openssh built in. Please check out [microsoft's +documentation on +openssh](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview). + +If you're on legacy windows or you don't want to use openssh, then continue reading below. 
+ +#### generating your keypair + +pick any of the following options and follow their installation process. If +you'd like to use a full Linux terminal environment then pick WSL. If you just +want a bash shell with great git support, pick Git Bash: + +* [Windows Subsystem for Linux](https://docs.microsoft.com/en-us/windows/wsl/install-win10/) +* [msys2](https://www.msys2.org) +* [Git Bash](https://git-scm.com) + +1. after setting up the terminal from any of the above installation process, open your terminal + +1. create your .ssh directory + +```bash +mkdir .ssh +``` + +1. create your keypair + +```bash +ssh-keygen -t ed25519 -a 100 +``` + +1. if you press enter to accept the defaults, your public and private key will + be located at `~\.ssh\id_ed25519.pub` and `~\.ssh\id_ed25519` respectively. + +1. `cat ~\.ssh\id_ed25519.pub` + +1. copy the output of the last command and paste it in the sshkey field on the signup form + +#### using your keypair + +once [~spider](https://tilde.cafe/~spider/) or another admin approves your +signup, you can join the tilde.cafe + +1. open your terminal which you've setup from the previous steps + +1. `ssh` to tilde.cafe: + +```bash +ssh username@tilde.cafe +``` + +where username is your username (~hedy would use `ssh hedy@tilde.cafe`) + +--- + +### linux + +there are a lot of linux distros, but `ssh` and `ssh-keygen` should be available +in almost all cases. if they're not, look up how to install ssh for your distro. + +#### generating your keypair + +1. open your terminal + +1. make sure you have a `~/.ssh` directory + +```bash +mkdir -m 700 ~/.ssh +``` + +1. create your keys + +```bash +ssh-keygen -t ed25519 -a 100 +``` + +1. if you press enter to accept the defaults, your public and private key will +be located at `~/.ssh/id_ed25519.pub` and `~/.ssh/id_ed25519` respectively + +1. `cat ~/.ssh/id_ed25519.pub` + +1. 
copy the output of the last command and paste it in the sshkey field on the signup form + +#### using your keypair + +once [~spider](https://tilde.cafe/~spider/) or another admin approves your signup, you can join the tilde.cafe + +1. open your terminal + +1. `ssh` to tilde.cafe: + +```bash +ssh username@tilde.cafe +``` + +where username is your username (~hedy would use `ssh hedy@tilde.cafe`) + +--- + +this tutorial is based on and uses parts of [the tilde.club ssh +primer](https://tilde.club/wiki/ssh.html) and [the tilde.team ssh +guide](https://tilde.team/wiki/ssh).
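Review bot: in the windows "generating your keypair" steps, `cat ~\.ssh\id_ed25519.pub` will not work in the bash shells this section tells users to install (WSL, msys2, Git Bash). Backslashes are escape characters there and the tilde is not expanded, so the command looks for a file named `~.sshid_ed25519.pub`. Use `~/.ssh/id_ed25519.pub` as the mac and linux sections do. In the same steps, `mkdir .ssh` depends on the current directory and sets no mode; `mkdir -m 700 ~/.ssh` would match the other two platforms, and adding `-p` everywhere avoids an error for users who already have the directory.

A few smaller points elsewhere in the new file. The `[RSA]( )` link under "how to make an ssh key" has an empty target, and "withouth" in the next paragraph is a typo. That section promises instructions for "either type (or both)", but every platform only shows `ssh-keygen -t ed25519 -a 100`, so either add the RSA command or drop the promise. The overview's `VerifyHostKeyDNS` advice should say that the sshfp match is only trusted implicitly when the answer is DNSSEC-validated; without that, ssh treats the fingerprint as insecure and still prompts, so users should keep comparing against the fingerprint table. Finally, since keys are mandatory, consider recommending a passphrase at the `ssh-keygen` prompt as the default rather than steering readers to "no password keys".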