diff --git a/src/main.rs b/src/main.rs
index bac9aaa..2d4af06 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,44 +1,44 @@
 use skynet_ldap_backend::{
-  db_init, get_config,
-  methods::{account_new, account_recover, account_update, account_ssh},
-  State,
+    db_init, get_config,
+    methods::{account_new, account_recover, account_update, account_ssh},
+    State,
 };
 
 #[async_std::main]
 async fn main() -> tide::Result<()> {
-  let config = get_config();
-  let db = db_init(&config).await?;
+    let config = get_config();
+    let db = db_init(&config).await?;
 
-  let host_port = config.host_port.clone();
+    let host_port = config.host_port.clone();
 
-  tide::log::start();
+    tide::log::start();
 
-  let state = State {
-    db,
-    config,
-  };
+    let state = State {
+        db,
+        config,
+    };
 
-  let mut app = tide::with_state(state);
+    let mut app = tide::with_state(state);
 
-  // for users to update their own profile
-  app.at("/ldap/update").post(account_update::submit);
+    // for users to update their own profile
+    app.at("/ldap/update").post(account_update::submit);
 
-  // for new users
-  app.at("/ldap/new/email").post(account_new::email::submit);
-  app.at("/ldap/new/account").post(account_new::account::submit);
+    // for new users
+    app.at("/ldap/new/email").post(account_new::email::submit);
+    app.at("/ldap/new/account").post(account_new::account::submit);
 
-  // for folks who forget password/username
-  app.at("/ldap/recover/password").post(account_recover::password::reset);
-  app.at("/ldap/recover/password/auth").post(account_recover::password::auth);
-  app.at("/ldap/recover/username").post(account_recover::username::submit);
-  app.at("/ldap/recover/ssh/request").post(account_recover::ssh::request);
-  app.at("/ldap/recover/ssh/verify").post(account_recover::ssh::verify);
+    // for folks who forget password/username
+    app.at("/ldap/recover/password").post(account_recover::password::reset);
+    app.at("/ldap/recover/password/auth").post(account_recover::password::auth);
+    app.at("/ldap/recover/username").post(account_recover::username::submit);
+    app.at("/ldap/recover/ssh/request").post(account_recover::ssh::request);
+    app.at("/ldap/recover/ssh/verify").post(account_recover::ssh::verify);
 
-  //for getting current ssh keys associated with the account
-  app.at("/ldap/ssh").post(account_ssh::get_ssh_keys);
-  //app.at("/ldap/ssh").delete(account_ssh::remove_key);
-  //app.at("/ldap/ssh/add").post(account_ssh::add_ssh_key);
+    //for getting current ssh keys associated with the account
+    app.at("/ldap/ssh").post(account_ssh::get_ssh_keys);
+    app.at("/ldap/ssh").delete(account_ssh::remove_ssh_key);
+    app.at("/ldap/ssh/add").post(account_ssh::add_ssh_key);
 
-  app.listen(host_port).await?;
-  Ok(())
+    app.listen(host_port).await?;
+    Ok(())
 }
diff --git a/src/methods/account_ssh.rs b/src/methods/account_ssh.rs
index c115c2f..d3735a0 100644
--- a/src/methods/account_ssh.rs
+++ b/src/methods/account_ssh.rs
@@ -1,47 +1,123 @@
-use crate::{methods::account_new::email::get_wolves_mail, update_group, Accounts, Config, State};
-use ldap3::{exop::PasswordModify, LdapConn, LdapResult, Mod, ResultEntry, Scope, SearchEntry};
+use std::collections::HashSet;
+use crate::{State, LdapAuthResult, LdapAuth};
+use ldap3::{LdapConn, Mod, Scope, SearchEntry};
 use tide::{
-    prelude::{json, Deserialize, Serialize},
+    prelude::{json, Deserialize},
     Request,
 };
 
 #[derive(Debug, Deserialize)]
-pub struct User {
-    user: String,
-    pass: String,
+pub struct SSHKey {
+    auth: LdapAuth,
+    key: String,
+}
+
+pub async fn add_ssh_key(mut req: Request<State>) -> tide::Result {
+    let SSHKey {
+        auth,
+        key,
+    } = req.body_json().await?;
+
+    let config = &req.state().config;
+
+    let mut ldap = LdapConn::new(&config.ldap_host)?;
+
+    let dn = format!("uid={},ou=users,dc=skynet,dc=ie", auth.user);
+    ldap.simple_bind(&dn, &auth.pass)?.success()?;
+
+    let LdapAuthResult {
+        mut ldap,
+        dn,
+        is_skynet_user: _,
+    } = match crate::auth_user(&auth, config).await {
+        None => return Ok(json!({"result": "error", "error": "Failed to authenticate"}).into()),
+        Some(x) => x,
+    };
+
+    let mods = vec![
+        Mod::Add("sshPublicKey".to_string(), HashSet::from([key])),
+    ];
+    match ldap.modify(&dn, mods) {
+        Ok(_) => {
+            ldap.unbind()?;
+            Ok(json!({"result": "success"}).into())
+        }
+        Err(e) => {
+            dbg!(e);
+            ldap.unbind()?;
+            Ok(json!({"result": "error", "error": "Failed to add key"}).into())
+        }
+    }
+}
+
+pub async fn remove_ssh_key(mut req: Request<State>) -> tide::Result {
+    let SSHKey {
+        auth,
+        key,
+    } = req.body_json().await?;
+    let config = &req.state().config;
+    let mut ldap = LdapConn::new(&config.ldap_host)?;
+    let dn = format!("uid={},ou=users,dc=skynet,dc=ie", auth.user);
+
+    match ldap.simple_bind(&dn, &auth.pass) {
+        Ok(_) => {}
+        Err(e) => {
+            dbg!(e);
+            return Ok(json!({"result": "error", "error": "Failed to bind"}).into());
+        }
+    }
+
+    let LdapAuthResult {
+        mut ldap,
+        dn,
+        is_skynet_user: _
+    } = match crate::auth_user(&auth, config).await {
+        None => return Ok(json!({"result": "error", "error": "Failed to authenticate"}).into()),
+        Some(x) => x,
+    };
+
+    let mods = vec![
+        Mod::Delete("sshPublicKey".to_string(), HashSet::from([key])),
+    ];
+
+    match ldap.modify(&dn, mods) {
+        Ok(_) => {
+            ldap.unbind()?;
+            Ok(json!({"result": "success"}).into())
+        }
+        Err(e) => {
+            dbg!(e);
+            ldap.unbind()?;
+            Ok(json!({"result": "error", "error": "Failed to remove key"}).into())
+        }
+    }
 }
 
 pub async fn get_ssh_keys(mut req: Request<State>) -> tide::Result {
-    let User {
+    let LdapAuth {
         user,
         pass
     } = req.body_json().await?;
     let config = &req.state().config;
 
-    // easier to give each request its own connection
     let mut ldap = LdapConn::new(&config.ldap_host)?;
 
     let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user);
     ldap.simple_bind(&dn, &pass)?.success()?;
 
-    // always assume insecure
-    let mut is_skynet_user = false;
-
-    // get the users current password hash
-    let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword", "memberOf"])?.success()?;
-    if !rs.is_empty() {
-        let tmp = SearchEntry::construct(rs[0].clone());
-        if tmp.attrs.contains_key("memberOf") {
-            for group in tmp.attrs["memberOf"].clone() {
-                if group.contains("skynet-users") {
-                    is_skynet_user = true;
-                }
-            }
+    let LdapAuthResult {
+        mut ldap,
+        dn,
+        is_skynet_user: _,
+    } = match crate::auth_user(&LdapAuth { user, pass }, config).await {
+        None => return Ok(json!({"result": "error", "error": "Failed to authenticate"}).into()),
+        Some(x) => if x.is_skynet_user {
+            x
+        } else {
+            return Ok(json!({"result": "error", "error": "Not a skynet user"}).into());
         }
-    }
-    if !is_skynet_user {
-        return Ok(json!({"result": "error", "error": "Invalid username or password"}).into())
-    }
+    };
+
 
     let mut keys: Vec<String> = vec![];
     let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["sshPublicKey"])?.success()?;