diff --git a/scripts/ssh-server-check.sh b/scripts/ssh-server-check.sh
new file mode 100755
index 0000000..3beb684
--- /dev/null
+++ b/scripts/ssh-server-check.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env sh
+
+ssh_config_val() {
+ local field="$1"
+ local val
+
+ if [[ -z "$field" ]]; then
+ echo "usage: ssh_config_val " >&2
+ return 2
+ fi
+
+ echo $(sshd -T | grep -i "^$field " | head -1 | awk '{print $2}')
+}
+
+check_ssh_files() {
+ printf "%-6s %-20s %-6s %s\n" "STATUS" "KEY" "PERMS" "PATH"
+ for key in hostkey hostcertificate trustedusercakeys; do
+ path=$(ssh_config_val "$key")
+ if [[ -z "$path" ]]; then
+ printf "%-7s %-20s %-6s %s\n" "⚠️" "$key" "-" "(not configured)"
+ continue
+ fi
+
+ if [[ -e "$path" ]]; then
+ perms=$(stat -c '%a' "$path")
+ printf "%-7s %-20s %-6s %s\n" "✅" "$key" "$perms" "$path"
+ else
+ printf "%-7s %-20s %-6s %s\n" "❌" "$key" "-" "$path (missing)"
+ fi
+ done
+}
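Review bot: The ✅ in check_ssh_files is decided by `[[ -e "$path" ]]` alone, so a host private key that group or other can read, or a TrustedUserCAKeys file they can write, is still reported as healthy; the mode from `stat` is printed but never evaluated. The status should depend on the mode, as in the fence below (private key: no group/other bits at all; certificate and CA list: not group/other writable). Separately, the shebang is `#!/usr/bin/env sh` while both functions use `[[ ]]` and `local`; where sh is dash, `[[` is not found and every key falls through to the ❌ branch, so the shebang should be `#!/usr/bin/env bash`. `head -1` in ssh_config_val also means only the first of several `hostkey` lines is checked, and a failing `sshd -T` (presumably the case when not run as root) is indistinguishable from "not configured".

```shell
    if [[ -e "$path" ]]; then
      perms=$(stat -c '%a' "$path")
      status="✅"
      # Private host keys must carry no group/other bits; the certificate and
      # the CA list are public, but must not be writable by group/other.
      case "$key" in
        hostkey) (( 0$perms & 077 )) && status="❌" ;;
        *)       (( 0$perms & 022 )) && status="❌" ;;
      esac
      printf "%-7s %-20s %-6s %s\n" "$status" "$key" "$perms" "$path"
    # … unchanged: else branch reporting a missing path …
```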