diff --git a/ssh/ssh-proxy.c b/ssh/ssh-proxy.c
index 1e978d9..1c43e92 100644
--- a/ssh/ssh-proxy.c
+++ b/ssh/ssh-proxy.c
@@ -34,6 +34,7 @@
 #include "misc.h"
 #include "myproposal.h"
 #include "readconf.h"
+#include "authfile.h"
 #include "err.h"
 
 struct side {
@@ -66,8 +67,7 @@ int foreground;
 int dump_packets;
 
 #define BUFSZ 16*1024
-char keybuf[BUFSZ];
-char known_keybuf[BUFSZ];
+struct sshkey *hostkey, *known_hostkey;
 
 int
 do_listen(const char *addr, int port)
@@ -249,12 +249,12 @@ connect_cb(int fd, short type, void *arg)
 error("could init server context: %s", ssh_err(r));
 goto fail;
 }
- if ((r = ssh_add_hostkey(s->client.ssh, keybuf)) != 0) {
+ if ((r = ssh_add_hostkey(s->client.ssh, hostkey)) != 0) {
 error("could not load server hostkey: %s", ssh_err(r));
 goto fail;
 }
- if ((r = ssh_add_hostkey(s->server.ssh, known_keybuf)) != 0) {
- error("could not load client hostkey: %s", ssh_err(r));
+ if ((r = ssh_add_hostkey(s->server.ssh, known_hostkey)) != 0) {
+ error("could not load client known hostkey: %s", ssh_err(r));
 goto fail;
 }
 event_set(&s->client.input, s->client.fd, EV_READ, input_cb, s);
@@ -418,7 +418,6 @@ main(int argc, char **argv)
 {
 int ch, log_stderr = 1, fd;
 struct event ev;
- ssize_t len;
 char *hostkey_file = NULL, *known_hostkey_file = NULL;
 SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
 LogLevel log_level = SYSLOG_LEVEL_VERBOSE;
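Review bot: Both ssh_add_hostkey() calls in connect_cb now hand the same process-wide `hostkey` / `known_hostkey` objects to every connection, and the new ssh_add_hostkey() (ssh_api.c hunks at -104 and -137) stores that pointer directly in the context's key lists (`k_prv->key = key;`, `k->key = key;`) instead of the freshly parsed copy the old string interface produced per call. If ssh_free() releases the keys queued on private_keys/public_keys — not visible in this diff — the first connection torn down frees the globals and every later connection works on freed memory; if it does not, nothing on either side says so. Either give each context its own key (reload from the file path in connect_cb, or have ssh_add_hostkey() copy the key the way it already derives `pubkey` with sshkey_from_private()) or fix the contract so the caller keeps ownership and ssh_free() leaves these entries alone. connect_cb starts and ends outside this hunk.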
@@ -461,24 +460,12 @@ main(int argc, char **argv)
 }
 }
 log_init(__progname, log_level, log_facility, log_stderr);
- if (hostkey_file) {
- if ((fd = open(hostkey_file, O_RDONLY, 0)) < 0)
- fatal("open: %s %s", hostkey_file, strerror(errno));
- if ((len = read(fd, keybuf, sizeof(keybuf))) < 0)
- fatal("read: %s %s", hostkey_file, strerror(errno));
- keybuf[len] = '\0';
- debug("hk: read %zd bytes", len);
- close(fd);
- }
- if (known_hostkey_file) {
- if ((fd = open(known_hostkey_file, O_RDONLY, 0)) < 0)
- fatal("open: %s %s", hostkey_file, strerror(errno));
- if ((len = read(fd, known_keybuf, sizeof(known_keybuf))) < 0)
- fatal("kh: read: %s %s", hostkey_file, strerror(errno));
- known_keybuf[len] = '\0';
- debug("kh: read %zd bytes", len);
- close(fd);
- }
+ if (hostkey_file &&
+ (hostkey = key_load_private(hostkey_file, "", NULL)) == NULL)
+ fatal("key_load_private: %s", hostkey_file);
+ if (known_hostkey_file &&
+ (known_hostkey = key_load_public(known_hostkey_file, NULL)) == NULL)
+ fatal("key_load_public: %s", known_hostkey_file);
 if (!foreground)
 daemon(0, 0);
 event_init();
diff --git a/ssh/ssh_api.c b/ssh/ssh_api.c
index e58f520..281fe57 100644
--- a/ssh/ssh_api.c
+++ b/ssh/ssh_api.c
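Review bot: A missing key-file option is still accepted silently here — both loads are guarded by `if (hostkey_file && ...)` / `if (known_hostkey_file && ...)`, so with either path absent the corresponding global stays NULL, and connect_cb (earlier hunk) passes it unchecked into ssh_add_hostkey(), where the new code feeds it straight to sshkey_from_private() or stores it, whereas the old empty buffer failed the parse with a checked error. Add a check before the event loop, e.g. `if (hostkey == NULL || known_hostkey == NULL) fatal("a private hostkey file and a known hostkey file are required");`, or make the options mandatory in option parsing. The new fatal() calls also lose the reason: key_load_private()/key_load_public() only return NULL here, so an unreadable file and a passphrase-protected key (the call passes `""`) both print just the path — report the loader's error if it exposes one. With the open()/read()/close() calls gone, `fd` in main's declarations (hunk at -418) looks as unused as the removed `len`, unless main uses it elsewhere. main() continues outside this hunk.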
@@ -104,32 +104,23 @@ ssh_free(struct ssh *ssh)
 
 /* Returns < 0 on error, 0 otherwise */
 int
-ssh_add_hostkey(struct ssh *ssh, char *key)
+ssh_add_hostkey(struct ssh *ssh, struct sshkey *key)
 {
- struct sshkey *parsed_key = NULL, *pubkey = NULL;
- struct sshbuf *key_buf = NULL;
+ struct sshkey *pubkey = NULL;
 struct key_entry *k = NULL, *k_prv = NULL;
 int r;
 
 if (ssh->kex->server) {
- /* Parse private key */
- if ((key_buf = sshbuf_new()) == NULL)
- return SSH_ERR_ALLOC_FAIL;
- if ((r = sshbuf_put(key_buf, key, strlen(key))) != 0)
- goto out;
- if ((parsed_key = key_parse_private(key_buf, "hostkey", "",
- NULL)) == NULL) {
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- if ((r = sshkey_from_private(parsed_key, &pubkey)) != 0)
- goto out;
+ if ((r = sshkey_from_private(key, &pubkey)) != 0)
+ return r;
 if ((k = malloc(sizeof(*k))) == NULL ||
 (k_prv = malloc(sizeof(*k_prv))) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
+ if (k)
+ free(k);
+ sshkey_free(pubkey);
+ return SSH_ERR_ALLOC_FAIL;
 }
- k_prv->key = parsed_key;
+ k_prv->key = key;
 TAILQ_INSERT_TAIL(&ssh->private_keys, k_prv, next);
 
 /* add the public key, too */
@@ -137,29 +128,13 @@ ssh_add_hostkey(struct ssh *ssh, char *key)
 TAILQ_INSERT_TAIL(&ssh->public_keys, k, next);
 r = 0;
 } else {
- /* Parse public key */
- if ((parsed_key = sshkey_new(KEY_UNSPEC)) == NULL)
+ if ((k = malloc(sizeof(*k))) == NULL)
 return SSH_ERR_ALLOC_FAIL;
- if ((r = sshkey_read(parsed_key, &key)) != 0)
- goto out;
- if ((k = malloc(sizeof(*k))) == NULL) {
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- k->key = parsed_key;
+ k->key = key;
 TAILQ_INSERT_TAIL(&ssh->public_keys, k, next);
 r = 0;
 }
-out:
- if (key_buf)
- sshbuf_free(key_buf);
- if (r != 0) {
- if (parsed_key)
- sshkey_free(parsed_key);
- if (k)
- free(k);
- }
 return r;
 }
 
diff --git a/ssh/ssh_api.h b/ssh/ssh_api.h
index 5797006..291b205 100644
--- a/ssh/ssh_api.h
+++ b/ssh/ssh_api.h
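Review bot: The function now accepts any caller-supplied `struct sshkey *` and validates nothing before using it: a NULL `key` reaches sshkey_from_private() in the server branch and is stored as-is by `k->key = key;` in the client branch, whereas the old string parse rejected bad input with SSH_ERR_INVALID_FORMAT, so a guard at the top, `if (key == NULL) return SSH_ERR_INVALID_ARGUMENT;`, keeps the error path explicit; whether sshkey_from_private() itself rejects a key without private parts is not visible here. The `if (k) free(k);` in the new allocation-failure branch guards a call that needs no guard — free(NULL) is a no-op — so `free(k);` alone reads the same as the unguarded `sshkey_free(pubkey);` next to it. Ownership is now asymmetric and undocumented: on success `key` is kept by reference in the context's lists, on failure it is untouched and still the caller's, so the header comment should become `/* Returns < 0 on error, 0 otherwise. On success the key is kept by reference in ssh's key lists; on error the caller still owns it. */`.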
@@ -33,14 +33,12 @@ void ssh_free(struct ssh *);
 /*
  * ssh_add_hostkey() registers a private/public hostkey for an ssh
  * connection.
- * the key needs to be specified as a string in PEM format or OpenSSH
- * public key format.
  * ssh_add_hostkey() needs to be called before a key exchange is
  * initiated with ssh_packet_next().
  * private hostkeys are required if we need to act as a server.
  * public hostkeys are used to verify the servers hostkey.
  */
-int ssh_add_hostkey(struct ssh *ssh, char *key);
+int ssh_add_hostkey(struct ssh *ssh, struct sshkey *key);
 
 /*
  * ssh_set_verify_host_key_callback() registers a callback function
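Review bot: The removed sentence about the string format is not replaced by the contract the new signature needs: the comment no longer says what kind of `struct sshkey` each side expects nor who owns the object afterwards, while the ssh_api.c implementation stores the pointer itself in the context's key lists rather than a copy. Suggest putting in place of the removed lines: ` * the key is a parsed struct sshkey (a private key when acting as a server, a public key otherwise); it is stored by reference, so it must stay valid while the ssh context is in use, and on a non-zero return the caller still owns it.` Whether ssh_free() releases the key when the context is destroyed should be stated here as well once confirmed, since callers that share one key between several contexts depend on the answer.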