diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5fe9a21..2262f6b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -75,3 +75,26 @@ deploy:production:
   only:
     - main
   when: manual
+
+
+  ssh:diagnose:
+  stage: deploy
+  image: alpine:3.20
+  script:
+    - apk add --no-cache openssh-client
+    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
+    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
+    - chmod 600 ~/.ssh/id_ed25519
+
+    # zeige Fingerprint & public key (sollte zum KAS-Eintrag passen)
+    - echo "Public key derived from private key:"
+    - ssh-keygen -y -f ~/.ssh/id_ed25519 | tee /tmp/ci_pubkey.pub
+    - echo "Fingerprint:"; ssh-keygen -lf ~/.ssh/id_ed25519
+
+    # Hostkey anlernen
+    - ssh-keyscan -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts
+
+    # Sehr ausführlicher Login-Test (ohne Befehl)
+    - echo "Trying SSH with -vvv..."
+    - ssh -vvv -o IdentitiesOnly=yes -o PreferredAuthentications=publickey $DEPLOY_USER@$DEPLOY_HOST 'echo OK'
+  when: manual