SSH Tectia

User Authentication with Public Keys

Public-key authentication is based on the use of digital signatures and provides very good authentication security.

To use public-key authentication, you must first create a key pair on the client. One of these key files is your public key, and the other is your secret private key. The server must know the public key, so the public key is uploaded to the server; the private key stays only in your possession.

Figure 4.1. User public-key authentication

When you start logging in to a remote server, the server checks for a matching public key and sends you a challenge. You authenticate yourself by signing the challenge with your private key, which is unlocked with its passphrase.

Remember that your private key file is used to authenticate you. If anyone else can access your private key file, they can attempt to log in to the remote host computer as you. Keep your private key file in a secure place and make sure that no one else has access to it.

Caution

Do not use public-key authentication on a client that is shared with other users. Generate keys only on your personal computer that no one else can access!

Note

SSH Tectia Server also supports user public keys generated with OpenSSH. SSH Tectia Server can be configured to check the OpenSSH authorized_keys file in addition to the SSH Tectia authorization file and/or the authorized_keys directory. Public keys defined in the SSH Tectia locations take precedence over the keys in the OpenSSH file if the same key is defined in both.

When you start using public-key authentication, do the following:

  1. Generate a key pair with the command-line tool ssh-keygen-g3 (see Creating Keys with ssh-keygen-g3).

  2. Upload your public key manually to the remote host computer running SSH Tectia Server (see Uploading Public Key Manually).

The instructions assume that the client user is allowed to log in to the Server using password authentication.
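The challenge-response flow described above (a key pair is generated on the client, the public key is uploaded to the server, and a login succeeds only if a fresh challenge is signed by the matching private key) can be modelled in a few lines. This is an added example, not SSH Tectia code; it assumes the third-party `cryptography` package is installed, and the passphrase and key names are constructed for the demonstration.

```python
# Added example (not SSH Tectia code): a minimal model of the public-key
# challenge-response used for user authentication, built on the third-party
# `cryptography` package (assumed installed). Values are constructed for the demo.
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

PASSPHRASE = b"demo-passphrase"  # constructed; protects the private key file at rest


def generate_key_pair(passphrase: bytes = PASSPHRASE) -> tuple[bytes, bytes]:
    """Client side (what ssh-keygen-g3 does): create a key pair and return
    (passphrase-encrypted private key PEM, public key PEM)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(passphrase),
    )
    pub_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return priv_pem, pub_pem


def sign_challenge(priv_pem: bytes, passphrase: bytes, challenge: bytes) -> bytes:
    """Client side: the passphrase only unlocks the key file; the signature
    itself is produced with the private key."""
    key = serialization.load_pem_private_key(priv_pem, password=passphrase)
    return key.sign(challenge, padding.PKCS1v15(), hashes.SHA256())


def authenticate(authorized: list[bytes], pub_pem: bytes, priv_pem: bytes,
                 passphrase: bytes) -> bool:
    """Server side: only a public key already uploaded (authorized) is considered,
    and a fresh random challenge must then be signed by the matching private key."""
    if pub_pem not in authorized:          # step 1: is there a matching public key?
        return False
    challenge = os.urandom(32)             # step 2: send an unpredictable challenge
    signature = sign_challenge(priv_pem, passphrase, challenge)  # client answers
    try:                                   # step 3: verify with the stored public key
        serialization.load_pem_public_key(pub_pem).verify(
            signature, challenge, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False
```

The private key never leaves the client; a key that was not uploaded, or a signature made with some other private key, is rejected.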