SSH Tectia

User Authentication with Public Keys

Public-key authentication is based on the use of digital signatures and provides very good authentication security.

To be able to use public keys in user authentication, you must first create a key pair on the client. One of the created key files is your public key, and the other is your secret private key.

The security level of the key pair depends on the complexity (or bit length) of the key. Larger keys are more secure, but generating and using them takes longer.

Note

The default size (2048 bits) of public-key pairs generated using SSH Tectia Client is very secure. Never generate keys smaller than 768 bits.

The server must know the user's public key, so you need to upload the public key to the server, but the private key is only in your possession.

Figure 4.1. User public-key authentication

When you start logging in to a remote server, the client sends a signature to the server, and the server checks for a matching public key. If the key is protected with a passphrase, you are prompted to enter the passphrase.

Remember that your private-key file is used to authenticate you. Keep your private-key file in a secure place and make sure that no one else has access to it. If anyone else can access your private-key file, they can attempt to log in to the remote host computer pretending to be you. Define a passphrase to protect your private key, whenever possible.

Caution

Generate keys only on your personal computer that no one else can access! Do not store your private key on a computer that is shared with other users.

When you start using public-key authentication, do the following actions:

  1. Generate a key pair with the command-line tool ssh-keygen-g3 (see Creating Keys with ssh-keygen-g3).

  2. Upload your public key manually to the remote host computer running SSH Tectia Server (see Uploading Public Key Manually).

Note

SSH Tectia Server also supports user public keys generated with OpenSSH. SSH Tectia Server can be configured to check the OpenSSH authorized_keys file in addition to the SSH Tectia authorization file and/or the authorized_keys directory. Public keys defined in the SSH Tectia locations take precedence over the keys in the OpenSSH file if the same key is defined in both.

These instructions assume that the client user is allowed to log in to the remote host, where SSH Tectia Server is running, using password authentication.
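The following is an added example, not SSH Tectia code, that shows the server-side half of what this page describes: reading the two key stores (a Tectia `authorization` file that lists `.pub` files in the SSH2 public-key file format, and an OpenSSH `authorized_keys` file), decoding the `ssh-rsa` key blob to learn its bit length so that keys below the 768-bit floor mentioned above are refused, and giving the SSH Tectia location precedence when the same key appears in both files. The file layouts and the `Key <file>` directive are assumptions about the formats, and every key is constructed (random moduli that are not real RSA keys) so the script runs offline.

```python
"""Server-side lookup of user public keys across the Tectia and OpenSSH stores.

Added example, not SSH Tectia code. Assumed formats: the Tectia authorization
file holds "Key <file>" lines naming RFC 4716 (.pub) files; the OpenSSH file
holds one "ssh-rsa <base64> [comment]" per line. All keys are constructed."""
import base64
import random
import struct

MIN_BITS = 768  # the page's floor; 2048 bits is the SSH Tectia Client default


def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian bytes with a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def rsa_blob(n: int, e: int = 65537) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_rsa_blob(blob: bytes):
    """Return (key_type, modulus_bits); raises ValueError on malformed or non-RSA input."""
    off, fields = 0, []
    for _ in range(3):
        if off + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + length])
        off += length
    key_type = fields[0].decode("ascii")
    if key_type != "ssh-rsa":
        raise ValueError(f"unsupported key type {key_type}")
    return key_type, int.from_bytes(fields[2], "big").bit_length()


def rfc4716_file(blob: bytes, comment: str) -> str:
    """Render a blob as an SSH2 public-key file (the .pub layout Tectia uses)."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return (f"---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"{comment}\"\n"
            f"{body}\n---- END SSH2 PUBLIC KEY ----\n")


def parse_rfc4716(text: str) -> bytes:
    """Skip the ---- markers and 'Tag: value' headers, decode the base64 body."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("----") and ":" not in ln]
    return base64.b64decode("".join(body))


def load_tectia_keys(authorization_text: str, pub_files: dict) -> list:
    """Keys named by 'Key <file>' lines; pub_files stands in for the .ssh2 directory."""
    keys = []
    for line in authorization_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "key":
            keys.append(parse_rfc4716(pub_files[parts[1]]))
    return keys


def load_openssh_keys(authorized_keys_text: str) -> list:
    keys = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ssh-rsa":
            keys.append(base64.b64decode(parts[1]))
    return keys


def authorize(offered: bytes, tectia_keys: list, openssh_keys: list) -> str:
    """Size check first, then Tectia locations before the OpenSSH file (page's precedence)."""
    _, bits = parse_rsa_blob(offered)
    if bits < MIN_BITS:
        return "rejected: key too small"
    if offered in tectia_keys:
        return "accepted via SSH Tectia authorization file"
    if offered in openssh_keys:
        return "accepted via OpenSSH authorized_keys"
    return "rejected: unknown key"


# Constructed sample data (fixed seed, so the demo is reproducible).
_rng = random.Random(1)


def fake_modulus(bits: int) -> int:
    return _rng.getrandbits(bits) | (1 << (bits - 1)) | 1


KEY_2048 = rsa_blob(fake_modulus(2048))      # listed in both stores
KEY_512 = rsa_blob(fake_modulus(512))        # below the 768-bit floor
KEY_OPENSSH = rsa_blob(fake_modulus(2048))   # only in authorized_keys
PUB_FILES = {"id_rsa_2048_a.pub": rfc4716_file(KEY_2048, "2048-bit rsa, user@host"),
             "weak.pub": rfc4716_file(KEY_512, "512-bit rsa, too small")}
AUTHORIZATION = "Key id_rsa_2048_a.pub\nKey weak.pub\n"
AUTHORIZED_KEYS = ("ssh-rsa " + base64.b64encode(KEY_2048).decode() + " user@host\n"
                   "ssh-rsa " + base64.b64encode(KEY_OPENSSH).decode() + " other@host\n")


def demo() -> dict:
    tectia = load_tectia_keys(AUTHORIZATION, PUB_FILES)
    openssh = load_openssh_keys(AUTHORIZED_KEYS)
    return {name: authorize(k, tectia, openssh)
            for name, k in [("2048", KEY_2048), ("512", KEY_512), ("openssh", KEY_OPENSSH)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The blob parser is the piece worth keeping: the bit length of an `ssh-rsa` key is the bit length of its modulus, which only comes from decoding the SSH wire format (length-prefixed strings), never from the comment text of the key file.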