SSH

User Authentication with Public Keys

Creating Keys with Public-Key Authentication Wizard
Uploading Public Keys Automatically
Creating and Uploading Keys with the Command Line Tools

Public-key authentication is based on the use of digital signatures and provides very good authentication security.

To use public keys in user authentication, you must first create a key pair on the client. One of the created key files is your public key, and the other is your secret private key.

The security level of the key pair depends on the complexity (or bit length) of the key. Larger keys are more secure, but generating and using them takes longer.

Note

The default RSA key size (3072 bits) provides 128-bit security, and the default ECDSA key size (384 bits) provides 192-bit security. We do not recommend generating RSA or DSA keys smaller than 2048 bits, even for interoperability with third-party implementations.

Note

We recommend that you replace your SSH keys with new ones at least every two years.

The server must know the user's public key, so you need to upload the public key to the server, but the private key must remain only in your possession.

Figure 4.1. User public-key authentication


When you start logging in to a remote server, the client sends a signature to the server, and the server checks for matching public keys. If the key is protected with a passphrase, the client requests you to enter the passphrase.

Remember that your private key is used to authenticate you. Keep your private key in a secure place and make sure that no one else has access to it. If anyone else can access your private key, they can attempt to log in to the remote host computer pretending to be you. Define a passphrase to protect your private key, whenever possible.

Caution

Generate keys only on your personal computer that no one else can access! Do not store your private key on a computer that is shared with other users.

When you start using public-key authentication, do the following:

  1. Generate a key pair. You can generate your own key files with the help of a built-in Public-Key Authentication Wizard (see Creating Keys with Public-Key Authentication Wizard), or using the command line tool ssh-keygen-g3 (see Creating and Uploading Keys with the Command Line Tools).

    You can also import existing keys on the Keys and Certificates page of the Tectia Connections Configuration GUI.

  2. Upload your public key to the remote host computer (running Tectia Server) automatically (see Uploading Public Keys Automatically).

Note

Tectia Server also supports user public keys generated with OpenSSH. Tectia Server can be configured to check the OpenSSH authorized_keys file in addition to the Tectia authorized_keys directory and/or authorization file. If the same key is defined in both, public keys defined in the Tectia locations take precedence over the keys in the OpenSSH file.
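The two notes above give an administrator two things to verify on a server: that no RSA or DSA user key below 2048 bits is accepted, and which keys are present in the OpenSSH-format authorized_keys file that Tectia Server can be configured to read. The following Python script is an added example, not Tectia's own code or tooling: it decodes the base64 key blob on each authorized_keys line (the SSH wire encoding of public keys from RFC 4253, section 6.6) and reports every key's type and size, flagging RSA and DSA keys under the 2048-bit threshold. The sample keys it audits are constructed inside the script and are not real keys; the RSA moduli are arbitrary odd integers of the chosen bit length, which is enough to exercise the parser.

```python
"""Audit an OpenSSH-format authorized_keys file for key type and size (added example)."""
import base64
import shlex
import struct

MIN_RSA_DSA_BITS = 2048  # threshold from the key-size note above


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative SSH 'mpint': big-endian, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one SSH 'string' at offset; return (bytes, new_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def make_rsa_line(bits: int, comment: str, options: str = "") -> str:
    """CONSTRUCTED ssh-rsa line whose modulus has exactly `bits` bits (not a real key)."""
    n = (1 << (bits - 1)) | 1  # top bit set, odd; not a product of two primes
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    prefix = options + " " if options else ""
    return f"{prefix}ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ecdsa_line(curve: str, comment: str) -> str:
    """CONSTRUCTED ecdsa-sha2-<curve> line with a dummy (invalid) curve point."""
    coord_len = {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve]
    point = b"\x04" + b"\x11" * (2 * coord_len)
    blob = (_ssh_string(f"ecdsa-sha2-{curve}".encode())
            + _ssh_string(curve.encode()) + _ssh_string(point))
    return f"ecdsa-sha2-{curve} {base64.b64encode(blob).decode()} {comment}"


def parse_public_key(b64: str) -> dict:
    """Return {'type': ..., 'bits': ...} for one base64-encoded public key blob."""
    blob = base64.b64decode(b64)
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode()
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent e
        n, _ = _read_string(blob, off)             # modulus n
        return {"type": key_type, "bits": int.from_bytes(n, "big").bit_length()}
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)             # p is the first of p, q, g, y
        return {"type": key_type, "bits": int.from_bytes(p, "big").bit_length()}
    if key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)
        sizes = {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}
        return {"type": key_type, "bits": sizes.get(curve, 0)}
    if key_type == "ssh-ed25519":
        return {"type": key_type, "bits": 256}
    return {"type": key_type, "bits": 0}


def audit_authorized_keys(text: str) -> list:
    """Return (line_no, key_type, bits, acceptable) for every key line in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # keeps quoted option values such as from="..." together
            idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
            if idx is None or idx + 1 >= len(fields):
                raise ValueError("no key type/blob found")
            info = parse_public_key(fields[idx + 1])
        except (ValueError, struct.error):
            findings.append((line_no, "unparseable", 0, False))
            continue
        if info["type"] in ("ssh-rsa", "ssh-dss"):
            ok = info["bits"] >= MIN_RSA_DSA_BITS
        else:
            ok = info["type"] == "ssh-ed25519" or info["type"].startswith("ecdsa-sha2-")
        findings.append((line_no, info["type"], info["bits"], ok))
    return findings


# Constructed sample authorized_keys content (not real keys).
SAMPLE = "\n".join([
    "# keys for alice",
    make_rsa_line(3072, "alice@laptop"),
    make_rsa_line(1024, "alice@old-box"),
    make_ecdsa_line("nistp384", "alice@tablet"),
    make_rsa_line(2048, "deploy@ci", options='from="10.0.0.0/8",no-pty'),
])

if __name__ == "__main__":
    for line_no, key_type, bits, ok in audit_authorized_keys(SAMPLE):
        print(f"line {line_no}: {key_type} {bits}-bit {'ok' if ok else 'BELOW POLICY'}")
```

Run against a real file with `audit_authorized_keys(open("/path/to/authorized_keys").read())`; the 1024-bit line in the constructed sample is the case the note says not to accept. Lines that begin with options (such as `from=` or `no-pty`) are handled by locating the key-type field rather than assuming it comes first, and a line whose blob cannot be decoded is reported as unparseable rather than silently skipped.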

These instructions assume that the client user is allowed to log in to the remote host, where Tectia Server is running, using password authentication.