SSH

Creating Keys with Public-Key Authentication Wizard

On Windows, you can use the Tectia Public-Key Authentication Wizard to generate a key pair. The wizard will generate two key files, your private key and your public key, and store them in the %APPDATA%\SSH\UserKeys directory on your local computer. The public key has .pub as the file extension, and the private key file has the same base file name as the public key but no file extension.

Public key pairs can also be generated with the command line tool ssh-keygen-g3. For instructions, see Client User Manual .

  1. Open the Tectia Connections Configuration GUI by clicking the Tectia icon in the Windows taskbar notification area or on the Tectia Client toolbar.

  2. Go to User Authentication and select the Keys and Certificates page. Click New key.

    Tectia Connections Configuration GUI, Keys and Certificates view

    Figure 4.2. Tectia Connections Configuration GUI, Keys and Certificates view


  3. The Public-Key Authentication Wizard starts.

    The Public-Key Authentication Wizard

    Figure 4.3. The Public-Key Authentication Wizard


  4. Define the key properties and the required passphrase to protect your key pair.

    File Name

    Type a unique name for the key file. The wizard suggests a name consisting of your user name and the host name.

    Comment

    Write a short comment that describes the key pair. For example, describe the connection the key is used for. The wizard suggests a comment consisting of the key length and type, your user name and the host name, and the current date and time. This field is not obligatory, but it helps to identify the key later.

    Passphrase

    Type a phrase that is difficult to guess. Use ideally at least 20 characters, both letters and numbers. Any punctuation characters can be used as well. While the passphrase or private key is never sent over the network, a dictionary attack can be used against a private key if it is accessible locally. For ease of use, an authentication agent is recommended instead of leaving the passphrase empty. By default ssh-broker-g3 functions as an authentication agent.

    [Note]Note

    In FIPS mode, due to a FIPS regulation which forbids exporting unencrypted private keys out of the FIPS module, it is not possible to generate user keys without a passphrase.

    If the key pair will be used for automated jobs, you can leave the passphrase field empty to generate the key without a passphrase.

    You will be requested to enter the passphrase always when using the keys to authenticate yourself. The passphrase works in a way similar to a password and gives some protection for your private key.

    Memorize the passphrase carefully, and do not write it down.

    Retype passphrase

    Type the passphrase again. This ensures that you have not made a typing error.

  5. Click the Advanced Options if you want to define the type and/or length of the key to be generated to be different from the defaults. By default, Tectia Client generates a pair of 3072-bit RSA keys.

    In the Key Properties area, you can define the following:

    Key Type

    Select the type of the key to be generated. Available options are Ed25519, RSA, ECDSA and DSA.

    [Note]Note

    In FIPS mode (conforming to FIPS 186-5) RSA, ECDSA and Ed25519 are supported. DSA has been deprecated.

    Key Length

    Select the length (complexity) of the key to be generated. Available options are:

    • DSA/RSA keys: 2048, 3072, 4096, 5120, 6144, 7168, 8192 bits

    • ECDSA keys: 256, 384, 521 bits

    • Ed25519 keys: 256 bits

    Larger keys of the same key type are more secure, but also slower to generate. A 256-bit ECDSA key and a 3072-bit RSA key provide equivalent security.

  6. Click Next to proceed to uploading the key. The wizard continues with Step 3 in Uploading Public Keys Automatically.

Uploading existing public keys to new remote servers is instructed in Uploading Public Keys Automatically.