Public-key authentication is based on the use of digital signatures
and provides very good authentication security. To use public-key
authentication, the user must first create a key pair on the client, and
upload the public key to the server. The default directory for the user's
public keys is $HOME/.ssh2/authorized_keys on Unix and
%USERPROFILE%\.ssh2\authorized_keys on Windows. The default
location can be changed with the authorized-keys-directory
attribute in the ssh-server-config.xml file.
See auth-publickey.
To enable public-key authentication on the server, the
authentication-methods element of the
ssh-server-config.xml file must contain an
auth-publickey element. For example:
  <authentication-methods>
    <authentication action="allow">
      <auth-publickey authorized-keys-directory="%D/.ssh2/authorized_keys" />
      ...
    </authentication>
  </authentication-methods>
Other authentication methods can also be allowed.
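One way to check a server configuration for the setting described above, as an added example that is not part of the product or its documentation: the script parses the authentication-methods element, reports whether an allow block contains auth-publickey, and lists any authorized-keys-directory that differs from the value in the example. The sample fragments, the /opt/keys path and the use of auth-password as the other method are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# authorized-keys-directory value shown in the page's example
PAGE_EXAMPLE_DIR = "%D/.ssh2/authorized_keys"

# Constructed sample fragments (not taken from a real server).
SAMPLE_ENABLED = """<authentication-methods>
  <authentication action="allow">
    <auth-publickey authorized-keys-directory="%D/.ssh2/authorized_keys" />
  </authentication>
</authentication-methods>"""
# Constructed: key directory moved to a made-up path.
SAMPLE_RELOCATED = SAMPLE_ENABLED.replace(PAGE_EXAMPLE_DIR,
                                          "/opt/keys/authorized_keys")
# Constructed: an allow block without auth-publickey (auth-password assumed).
SAMPLE_PASSWORD_ONLY = """<authentication-methods>
  <authentication action="allow"><auth-password /></authentication>
</authentication-methods>"""


def audit_publickey(xml_text):
    """Return one finding per <authentication> block under <authentication-methods>."""
    root = ET.fromstring(xml_text)
    findings = []
    for methods in root.iter("authentication-methods"):
        for auth in methods.iter("authentication"):
            pk = auth.find("auth-publickey")  # direct child of this block only
            findings.append({
                "action": auth.get("action"),
                "publickey": pk is not None,
                "keys_dir": None if pk is None
                            else pk.get("authorized-keys-directory"),
                "methods": sorted(c.tag for c in auth if c.tag.startswith("auth-")),
            })
    return findings


def publickey_enabled(xml_text):
    """True if at least one action="allow" block contains auth-publickey."""
    return any(f["publickey"] and f["action"] == "allow"
               for f in audit_publickey(xml_text))


def relocated_key_dirs(xml_text):
    """Key directories that differ from the one in the page's example."""
    return [f["keys_dir"] for f in audit_publickey(xml_text)
            if f["keys_dir"] and f["keys_dir"] != PAGE_EXAMPLE_DIR]


if __name__ == "__main__":
    for name in ("SAMPLE_ENABLED", "SAMPLE_RELOCATED", "SAMPLE_PASSWORD_ONLY"):
        print(name, publickey_enabled(globals()[name]), relocated_key_dirs(globals()[name]))
```

A relocated key directory is worth reviewing by hand, since whoever can write to that directory controls which keys are accepted.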
By using selectors, it is possible to allow or require public-key authentication only for a specified group of users. See the section called “Selectors” for more information.
On Windows, using the SSH Tectia Server Configuration tool, public-key authentication can be allowed on the Authentication page. See Authentication.