Public-key authentication is based on the use of digital signatures and provides very good authentication security. To use public-key authentication, the user must first create a key pair on the client, and upload the public key to the server.
The default directory where SSH Tectia Server stores the users' public keys is
$HOME/.ssh2/authorized_keys
on Unix, and
%USERPROFILE%\.ssh2\authorized_keys
on Windows. The directory
can be changed with the authorized-keys-directory
attribute in the ssh-server-config.xml
file. See auth-publickey.
The user is required to have the read
rights, (and
optionally the write
rights) to the public-key files and
directories, but the locations must not be accessible to other users. The
read
permissions are required for the
key.pub
file, the authorized_keys
directory, and to the authorization
file, if used.
The write
permission to these files are needed if the users
are allowed to upload their own keys to the server.
To enable public-key authentication on the server, the
authentication-methods
element of the
ssh-server-config.xml
file must contain an
auth-publickey
element. For example:
<authentication-methods> <authentication action="allow"> <auth-publickey authorized-keys-directory="%D/.ssh2/authorized_keys" /> ... </authentication> </authentication-methods>
Also other authentication methods can be allowed.
By using selectors, it is possible to allow or require public-key authentication only for a specified group of users. See Using Selectors in Configuration File for more information.
Using the SSH Tectia Server Configuration tool, public-key authentication can be allowed on the Authentication page. See Authentication.