Public-key authentication is based on the use of digital signatures and provides very good authentication security. To use public-key authentication, the user must first create a key pair on the client, and upload the public key to the server.
The default directory where Tectia Server stores the users' public keys is
$HOME/.ssh2/authorized_keys on Unix, and
%USERPROFILE%\.ssh2\authorized_keys on Windows. The directory can be changed
authorized-keys-directory attribute in the
ssh-server-config.xml file. See
The user is required to have the
read rights, (and optionally
write rights) to the public-key files and directories, but the locations must
not be accessible to other users. The
read permissions are required for the
key.pub file, the
authorized_keys directory, and
authorization file, if used. The
write permission to
these files are needed if the users are allowed to upload their own keys to the server.
To enable public-key authentication on the server, the
authentication-methods element of the
must contain an
auth-publickey element. For example:
<authentication-methods> <authentication action="allow"> <auth-publickey authorized-keys-directory="%D/.ssh2/authorized_keys" /> ... </authentication> </authentication-methods>
Also other authentication methods can be allowed.
By using selectors, it is possible to allow or require public-key authentication only for a specified group of users. See Using Selectors in Configuration File for more information.
Using the Tectia Server Configuration tool, public-key authentication can be allowed on the Authentication page. See Authentication.