Add the ECDSA algorithms (remove any key sizes you do not wish to allow) to the list of
auth-publickey signature-algorithms (within the
<authentication-methods> element) in your
<auth-publickey signature-algorithms="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, \
    ecdsa-sha2-nistp521,ssh-dss,ssh-rsa,email@example.com, \
    firstname.lastname@example.org,x509v3-sign-dss,x509v3-sign-rsa, \
    email@example.com, firstname.lastname@example.org">
  <key-selection policy="automatic">
  </key-selection>
</auth-publickey>
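To confirm that the edited element enables only the ECDSA key sizes you decided to allow, the following added example (not part of the Tectia documentation) parses the signature-algorithms attribute and compares it with a local policy. The sample XML is constructed, audit_ecdsa and the allowed-curve list are hypothetical, and the backslash stripping assumes the "\" marks in the listing above are line-continuation marks.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the auth-publickey element above.
# Element and attribute names are from the page; the algorithm list is shortened.
SAMPLE = """
<authentication-methods>
  <auth-publickey signature-algorithms="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
      ecdsa-sha2-nistp521,ssh-dss,ssh-rsa,x509v3-sign-dss,x509v3-sign-rsa">
    <key-selection policy="automatic"/>
  </auth-publickey>
</authentication-methods>
"""

ECDSA_PREFIX = "ecdsa-sha2-"


def signature_algorithms(xml_text):
    """Return the algorithm names from every auth-publickey element, in order."""
    root = ET.fromstring(xml_text)
    names = []
    for elem in root.iter("auth-publickey"):
        raw = elem.get("signature-algorithms", "")
        for item in raw.split(","):
            # Assumption: a backslash is only a continuation mark, never part of a name.
            name = item.replace("\\", "").strip()
            if name:
                names.append(name)
    return names


def audit_ecdsa(xml_text, allowed_curves):
    """Compare the enabled ECDSA curves with a local policy (hypothetical helper)."""
    enabled = {
        name[len(ECDSA_PREFIX):]
        for name in signature_algorithms(xml_text)
        if name.startswith(ECDSA_PREFIX)
    }
    allowed = set(allowed_curves)
    return {
        "enabled": sorted(enabled),
        "not_allowed": sorted(enabled - allowed),  # enabled but outside the policy
        "missing": sorted(allowed - enabled),      # in the policy but not enabled
    }


if __name__ == "__main__":
    # Example policy: allow only the 256-bit and 384-bit curves.
    print(audit_ecdsa(SAMPLE, ["nistp256", "nistp384"]))
```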
To enable ECDSA keys for X.509, also add the following to the
Create the ECDSA user key with ssh-keygen-g3. For more information on ssh-keygen-g3, refer to the Tectia Client User Manual.
Use ssh-keygen-g3 with -t ecdsa. Once generated, the resulting .pub file should be uploaded to the target server.
Do this under the correct user account. The example below uses the root user.
[root@host ~]# ssh-keygen-g3 -t ecdsa
Generating 256 bits ECDSA key on nistp256 curve
Key generated.
256-bit ecdsa, email@example.com, Mon Aug 24 2015 09:57:24 -0400
Passphrase :
Again :
Key is stored with NULL passphrase...
...
Private key saved to /root/.ssh2/id_ecdsa_256_a
Public key saved to /root/.ssh2/id_ecdsa_256_a.pub