Public-key authentication is based on the use of digital signatures and provides very good authentication security. To use public-key authentication, the user must first create a key pair on the client, and upload the public key to the server.
The default directory where SSH Tectia Server stores the users' public keys is
$HOME/.ssh2/authorized_keys on Unix, and
%USERPROFILE%\.ssh2\authorized_keys on Windows. The directory can be changed with the
authorized-keys-directory attribute in the
ssh-server-config.xml file. See auth-publickey.
The user is required to have the
read rights, (and optionally the
write rights) to the public-key files and directories, but the locations must not be accessible to other users. These user-specific rights are required for the
key.pub file, the
authorized_keys directory, and to the
authorization file, if used.
To enable public-key authentication on the server, the
authentication-methods element of the
ssh-server-config.xml file must contain an
auth-publickey element. For example:
<authentication-methods> <authentication action="allow"> <auth-publickey authorized-keys-directory="%D/.ssh2/authorized_keys" /> ... </authentication> </authentication-methods>
Also other authentication methods can be allowed.
By using selectors, it is possible to allow or require public-key authentication only for a specified group of users. See Using Selectors in Configuration File for more information.
On Windows, using the SSH Tectia Server Configuration tool, public-key authentication can be allowed on the Authentication page. See Authentication.
SSH Tectia Server 4.x (and earlier) required an authorization file that listed the user public keys that are authorized for login. Using the authorization file with SSH Tectia Server 5.0 and later is optional. If the file does not exist, SSH Tectia Server looks for authorized public keys in the
authorized-keys-directory (as described in User Authentication with Public Keys above), and if that fails, in the default directory for user public-keys.
The default location for the authorization file is
$HOME/.ssh2/authorization on Unix, and
%USERPROFILE%\.ssh2\authorization on Windows. The file location can be changed with the authorization-file attribute in the
ssh-server-config.xml file. See auth-publickey.
The authorization file contains a list of public key filenames each preceded by the keyword
Key. If there is more than one
Key, they are all authorized for login. For more information on the syntax of the authorization file, see
$HOME/.ssh2/authorization (user-specific) under the section called “Files”.
SSH Tectia Client on Windows can upload the public keys and edit the authorization file automatically.
SSH Tectia Server supports also user public keys generated with OpenSSH. The OpenSSH keys can be configured the same way as described above for keys generated with SSH Tectia Client.
Alternatively, the OpenSSH-style authorized keys file can be specified in the
ssh-server-config.xml file by using the
openssh-authorized-keys-file attribute. See auth-publickey. An example configuration is shown below:
<authentication-methods> <authentication action="allow"> <auth-publickey authorization-file="%D/.ssh2/authorization" openssh-authorized-keys-file="%D/.ssh/authorized_keys" /> ... </authentication> </authentication-methods>
SSH Tectia Server checks the file defined in
openssh-authorized-keys-file if it cannot find a matching key in the SSH Tectia
authorization-file or the
authorized-keys-directory. Public keys defined in the SSH Tectia locations have precedence over the keys in the OpenSSH file if the same key is defined in both.
On the SSH Tectia Server for Windows, the recommended location for public keys is the
%USERPROFILE%\.ssh2 directory. This location reflects the standard Unix usage and works with the default settings of SSH Tectia Client automatic key upload, and the user's profile directory always has the appropriate access permissions (set by the operating system during the account creation).
The user configuration directory can be changed on the General page of the SSH Tectia Server Configuration tool. See General.
If users need to manage their public keys themselves, the administrator should inform the users about the location of the user configuration directory. Otherwise, the administrator has to place the user's public keys in the proper directory.
SSH Tectia Client uses SFTP for the automatic uploading of the public key. It will not succeed if the user configuration directory has been set to a location that is not under the user's SFTP home directory. By default, both directories are under
If you want to enable automatic public-key upload for the users, change both the user configuration directory and the SFTP user home directory to point to the same directory. See SFTP.
For example, set
D:\SFTP\%username% as the SFTP user home directory and
D:\SFTP\%username%\.ssh2 as the user configuration directory.
See also the general considerations on user name handling in User Logon Rights on Windows.