Public-key authentication is based on the use of digital signatures and provides very good authentication security. To use public-key authentication, the user must first create a key pair on the client, and upload the public key to the server.
The default directory where SSH Tectia Server stores the users' public keys is
$HOME/.ssh2/authorized_keys on Unix, and
%USERPROFILE%\.ssh2\authorized_keys on Windows. The directory
can be changed with the
attribute in the
ssh-server-config.xml file. See auth-publickey.
The user is required to have the
read rights, (and optionally the
write rights) to the public-key files and directories, but the locations
must not be accessible to other users. These
user-specific rights are required for the
authorized_keys directory, and to the
authorization file, if used.
To enable public-key authentication on the server, the
authentication-methods element of the
ssh-server-config.xml file must contain an
auth-publickey element. For example:
<authentication-methods> <authentication action="allow"> <auth-publickey authorized-keys-directory="%D/.ssh2/authorized_keys" /> ... </authentication> </authentication-methods>
Also other authentication methods can be allowed.
By using selectors, it is possible to allow or require public-key authentication only for a specified group of users. See Using Selectors in Configuration File for more information.
On Windows, using the SSH Tectia Server Configuration tool, public-key authentication can be allowed on the Authentication page. See Authentication.
SSH Tectia Server 4.x (and earlier) required an authorization file that listed the
user public keys that are authorized for login. Using the authorization file
with SSH Tectia Server 5.0 and later is optional. If the file does not exist, SSH Tectia Server looks for
authorized public keys in the
described in User Authentication with Public Keys above), and if that fails, in the
default directory for user public-keys.
The default location for the authorization file is
$HOME/.ssh2/authorization on Unix, and
%USERPROFILE%\.ssh2\authorization on Windows. The file
location can be changed with the authorization-file
attribute in the
The authorization file contains a list of public key filenames each
preceded by the keyword
Key. If there is more than one
Key, they are all authorized for login. For more
information on the syntax of the authorization file,
$HOME/.ssh2/authorization (user-specific) under
the section called “Files”.
SSH Tectia Client on Windows can upload the public keys and edit the authorization file automatically.
SSH Tectia Server supports also user public keys generated with OpenSSH. The OpenSSH keys can be configured the same way as described above for keys generated with SSH Tectia Client.
Alternatively, the OpenSSH-style authorized keys file can
be specified in the
ssh-server-config.xml file by using the
An example configuration is shown below:
<authentication-methods> <authentication action="allow"> <auth-publickey authorization-file="%D/.ssh2/authorization" openssh-authorized-keys-file="%D/.ssh/authorized_keys" /> ... </authentication> </authentication-methods>
SSH Tectia Server checks the file defined in
if it cannot find a matching key in the SSH Tectia
authorization-file or the
authorized-keys-directory. Public keys defined in the SSH Tectia
locations have precedence over the keys in the OpenSSH file if the same key
is defined in both.
On the SSH Tectia Server for Windows, the recommended location for public keys is the
%USERPROFILE%\.ssh2 directory. This location reflects the
standard Unix usage and works with the default settings of SSH Tectia Client automatic
key upload, and the user's profile directory always has the appropriate access
permissions (set by the operating system during the account
The user configuration directory can be changed on the General page of the SSH Tectia Server Configuration tool. See General.
If users need to manage their public keys themselves, the administrator should inform the users about the location of the user configuration directory. Otherwise, the administrator has to place the user's public keys in the proper directory.
SSH Tectia Client uses SFTP for the automatic uploading of the public key.
It will not succeed if the user configuration directory has been set to a
location that is not under the user's SFTP home directory. By default, both
directories are under
If you want to enable automatic public-key upload for the users, change both the user configuration directory and the SFTP user home directory to point to the same directory. See SFTP.
For example, set
D:\SFTP\%username% as the SFTP user home
D:\SFTP\%username%\.ssh2 as the user configuration
See also the general considerations on user name handling in User Logon Rights on Windows.