Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia

Advantages and Disadvantages of Public-Key Authentication

Public-key authentication with Secure Shell is more secure than password authentication, as it provides much stronger identity checking. An entity must possess both the private key and the correct passphrase to authenticate itself to another entity.

A malicious user would have to obtain the private key of a legitimate user before being able to mount a brute-force or dictionary attack to discover the user's passphrase.

When servers authenticate themselves to users, public-key authentication provides a better guarantee for the user that the server is the server the user intended to connect to. A malicious user cannot pose as a legitimate server without obtaining that server's host key, since the user would otherwise be warned that the host identification had changed.

This highlights another crucial security concern of public-key authentication. The private key file must be secret, and no one else except the owner must gain access to it. This is especially true for the private keys of servers since they typically do not have a passphrase, and anyone with the server's host key pair would be able to pose as that server.

To improve security, the private key can often be stored on a hardware cryptographic device such as a smart card or a USB token. This way, the private key file cannot be accessed by malicious users, even if they were able to gain remote access to the system, since the private key is not stored on the hard drive. See Certificates and Keys on Smart Cards for more information.

In Secure Shell, public-key authentication can be used together with an authentication agent for non-interactive logins (see Authentication Agents and Key Providers). Alternatively, the private key can be stored with an empty passphrase, but this is not recommended as it removes a layer of security.

The added security of public-key authentication comes at the cost of some added work. The user's public key must be distributed to all of the servers that the user wishes to authenticate to. This can be cumbersome in large environments. However, SSH Tectia Manager can be used to ease the distribution.

The following list sums up the advantages and disadvantages of using public-key authentication with SSH Tectia.


  • More secure than passwords: A malicious user must obtain both the private key and the corresponding passphrase to pose as a legitimate user.

    • Provides stronger identity checking through secret private keys.

  • Non-interactive login is possible.


  • If the private keys cannot be protected, security is no better than with password authentication.

  • Not very scalable: Distribution of public keys can be cumbersome in large environments. However, SSH Tectia Manager enables automatic distribution of server host keys.


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more