
Secure Shell

Use the Secure Shell panel to manage the public and private keys needed for secure shell (SSH) connections.

Known Hosts List

The known hosts list contains the public keys of hosts that the terminal emulator can connect to using secure shell. When an SSH connection is negotiated, the client compares the host key presented by the server against this list; a host whose key is not listed, or whose listed key does not match the one presented, cannot be verified.

The table displays the hosts that are known by the Management and Security Server. These hosts can be used by all clients, similar to the default user key pair.

To add a host to the list of known hosts, import a file that contains the host's public key.

  1. On the host, in the /etc/ssh directory, locate the file that contains the host's public key, such as ssh_host_<algorithm>_key.pub. Take the file from the host itself or over a channel you already trust: whatever key you import here is the key every client will accept for that host.

    The format of the file can be OpenSSH, Base64-encoded DER, or .PFX.

  2. Add the hostname,ip prefix if the file does not already contain that information.

    That is, be sure the file contains a single line of the form hostname,ip algorithm key (the trailing comment that OpenSSH writes after the key is not needed). For example:

    mySSHhost,10.10.1.1 ssh-rsa AAAAB3NzaB1yc2EAAAABIwAAAIEA0WR3aIRtilXquUmXtxw5oi3rMkhY9jw/lV03WvUNvSb/xQnIfoMeserY5DfU8+eqUPzLX0efJMik22VFAzFo+ZCOnlHbj39yNi2a1/7dAJYECaHo7pxhILHAZxXbwOpWSms3aaccWOOEA+Fyzv8DpppQ9WrpD/fWVvXWNGR22sU=
    
  3. On the Secure Shell panel, under Known Hosts List, click +IMPORT.

  4. Click UPLOAD. Select the file containing the public key to upload to the MSS Server.

  5. Enter the required information:

    Public key file password: if required.

    Host name: as specified in the public key file. The name you enter must exactly match the hostname in the public key. For example, if the hostname in the key is hostname.example.com, and you enter hostname, the import will not work.

    Host IP address: as specified in the public key file, if present. If there is no IP address in the public key file, leave this field blank.

  6. Click IMPORT.

This host now displays in the Known Hosts List.
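The prefix step above is easy to get subtly wrong: the host name typed into the import form must be exactly the name in the file, and the algorithm word must describe the key that follows it. The following is an added example, not part of the Management and Security Server product or its documentation, that builds the hostname,ip algorithm key line from a .pub file's contents and checks both conditions before you upload. The sample key line is constructed in code (an ssh-ed25519 blob whose 32 key bytes are a counting pattern, not a real host key); the function and variable names are this example's own.

```python
import base64
import struct
from typing import Optional, Tuple

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then the data."""
    return struct.pack(">I", len(data)) + data

# Constructed sample standing in for /etc/ssh/ssh_host_ed25519_key.pub.
# The key bytes are a counting pattern, not a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUB_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
                   + " root@mysshhost")

# A bare .pub line starts with the algorithm name; these prefixes cover the
# OpenSSH key types (ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-*, sk-*).
ALGORITHM_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def embedded_key_type(blob: bytes) -> str:
    """Return the algorithm name stored in the first SSH string of a key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        raise ValueError("key blob truncated")
    return blob[4:4 + length].decode("ascii")

def parse_pub_line(line: str) -> Tuple[Optional[str], str, str]:
    """Split a key line into (host field or None, algorithm, base64 key).

    Accepts a bare .pub line ('alg key [comment]') and a line that already
    carries the 'hostname,ip' prefix; any trailing comment is dropped.
    """
    fields = line.strip().split()
    if len(fields) >= 2 and fields[0].startswith(ALGORITHM_PREFIXES):
        return None, fields[0], fields[1]
    if len(fields) >= 3 and fields[1].startswith(ALGORITHM_PREFIXES):
        return fields[0], fields[1], fields[2]
    raise ValueError("not an OpenSSH public key line: %r" % line)

def make_known_hosts_line(pub_line: str, hostname: str, ip: Optional[str] = None) -> str:
    """Produce the 'hostname,ip algorithm key' line the import expects.

    Rejects a base64 blob whose embedded type differs from the declared
    algorithm, and, when the file already names a host, a hostname (or IP)
    that does not match it exactly, e.g. 'hostname' entered for a file that
    says 'hostname.example.com'.
    """
    hosts, algorithm, b64 = parse_pub_line(pub_line)
    blob = base64.b64decode(b64, validate=True)
    actual = embedded_key_type(blob)
    if actual != algorithm:
        raise ValueError("line says %s but the key blob is %s" % (algorithm, actual))
    if hosts is not None:
        existing = hosts.split(",")
        if existing[0] != hostname:
            raise ValueError("file names host %r; enter exactly that name, not %r"
                             % (existing[0], hostname))
        if len(existing) > 1:
            if ip is None:
                ip = existing[1]          # keep the address already in the file
            elif existing[1] != ip:
                raise ValueError("file gives IP %s, not %s" % (existing[1], ip))
    host_field = hostname if ip is None else "%s,%s" % (hostname, ip)
    return "%s %s %s" % (host_field, algorithm, b64)

if __name__ == "__main__":
    print(make_known_hosts_line(SAMPLE_PUB_LINE, "mysshhost", "10.10.1.1"))
```

Run it against the real file with the host name and address you intend to type into the form; if it raises, the import would have failed or, worse, succeeded for the wrong name.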

Shared User Key Pair

A user key pair is a public and private key used to authenticate a web-based client to a secure shell host. Although each user typically has a unique key pair, one key pair can be shared among users. Keep in mind that every client that receives the shared private key authenticates to the host as the same identity, so the host cannot tell those users apart.

To share a user key pair, choose one of these methods:

+ GENERATE

The generated user key pair will be stored on the Management and Security Server and automatically deployed to Reflection for the Web clients.

To generate a key pair, enter the required information:

  • Key algorithm: RSA (the default) or DSA. Prefer RSA: SSH DSA keys are fixed at 1024 bits, and OpenSSH has disabled ssh-dss keys by default since version 7.0, so many hosts will refuse a DSA user key.

  • Encryption key length: the size of the public and private keys, in bits. Longer keys are more secure but take more time to generate; for RSA, use at least 2048 bits.

When you click APPLY, the key pair is created in the MSSData/trustedcerts folder as sshclient.bcfks, and the details are displayed in this panel.

+ IMPORT

A public key and its associated private key pair can be imported from a local workstation.

To import a key pair to the Management and Security Server:

  1. Click UPLOAD. Select the file containing the key pair to upload to the MSS Server.

  2. If the keys are in OpenSSH format files, upload the public key first, followed by the private key. The public key must have the same name as the private key and a .pub extension.

  3. If the keys are in a .PFX format file, upload that one file.

  4. Enter the Password that protects the private key. If the file is not protected, leave this field blank.

  5. If the file contains multiple certificates, enter the Friendly name of the one associated with the desired key pair. Otherwise, leave this field blank.

  6. Click IMPORT. The key pair file is created in the MSSData/trustedcerts folder, and the details are displayed on this panel.

EXPORT

You can export the shared user public key or key pair to an OpenSSH or SECSH format file.

  1. Specify a file name for export; for example, id_rsa. The public key is written to a file with this name and a .pub extension. If you also select the private key for export, it is written to a file with this name and no extension.

    The file or files are packaged in a zip file and downloaded to your browser.

  2. Check or enter the required information:

    • Export the private key with the public key - otherwise, only the public key is exported.

    • Key file name - a name for the file that will be created by the export operation.

      Enter the name for the private key (the file name with no extension) even if you are exporting only the public key.

    • Private key passphrase (optional) - if you are exporting the private key, you can protect it with a password you enter here.

      Note

      The password does not apply to the public key.

Shared User Key Pair Details

  • Public Key Algorithm - the algorithm used to generate this key pair.

  • Public Key Fingerprint (SHA-1) - A message digest of the public key made using the SHA-1 algorithm. A host administrator can compare this fingerprint with the one computed from the public key installed on the host to confirm that both refer to the same key.

  • Public Key Fingerprint (MD5) - A message digest of the public key made using the MD5 algorithm. Note that ssh-keygen -l prints a SHA-256 fingerprint by default; run ssh-keygen -l -E md5 -f <file>.pub to display the MD5 form for comparison with this panel.
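When comparing the fingerprints shown on this panel with what a host administrator sees, the digest is always taken over the raw key blob (the decoded base64 field of the key line), not over the text of the file. The following is an added example, not part of the product or its documentation, that computes the SHA-1 and MD5 digests in the colon-separated hex form and the SHA-256 digest in the SHA256:<base64> form that OpenSSH prints by default, and compares two fingerprints while ignoring differences in prefix, separators and letter case. The sample blob is constructed (an ssh-ed25519 key whose key bytes are a counting pattern, not a real key), and the function names are this example's own.

```python
import base64
import hashlib

# Constructed sample: an ssh-ed25519 public key blob (SSH string "ssh-ed25519"
# followed by a 32-byte SSH string). The key bytes are a counting pattern.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_LINE = "mysshhost,10.10.1.1 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

def key_blob_from_line(line: str) -> bytes:
    """Decode the base64 key field of 'alg key [comment]' or 'hosts alg key [comment]'."""
    fields = line.split()
    # A bare .pub line starts with the algorithm; a known_hosts-style line
    # starts with the host field, so the key moves one field to the right.
    index = 1 if fields[0].startswith(("ssh-", "ecdsa-", "sk-")) else 2
    return base64.b64decode(fields[index], validate=True)

def _colon_hex(hexdigest: str) -> str:
    """Group a hex digest into colon-separated byte pairs: d4:1d:8c:..."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprint_md5(blob: bytes) -> str:
    """MD5 fingerprint as 'ssh-keygen -l -E md5' prints it: MD5:xx:xx:..."""
    return "MD5:" + _colon_hex(hashlib.md5(blob).hexdigest())

def fingerprint_sha1(blob: bytes) -> str:
    """SHA-1 fingerprint as colon-separated hex (the digest the panel labels SHA-1)."""
    return _colon_hex(hashlib.sha1(blob).hexdigest())

def fingerprint_sha256(blob: bytes) -> str:
    """SHA-256 fingerprint as OpenSSH prints it by default: SHA256:<base64 without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def fingerprints_match(shown: str, computed: str) -> bool:
    """True if two fingerprints denote the same digest, ignoring an MD5:/SHA1:/SHA256:
    prefix, colon separators, whitespace, base64 padding and (for hex) letter case."""
    def normalise(fp: str) -> str:
        fp = fp.strip()
        for prefix in ("MD5:", "SHA1:", "SHA256:"):
            if fp.upper().startswith(prefix):
                fp = fp[len(prefix):]
        fp = fp.replace(":", "").replace(" ", "").rstrip("=")
        is_hex = all(c in "0123456789abcdefABCDEF" for c in fp)
        return fp.lower() if is_hex else fp
    return normalise(shown) == normalise(computed)

if __name__ == "__main__":
    blob = key_blob_from_line(SAMPLE_LINE)
    print(fingerprint_sha1(blob))
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
```

Feed key_blob_from_line the line from the exported .pub file (or the host's authorized_keys entry) and compare the result with the panel's value using fingerprints_match; a mismatch means the key the host trusts is not the one deployed to clients.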