User Keys (Secure Shell Settings)

Use the User Keys section under the User Authentication option of the Secure Shell Settings dialog box to create and manage the keys that authenticate your client session to the host.

Reflection maintains a list of available user keys. To specify which key or keys you want Reflection to use for authentication to the current host, select one or more check boxes in the Use column (or enable Use all keys for authenticating to the host).

The list of keys includes:

  • Keys you have created using the User Key Generation dialog box.

  • Keys you have added using the Import button.

  • Keys you have copied manually to the Secure Shell folder.

  • Keys and certificates in the Key Agent.

  • User and Authentication Agent keys copied during migration of F-Secure settings.

  • Certificates in the Windows Certificate Manager in your personal store.

  • Certificates in the Reflection Certificate Manager in your personal store.

The following key management tools are also available:

User keys

Select keys to use for authenticating to the host:

Generate ( )

Opens the User Key Generation dialog box, which you can use to configure a public/private key pair for user key authentication.

View ( )

Displays the contents of the selected key or certificate.

Upload ( )

Upload a public key to the currently specified host. The utility automatically detects the host type and uploads the key by default using appropriate settings for this host. After the secure connection to the host has been established, a dialog box appears, displaying information about where on the host to upload the key. In most cases you do not need to change these settings.

If the host or key type determined by the utility is incorrect, you can configure host-specific values for key uploads by setting the ServerKeyFormat and ServerStyle keywords in the Secure Shell configuration file.

The public key is transferred using the secure SFTP protocol. You will need the ability to use password authentication (or another authentication method) in order to upload the public key. Once the public key is successfully uploaded, you may disable other authentication methods.

Import ( )

Add a private key to the list of available keys. You can use this feature to provide easy access to keys created using other applications. Importing a key copies it to the Secure Shell folder.

Export ( )

Export a public key or public/private key pair.

Delete ( )

Deletes the selected key.

Change Passphrase ( )

Change the passphrase used to protect the selected key.

Add to Key Agent ( )

Adds the selected key to the Key Agent. If you have not yet started the Key Agent for the first time, or if the Key Agent is locked, you will be prompted to enter the Key Agent passphrase. In addition, you will be prompted to enter the private key's passphrase before the key can be added to the agent.

Authentication options

Use all keys for authenticating to the host

When this option is selected, the client attempts to authenticate with all the listed keys, regardless of whether or not the Use checkbox is selected.

Prefer SSH key signature over certificate signature

This setting determines the order in which the client presents certificate signature types to the server during public key authentication. When this setting is selected (the default), the client sends the key using a standard ssh key signature first (ssh-rsa or ssh-dss). If that fails, the client tries again using a certificate signature (x509-sign-rsa or x509-sign-dss).

When this option is cleared, the client presents the certificate signature first. This can be useful in situations where the certificate key type is required and the server doesn't allow the client to attempt a second authentication using the same key with a different signature type.

Key agent

Allow Agent Forwarding

Enables forwarding of the Key Agent connection. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. Attackers cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

Add key used for authenticating to host to key agent

This setting is available when Allow agent forwarding is enabled. When it is selected and public key authentication to the server is successful, the key or certificate that was used for authentication is automatically added to the Key Agent. This key is not saved in the Key Agent, but remains available as long as the Key Agent is running.

Launch Key Agent

Launches the Key Agent.