6.4.6 Public Key Authentication

Public key authentication relies on public/private key pairs. Public key authentication can be used for both server (host) and client (user) authentication. To configure public key authentication for the Secure Shell client, you create (or import) a key pair for your client computer, then upload the public key to your host(s). You can create and manage public keys for client authentication using either the User Keys tab in the Secure Shell Settings dialog box, or the Reflection Key Agent. Depending on how you have configured your key, you may be prompted to enter a passphrase in order to complete a connection using public key authentication.

One form of public key authentication is accomplished using X.509 certificates. Reflection can be configured to authenticate using certificates managed by the Reflection Certificate Manager and/or the Windows Certificate Manager. Because certificate authentication is a form of public key authentication, public key authentication must be enabled if you use certificates for authentication.

How Public Key Authentication Works

Public key cryptography uses a pair of mathematically related keys. One of the keys is a public key, which can be freely distributed to communicating parties, and the other is a private key, which must be kept secret by the owner of the key; the private key cannot practically be derived from the public key. Data encrypted with the public key can be decrypted only with the corresponding private key, and a digital signature created with the private key can be verified only with the corresponding public key.

When keys are used for authentication, the party being authenticated creates a digital signature over session-specific data using the private key of a public/private key pair. The recipient verifies the signature with the corresponding public key, which proves that the signer holds the private key without the private key ever being transmitted. This only works if the recipient already has a trusted copy of the other party's public key: the host must have the user's public key (which is why you upload it, as described above), and the client must have a trusted copy of the host's public key, or a certificate for it issued by an authority the client trusts. A public key that is simply accepted from the peer during the connection, without being checked against such a trusted copy, proves nothing about who the peer is.
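The following Go program is an added example, not code from Reflection or from its documentation, that walks through the user-authentication half of the exchange described above. The host keeps the user's public key in OpenSSH's authorized_keys format (the "ssh-ed25519" wire blob, base64 encoded, as on a real host); the client signs a block that includes the session identifier, the username and the offered public key; the host looks the key up by its SHA256 fingerprint in the list it already trusts and verifies the signature only against that stored copy. The fields being signed are a simplified subset of the SSH_MSG_USERAUTH_REQUEST signature data from RFC 4252 section 7, and the session identifier, username and key comment are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// sshString encodes b as an SSH "string": uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// PublicKeyBlob builds the wire-format blob of an ssh-ed25519 public key,
// the same bytes that appear base64-encoded in an authorized_keys line.
func PublicKeyBlob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// AuthorizedKeysLine renders pub as one authorized_keys entry with a comment.
func AuthorizedKeysLine(pub ed25519.PublicKey, comment string) string {
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(PublicKeyBlob(pub)) + " " + comment
}

// Fingerprint returns the OpenSSH-style "SHA256:..." fingerprint of a key blob.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ParseAuthorizedKeys extracts the ssh-ed25519 keys from authorized_keys text,
// indexed by fingerprint. Comments, other key types and malformed lines are skipped.
func ParseAuthorizedKeys(text string) map[string]ed25519.PublicKey {
	keys := map[string]ed25519.PublicKey{}
	prefix := sshString([]byte("ssh-ed25519"))
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "ssh-ed25519" {
			continue
		}
		blob, err := base64.StdEncoding.DecodeString(fields[1])
		if err != nil || len(blob) != len(prefix)+4+ed25519.PublicKeySize || !bytes.HasPrefix(blob, prefix) {
			continue
		}
		keys[Fingerprint(blob)] = ed25519.PublicKey(blob[len(prefix)+4:])
	}
	return keys
}

// signedData is what the client signs. Including the session identifier binds
// the signature to this one connection, so a captured signature cannot be
// replayed on another session. (Simplified subset of RFC 4252 section 7.)
func signedData(sessionID []byte, user string, pubBlob []byte) []byte {
	var b bytes.Buffer
	b.Write(sshString(sessionID))
	b.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	b.Write(sshString([]byte(user)))
	b.Write(sshString([]byte("ssh-connection")))
	b.Write(sshString([]byte("publickey")))
	b.WriteByte(1) // boolean TRUE: a signature follows
	b.Write(sshString([]byte("ssh-ed25519")))
	b.Write(sshString(pubBlob))
	return b.Bytes()
}

// ClientSign is the client side: prove possession of the private key
// without sending it. Returns the offered public key blob and the signature.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) (pubBlob, sig []byte) {
	pubBlob = PublicKeyBlob(priv.Public().(ed25519.PublicKey))
	return pubBlob, ed25519.Sign(priv, signedData(sessionID, user, pubBlob))
}

// ServerVerify is the host side: the offered key must already be authorized
// for this user, and the signature is checked against the host's stored copy
// of the key, never against a key that arrived in the request alone.
func ServerVerify(authorized map[string]ed25519.PublicKey, sessionID []byte, user string, pubBlob, sig []byte) bool {
	pub, ok := authorized[Fingerprint(pubBlob)]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(sessionID, user, pubBlob), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample: the host's authorized_keys holds the user's key.
	authorized := ParseAuthorizedKeys("# constructed sample file\n" + AuthorizedKeysLine(pub, "alice@laptop"))
	session := []byte("constructed-session-id")
	blob, sig := ClientSign(priv, session, "alice")
	fmt.Println("fingerprint:", Fingerprint(blob))
	fmt.Println("accepted on this session:", ServerVerify(authorized, session, "alice", blob, sig))
	fmt.Println("replayed on another session:", ServerVerify(authorized, []byte("other-session"), "alice", blob, sig))
}
```

The lookup by fingerprint is what makes the "trusted copy" requirement concrete: a key that is not in authorized_keys never reaches the signature check, and a valid signature from a key the host has not been told to trust is rejected. In a deployment, the private key on the client side is what the passphrase prompt mentioned earlier protects.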