Overview of Public-Key Authentication
Public-key authentication uses a public-private key pair to log in to an SSH2 server. These key pairs are stored in identity files and are created using the Key Generation wizard. One of the identity files contains the private key that is used by SecureFX. The other identity file contains the corresponding public key and will need to be transferred to the proper location on the SSH2 server.
Note: Public keys generated using VanDyke Software products comply with the established IETF draft specification defining the format of Secure Shell public key files. This does not guarantee that SecureFX will work with public key files generated using other Secure Shell software implementations which may or may not comply with this specification.
Since there is no IETF specification defining the format of Secure Shell private key files, SecureFX may not be able to use private key files generated with other implementations. It should also be noted that, since the private key generated by SecureFX uses a different format from OpenSSH's private key, OpenSSH cannot use a VanDyke Software generated private key.
SecureFX supports SSH2 public-private key files generated with VanDyke Software products and the public-private key files generated with the OpenSSH ssh-keygen utility.
Setting up public-key authentication for an SSH2 SecureFX session is a multi-step process:
1. Create public-private key files.
2. Configure SecureFX to use public-key authentication.
3. Configure the server to recognize the public-key file.
Creating Identity Files
Global Identity File
Perform the following steps to create a global identity file.
1. Select Global Options from the Options menu.
2. In the Global Options dialog, select the SSH2 category.
3. In the SSH2 page, click on the Create Identity File... button.
4. Follow the instructions in the Key Generation wizard to create your identity files. Once your public-private key pair has been generated by the Key Generation wizard, you will be prompted for the path and filename in which your identity files will be stored. Be sure to specify a secure location for these files such that you are the only individual with access to them. The public key will be placed in a file with the same name as the private key file, but with an extension of .pub.
Note: SecureFX supports RSA, Ed25519, ECDSA, and DSA key types.
Session Specific Identity File
Perform the following steps to create a session specific identity file.
1. In the Connect dialog, select the SSH2 session with which you would like to use the identity files.
2. Click the Properties toolbar button to open the Session Options dialog. In the Connection/SSH2 category, select "Public Key" as one of your Authentication methods and click on the associated Properties button.
3. On the Public Key Properties dialog select the Use session identity file box and click on the Create Identity File... button.
4. Follow the instructions in the Key Generation wizard to create your identity files. Once your public-private key pair has been generated by the Key Generation wizard, you will be prompted for the path and filename in which your identity files will be stored. Be sure to specify a secure location for these files such that you are the only individual with access to them. The public key will be placed in a file with the same name as the private key file, but with an extension of .pub.
Note: SecureFX supports both DSA and RSA key types.
Using Your Identity Files
Once you have created your identity files, complete the following steps to make use of your identity files with SecureFX.
1. Configure the SSH2 or OpenSSH server to recognize your public-key file (instructions are provided for SSH Communications and OpenSSH servers).
2. Configure SecureFX to use the identity file with public-key authentication on the local machine.
Configure a VanDyke Software VShell® Server to Recognize Your Public-Key File
In order to use your public key, you must transfer the public-key file created by the Key Generation wizard to the appropriate user's public key folder on the VShell server (for example:
C:\Program Files\VShell\Publickey\<Username>\Identity.pub).
For more details, see Configure VShell to Recognize Your Public-Key File.
Configure an SSH Communications Server to Recognize Your Public-Key File
In order to use your public key you must transfer the public-key file created by the Key Generation wizard to the ~/.ssh2 folder on the SSH2 server. It is recommended that you follow the procedure below to create a copy of the public-key file in the ~/.ssh2 folder on the remote machine.
The procedure outlined here assumes that you have the same account on both the SSH2 server and the FTP server and that they share files. If this is not the case, contact your system administrator for instruction on setting up your public-key files on your SSH2 server.
To configure the SSH2 server to recognize your public-key file:
1. On your local machine, use a text editor to create an empty file named authorization.
2. Connect to the remote server using SSH2 and password authentication.
3. On the server, create a ~/.ssh2 folder if necessary.
4. Using drag-and-drop, transfer the authorization file from the currently selected local window to the ~/.ssh2 folder in the remote window.
5. Using drag-and-drop, transfer the public-key file to the ~/.ssh2 folder.
6. Now add the line Key <identity>.pub to the authorization file (replacing <identity> with the name of your identity file). The following steps outline how to do this in SecureFX.
a. Select the authorization file in the remote window.
b. Right-click on the file and select "Open with..." from the context menu.
c. Select Notepad from the open with dialog.
d. The file will be downloaded to your local computer and Notepad will be opened to edit the file.
e. Add the line Key <identity>.pub to the file, save the change, and exit Notepad.
f. When you exit Notepad, you will be prompted to upload the file. Answer "Yes" so the change will be uploaded to the remote server.
The method described above uses only a single public key in the authorization file. It is possible to have more than one public key in the authorization file. To do this, repeat steps 5 and 6. The names of the public-key files must be unique.
Configure an OpenSSH Server to Recognize Your Public-Key File
In order to use your public key you must transfer the public-key file created by the Key Generation wizard to the ~/.ssh folder on the SSH2 server. It is recommended that you follow the procedure below to create a copy of the public-key file in the ~/.ssh folder on the remote machine.
To configure the OpenSSH server to recognize your public-key file:
1. Connect to the remote server using the SFTP protocol and password authentication.
2. On the server, create a ~/.ssh folder if necessary.
3. Using drag-and-drop, transfer the public-key file to the ~/.ssh folder. Be sure to transfer the file in ASCII mode.
4. Use a terminal emulator, such as SecureCRT, to connect to the remote machine and convert the key to one that OpenSSH will recognize using one of the following commands (be sure to replace <identity> with the name of your identity file):
% ssh-keygen -i -f ~/.ssh/<identity>.pub >> ~/.ssh/authorized_keys
If you are connecting to a version of OpenSSH that is older than 2.9, use the following command instead:
% ssh-keygen -X -f ~/.ssh/<identity>.pub >> ~/.ssh/authorized_keys2
5. Ensure that you are the only user with permissions to write to your "authorized_keys" file. This can be done using the following command:
% chmod 600 ~/.ssh/authorized_keys
The method described above uses only a single public key in the "authorized_keys" file. It is possible to have more than one public key in the "authorized_keys" file. To add additional public keys, repeat steps 3 and 4.
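The OpenSSH server steps above, collected into one repeatable server-side function. This is an added example, not part of the SecureFX documentation; install_pubkey and perms_ok are hypothetical helper names. It goes slightly beyond the steps above by also accepting a key that is already in OpenSSH one-line format and by restricting the ~/.ssh folder itself.

```shell
#!/bin/sh
# Added example; install_pubkey and perms_ok are hypothetical helper names.

# perms_ok PATH: succeed only if PATH is not writable by group or others
# (characters 6 and 9 of the "ls -l" mode string are those write bits).
perms_ok() {
    [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# install_pubkey PUBFILE [SSHDIR]
#   PUBFILE  transferred public key: SSH2 (RFC 4716) or OpenSSH one-line format
#   SSHDIR   target directory, defaults to ~/.ssh
install_pubkey() {
    pubfile=$1
    sshdir=${2:-"$HOME/.ssh"}
    auth="$sshdir/authorized_keys"
    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }

    # Create directory and file owner-only from the start, then pin the modes
    # in case they already existed with looser permissions.
    ( umask 077 && mkdir -p "$sshdir" && : >> "$auth" ) || return 1
    chmod 700 "$sshdir" && chmod 600 "$auth" || return 1

    # Convert only when the file carries the SSH2 public key header.
    if head -n 1 "$pubfile" | grep -q '^---- BEGIN SSH2 PUBLIC KEY ----'; then
        line=$(ssh-keygen -i -f "$pubfile") || return 1
    else
        # Already one-line format; drop a CR left by a non-ASCII-mode transfer.
        line=$(head -n 1 "$pubfile" | tr -d '\r')
    fi
    [ -n "$line" ] || { echo "no key found in $pubfile" >&2; return 1; }

    # Append only if this key type and blob are not already authorized, so
    # repeating the procedure does not accumulate duplicate entries.
    keyblob=$(printf '%s\n' "$line" | awk '{print $1, $2}')
    grep -qF -- "$keyblob" "$auth" || printf '%s\n' "$line" >> "$auth"

    perms_ok "$sshdir" && perms_ok "$auth"
}

# Usage on the server, after transferring the key:
#   install_pubkey ~/.ssh/<identity>.pub
```

With its default StrictModes setting, OpenSSH's sshd checks the ownership and modes of these files before accepting a login, which is why the function finishes with the permission check.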
Configure SecureFX to Use Your Identity Files
In order to successfully perform public-key authentication, SecureFX must be configured to use the identity files created earlier. To configure SecureFX to use the identity files:
1. In the Connect dialog, select the SSH2 session with which you would like to use the identity files.
2. Click the Properties toolbar button to open the Session Options dialog.
3. Click on the Connection/SSH2 category, select Public Key as one of the Authentication methods, and click on the associated Properties button.
4. On the Public Key Properties dialog either check the Use global identity file check box, or enter the full path to the session-specific identity file that you want to use. You can also use the browse button to select the identity file.
5. Click on the OK button to save the changes. If you supplied a passphrase when you created your key, you will be prompted to enter it during the connection process.