SSH - Keys - Overview

The SSH authentication protocol defines three main authentication methods. The first is the standard username and password, which MOVEit DMZ supports. The second is host-based authentication, in which the client machine rather than the user is trusted; MOVEit DMZ does not support it. The third is username plus client key (public key authentication), which MOVEit DMZ also supports as described below.

As is the case with almost any client key or certificate scheme, the higher security offered by cryptographic-quality keys is offset by additional administrative work. Resetting a password is no longer enough to let a locked-out user back in when keys are used: the user must generate a new key pair and the new public key must be registered on the server.

In SSH applications, client keys are almost always generated on the client side. Because there is no central authority to vouch for SSH keys (a certificate authority of that kind is what distinguishes SSL/TLS certificates from SSH keys), every SSH key must be individually trusted by both sides: the server must hold the client's public key, and the client must hold the server's public host key.

MOVEit DMZ supports both DSA and RSA keys. The server key automatically generated by MOVEit DMZ's SSH server is a DSA key; at the time this documentation was written, no client incompatibilities with that key format had been encountered. Note, however, that OpenSSH 7.0 and later disable the ssh-dss (DSA) algorithm by default, so a current OpenSSH client will reject a DSA host key unless the algorithm is explicitly re-enabled (for example with the client option "HostKeyAlgorithms +ssh-dss"), and the newest OpenSSH releases drop DSA support entirely. Client keys may be of either type; RSA is the safer choice for new keys.

To export MOVEit DMZ's public SSH server key in either OpenSSH or SSH2 format, see the related instructions in the "SSH - Configuration" documentation.
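As an added example (not MOVEit DMZ code and not part of its documentation), the following Python script inspects a public key in either of the two formats named above, the OpenSSH one-line format and the RFC 4716 ("SSH2") format, reports the algorithm and key size, flags ssh-dss keys, and re-wraps a one-line key as RFC 4716 text the way "ssh-keygen -e" does. The key values it builds for its own demonstration are constructed numbers, not real keys.

```python
import base64
import struct

# Added example, not MOVEit DMZ code: inspect an SSH public key in either the
# OpenSSH one-line format or the RFC 4716 ("SSH2") format, report the algorithm
# and key size, and flag ssh-dss, which OpenSSH 7.0+ disables by default.

DEPRECATED = {"ssh-dss"}


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _read_mpint(blob, offset):
    """Read an SSH mpint: a string holding a big-endian two's-complement integer."""
    raw, offset = _read_string(blob, offset)
    return int.from_bytes(raw, "big"), offset


def decode_blob(blob):
    """Return (algorithm, size in bits) for a raw ssh-rsa or ssh-dss key blob."""
    alg, off = _read_string(blob, 0)
    alg = alg.decode("ascii")
    if alg == "ssh-rsa":          # string "ssh-rsa", mpint e, mpint n
        _e, off = _read_mpint(blob, off)
        n, _ = _read_mpint(blob, off)
        return alg, n.bit_length()
    if alg == "ssh-dss":          # string "ssh-dss", mpint p, q, g, y
        p, _ = _read_mpint(blob, off)
        return alg, p.bit_length()
    raise ValueError("unsupported key type: " + alg)


def parse_public_key(text):
    """Parse an OpenSSH one-line key ('ssh-rsa AAAA... comment') or an RFC 4716
    block. Returns algorithm, key size, comment and a deprecation flag."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key text")
    comment, declared = "", None
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        body, cont = [], False
        for line in lines[1:]:
            if line == "---- END SSH2 PUBLIC KEY ----":
                break
            if cont or ":" in line:          # header line (base64 never contains ':')
                if not cont:
                    tag, _, val = line.partition(":")
                    if tag.strip().lower() == "comment":
                        comment = val.strip().strip('"')
                cont = line.endswith("\\")   # a header value may continue on the next line
                continue
            body.append(line)
        blob = base64.b64decode("".join(body))
    else:
        fields = lines[0].split(None, 2)
        if len(fields) < 2:
            raise ValueError("not an OpenSSH public key line")
        declared, blob = fields[0], base64.b64decode(fields[1])
        comment = fields[2] if len(fields) > 2 else ""
    alg, bits = decode_blob(blob)
    if declared is not None and declared != alg:
        raise ValueError(f"type prefix {declared!r} does not match key blob {alg!r}")
    return {"algorithm": alg, "bits": bits, "comment": comment,
            "deprecated": alg in DEPRECATED}


def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # Leading zero byte when the top bit is set, as the SSH mpint encoding requires.
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_public_key_line(alg, ints, comment=""):
    """Build an OpenSSH one-line public key from its integers. Used here only to
    construct sample input; the numbers are NOT a real key."""
    blob = _string(alg.encode("ascii")) + b"".join(_mpint(i) for i in ints)
    line = alg + " " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def to_rfc4716(openssh_line):
    """Re-wrap an OpenSSH one-line key as RFC 4716 text, as 'ssh-keygen -e' does."""
    fields = openssh_line.split(None, 2)
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if len(fields) > 2:
        out.append(f'Comment: "{fields[2]}"')
    out += [fields[1][i:i + 70] for i in range(0, len(fields[1]), 70)]
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample values (not real keys): a 2048-bit RSA modulus, a 1024-bit DSA prime.
    rsa = make_public_key_line("ssh-rsa", [65537, (1 << 2047) | 0x10001], "user@example")
    dsa = make_public_key_line("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3])
    for key in (rsa, to_rfc4716(rsa), dsa):
        print(parse_public_key(key))
```

The type check against the one-line prefix matters in practice: the first field of an OpenSSH key line is only a label, and the algorithm that is actually used is the string inside the base64 blob, so a mismatch means the line was edited or mangled in transit.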

Requirements

MOVEit DMZ only supports SFTP (the SSH File Transfer Protocol, often loosely called "FTP over SSH") and SCP2, which runs over SFTP. Classic SCP (SCP1) and all terminal (shell) sessions are denied.

MOVEit DMZ SSH Server uses SSH Protocol 2 only. A client that supports only Protocol 1 will not be able to connect; since Protocol 1 is obsolete and insecure, this is not a limitation in practice. MOVEit DMZ SSH Server recommends the following encryption ciphers: AES, 3DES, and Blowfish. Of these, prefer AES wherever the client allows it; 3DES and Blowfish are older 64-bit block ciphers that are kept for compatibility. (An ever-expanding list of compatible clients and a complete list of encryption options is also included in this documentation.)

Troubleshooting

If the SSH user is connecting to MOVEit with the correct username but the administrator does not see any "SSH public key" entries in the audit logs, it is likely that the end user has NOT yet generated a public/private key pair for SSH, or that the client is not offering the key. End users can usually generate a key pair with the "ssh-keygen -t rsa" command. For unattended transfers they should be advised NOT to enter a passphrase when prompted during key generation (or to pass -N "" to set an empty one); if a passphrase is entered it will be asked for on every subsequent connection attempt and will break automation. A key without a passphrase is protected only by the file permissions on the private key, so that file must be readable by its owner alone (OpenSSH itself refuses to use a private key file that other users can read); where a passphrase is required by policy, loading the key into ssh-agent once per session is the alternative that keeps automation working.
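As an added example (not MOVEit DMZ code), the following Python script tells from a private key file's contents whether the key is passphrase-protected, which is the check to run when an automated transfer unexpectedly prompts. It reads the cipher field of the current "openssh-key-v1" container and the Proc-Type header of the legacy PEM container that older ssh-keygen versions wrote. The two sample key texts it contains are constructed headers for demonstration, not real keys, and the advice in the diagnose() message ("ssh-keygen -p" to change or remove the passphrase, or ssh-agent) is the editor's, not the page's.

```python
import base64
import struct

# Added example, not MOVEit DMZ code: report whether an OpenSSH private key file
# is passphrase-protected, the usual reason an "automated" SFTP job prompts
# instead of connecting. Handles the current "openssh-key-v1" container and the
# legacy PEM container (RSA/DSA) written by older ssh-keygen versions.

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _pem_section(lines, begin, end):
    """Return (headers, joined base64 body) found between a BEGIN/END line pair."""
    inside, headers, body = False, {}, []
    for line in lines:
        if line == begin:
            inside = True
        elif line == end:
            break
        elif inside and ":" in line:          # PEM header such as Proc-Type / DEK-Info
            tag, _, val = line.partition(":")
            headers[tag.strip()] = val.strip()
        elif inside and line:
            body.append(line)
    return headers, "".join(body)


def inspect_private_key(text):
    """Return {'container', 'encrypted', 'cipher', 'kdf'} for the text of a key file."""
    lines = [l.strip() for l in text.splitlines()]
    if OPENSSH_BEGIN in lines:
        _, b64 = _pem_section(lines, OPENSSH_BEGIN, OPENSSH_END)
        blob = base64.b64decode(b64)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Layout after the magic: string ciphername, string kdfname, string kdfoptions, ...
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        cipher, kdf = cipher.decode("ascii"), kdf.decode("ascii")
        return {"container": "openssh-key-v1", "encrypted": cipher != "none",
                "cipher": cipher, "kdf": kdf}
    for alg in ("RSA", "DSA"):
        begin = f"-----BEGIN {alg} PRIVATE KEY-----"
        if begin in lines:
            headers, _ = _pem_section(lines, begin, f"-----END {alg} PRIVATE KEY-----")
            encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
            cipher = headers.get("DEK-Info", "none").split(",")[0] if encrypted else "none"
            return {"container": "pem-" + alg.lower(), "encrypted": encrypted,
                    "cipher": cipher, "kdf": "legacy-pem" if encrypted else "none"}
    raise ValueError("not an OpenSSH or PEM private key")


def _string(b):
    return struct.pack(">I", len(b)) + b


def make_openssh_sample(cipher="none"):
    """Constructed openssh-key-v1 header (NOT a usable key): just enough of the
    container for inspect_private_key() to read the cipher and KDF fields."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + _string(cipher.encode("ascii")) + _string(kdf)
            + _string(b"") + struct.pack(">I", 0))          # empty kdfoptions, 0 keys
    return "\n".join([OPENSSH_BEGIN, base64.b64encode(blob).decode("ascii"), OPENSSH_END, ""])


# Constructed legacy-format sample; the body line is a placeholder, not key material.
LEGACY_ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""


def diagnose(text):
    """One-line advice for the troubleshooting case described in the text above."""
    info = inspect_private_key(text)
    if info["encrypted"]:
        return (f"key is passphrase-protected ({info['cipher']}): unattended transfers will "
                "prompt; remove the passphrase with 'ssh-keygen -p' or load the key into ssh-agent")
    return "key has no passphrase: make sure the file is readable by its owner only"


if __name__ == "__main__":
    for sample in (make_openssh_sample("none"), make_openssh_sample("aes256-ctr"),
                   LEGACY_ENCRYPTED_SAMPLE):
        print(diagnose(sample))
```

Run it against the user's actual key file with open(path).read() in place of the constructed samples; the script never needs the passphrase because the container headers are stored in the clear.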