SSH - Client Keys - Overview

The SSH specification allows for three different kinds of authentication. The first is the standard username and password, which MOVEit DMZ obviously supports. The second is hostname only, which MOVEit DMZ does not support. The third authentication method is username and client key, which MOVEit DMZ also supports, as described below.

As is the case with almost any client key/certificate scheme, the higher security offered by cryptographic-quality keys is offset by additional administrative work. Resetting a password is no longer enough to "let someone back in" when keys are used.

In SSH applications, client keys are almost always generated client-side. Because there is no central authority to vouch for SSH keys (if there were, SSH would be SSL), all SSH keys must be individually trusted by both client and server.

MOVEit DMZ supports the use of both DSS and RSA keys. The server key automatically generated by MOVEit DMZ's SSH server is an RSA key; no incompatibilities with any SSH clients regarding this key format have ever been encountered. Client keys may be of either type.

Generating SSH Client Keys

MOVEit DMZ is NOT an SSH client key generator. Almost all modern SSH clients already have a facility to generate client keys, and these facilities should be used whenever possible. The key generation facilities of some common SSH clients are briefly described below:

If you must generate and distribute SSH client keys, consider using the OpenSSH for Windows toolkit to generate these. See Specific Clients - OpenSSH for Windows for more information about this process.

Associating SSH Client Keys with Users

The facility that associates SSH client keys with specific users on MOVEit DMZ is available as part of the "SSH Policy" from any (web-based) User Profile. Rather than store the entire SSH key for a remote client, MOVEit DMZ simply records the cryptographically unique fingerprint (MD5) of a client key. Either the client or MOVEit DMZ itself can be used to generate and import the necessary fingerprint.
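To show what such a fingerprint actually is, here is an added example (not MOVEit DMZ's own code) that builds a constructed OpenSSH "ssh-rsa" public-key line from toy RSA parameters, parses it back, and derives the classic colon-separated MD5 fingerprint from the decoded key blob, which is the value an administrator would record against the user. The parameter values and function names are assumptions for illustration only.

```python
import base64
import hashlib
import struct

# Constructed toy RSA parameters (far too small for a real key); only the
# OpenSSH/RFC 4253 wire format around them is what matters here.
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE1234567890ABCDEF

def _ssh_string(data: bytes) -> bytes:
    # SSH "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    # SSH "mpint": big-endian magnitude with a leading 0x00 if the high bit is set
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)

def build_rsa_public_line(e: int, n: int, comment: str = "constructed") -> str:
    """Build an OpenSSH 'ssh-rsa AAAA... comment' line from e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_public_line(line: str):
    """Return (key_type, blob) from an OpenSSH public-key line, checking consistency."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if key_type not in ("ssh-rsa", "ssh-dss"):  # the two types the page says are supported
        raise ValueError(f"unsupported key type {key_type}")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():  # the blob must repeat the declared type
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob

def md5_fingerprint(line: str) -> str:
    """MD5 of the decoded key blob, formatted as 16 colon-separated hex pairs."""
    _, blob = parse_public_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprints_match(stored: str, presented_line: str) -> bool:
    """Compare a stored fingerprint against a presented key line, ignoring case."""
    return stored.lower() == md5_fingerprint(presented_line).lower()

if __name__ == "__main__":
    sample = build_rsa_public_line(SAMPLE_E, SAMPLE_N)
    print(sample)
    print("MD5 fingerprint:", md5_fingerprint(sample))
```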

Generating and Importing SSH Client Keys

There are two ways to generate and import an SSH client key for a particular user.

The second option is probably quicker and less error-prone if the end user and administrator are in near-real-time communication with each other.