|
|
|
|
|
The SSH specification allows for three different kinds of authentication:
The higher security offered by cryptographic-quality keys is offset by additional administrative work. When keys are used, resetting a password is no longer enough to allow access.
In SSH applications, client keys are almost always generated client-side. Because there is no central authority to vouch for SSH keys (if there was, SSH would be SSL), all SSH keys must be individually trusted by both client and server.
MOVEit Transfer supports the use of both DSS and RSA keys. The server key automatically generated by the MOVEit Transfer SSH server is an RSA key; no incompatibilities with any SSH clients regarding this key format have ever been encountered. Client keys may be of either type.
Generating SSH Client Keys
MOVEit Transfer is NOT an SSH client key generator. Almost all modern SSH clients already have a facility to generate client keys and these facilities should be used whenever possible. Some common SSH client's key generation facilities are briefly described below:
If you must generate and distribute SSH client keys, consider using the OpenSSH for Windows toolkit to generate these. See Specific Clients - OpenSSH for Windows for more information about this process.
Associating SSH Client Keys with Users
The facility that associates SSH client keys with specific users on MOVEit Transfer is available as part of the SSH Policy from any (web-based) User Profile. MOVEit Transfer does not store the entire SSH key for a remote client; instead, MOVEit Transfer records the cryptographically unique fingerprint (MD5) of a client key. Either the client or MOVEit Transfer itself can be used to generate and import the necessary fingerprint.
Generating and Importing SSH Client Keys
There are two ways to generate and import an SSH client key for a particular user.
The second option is probably quicker and less error-prone if the end user and administrator are in near-real-time communication with each other.