Public-Key Authentication for SSH2

SecureCRT


Overview of Public-Key Authentication

Public-key authentication uses a public-private key pair to log onto an SSH2 server. Setting up public-key authentication for an SSH2 SecureCRT session is a multi-step process. Identity files must be created using the Key Generation wizard. One of the identity files created by the Key Generation wizard will contain a private key that will be assigned either on a global level for all SSH2 sessions or on a session-specific level. The global or session-specific characteristic of the private key is specified in the SSH2 category. The other identity file created by the Key Generation wizard will contain the corresponding public key and will need to be transferred to the proper location on the SSH2 server.

Public-private key pair: A pair of keys used with RSA or DSA authentication. The public key is usually kept in a file named Identity.pub, which is then transferred to the remote SSH server and appended to the user's authorized_keys file. Another file usually named identity contains both the public key and the corresponding private key. This file is kept on the local machine and is used by SecureCRT with public key or RSA authentication methods.

Server: A computer program that provides services to other computer programs (called clients). Often the computer on which a server program runs is also called a server. The term host is often used as a synonym for server.

Authentication: The process of verifying that an individual truly is who he or she claims to be. Supplying a password is a very common method of authentication. The most secure method of authentication supported in SecureCRT is public-key authentication. See also: identity file, public-private key pair.

SSH2: The second version of the SSH protocol which provides a way to encrypt network traffic between a client and a server, with a slightly different set of security features than the SSH1 protocol provides.

Session: A session is a set of options that are assigned to a connection to a remote machine. These settings and options are saved under a session name and allow the user to have different preferences for different hosts.

Identity files: Identity files are two files containing the public-private key pair used to connect to an SSH server using RSA or DSA authentication. The Identity file contains the public and private key pair and is used by SecureCRT. The Identity.pub file contains only the public key which is usually appended to the authorized_keys file.

Note: Public keys generated using VanDyke Software products comply with the established IETF draft specification defining the format of Secure Shell public key files. This does not guarantee that SecureCRT will work with public key files generated using other Secure Shell software implementations which may or may not comply with this specification.

Since there is no IETF specification defining the format of Secure Shell private key files, SecureCRT may not be able to use private key files generated with other implementations. It should also be noted that, since the private key generated by SecureCRT uses a different format from OpenSSH's private key, OpenSSH cannot use a VanDyke Software generated private key.

SecureCRT supports SSH2 public-private key files generated with VanDyke Software products and the public-private key files generated with the OpenSSH ssh-keygen utility.

Creating Global Identity Files

1.   Open the Global Options dialog and click on the SSH2 category.

2.   Click on the Create Identity File button.

3.   Follow the instructions in the Key Generation wizard to create your identity files. The Key Generation wizard will ask for a passphrase, but the passphrase is not required. If the public key is going to be used as part of an automated process, you may not want to use a passphrase.

4.   Once your public-private key pair has been generated by the Key Generation wizard, you will be prompted for the path and filename in which your identity files will be stored. Be sure to specify a secure location for these files such that you are the only individual with access to them. The public key will be placed in a file with the same name as the private key file, but with an extension of .pub.

Note: SecureCRT supports both DSA and RSA key types.

Creating Session-Specific Identity Files

1.   In the Connect dialog, select the SSH2 session with which you would like to use the identity files.

2.   Open the Session Options dialog.

3.   In the Authentication group, set one of your authentication methods to be PublicKey and click on the associated Properties button.

4.   In the Public Key Properties dialog, click on the Create Identity File button.

5.   Follow the instructions in the Key Generation wizard to create your identity files. The Key Generation wizard will ask for a passphrase, but the passphrase is not required. If the public key is going to be used as part of an automated process, you may not want to use a passphrase.

6.   Once your public-private key pair has been generated by the Key Generation wizard, you will be prompted for the path and filename in which your identity files will be stored. Be sure to specify a secure location for these files such that you are the only individual with access to them. The public key will be placed in a file with the same name as the private key file, but with an extension of .pub.

Using Your Identity Files

Once you have created your identity files, there are several steps that will need to be completed so that you can make use of them with SecureCRT. The necessary steps are:

1.   Configure the SSH2 server to recognize your public-key file (e.g., Identity.pub). Instructions are provided for configuring VanDyke Software's VShell® server, OpenSSH, SSH Communications, and Data Fellows servers.

2.   Configure SecureCRT to use the identity file with public-key authentication on the local machine. The identity file created by the Key Generation wizard contains both your new public key and your new private key. To configure SecureCRT to use the identity file, complete the following instructions:

a.   In the Connect dialog, select the SSH2 session with which you would like to use the identity file.

b.   Open the Session Options dialog and in the Connection/SSH2 category, change the Authentication setting from Password to PublicKey.

c.   If you have more than one identity file, you may need to click on the Properties button and verify that the session is using the session-specific key you have created.

d.   Click on the OK button to save the changes. If you supplied a passphrase when you created your key, you will be prompted to enter it during the connection process.

Passphrase: A password used to protect a private key from unauthorized use. It is recommended that a passphrase be assigned to all private keys to prevent unauthorized use, especially in environments where multiple individuals have access to the machine on which the private key files are stored. When using public-key authentication, a private key with an assigned passphrase will not be available if the correct passphrase is not supplied during the authentication process.