Configuring a user for SSH Public Key Authentication
Configuring an SSH user for public-key authentication requires both a public SSH key and a private SSH key (also known as an SSH key pair). We recommend the client create their own SSH2 key pair and then send the public key to the server administrator.
The key strength should be at least 2048 bits for RSA or DSA keys. The next few sections describe two approaches to SSH key creation, and how to assign the created public key to an account in Cerberus FTP Server.
Method 1: The client creates the SSH public and private key
(Recommended)
The recommended method of key creation and distribution is for the client to create the SSH key pair. The client will give the SSH public key to the Cerberus FTP Server administrator while keeping the secret private key for their SFTP client. The server administrator can then assign the public key to the user’s account.
This approach ensures that the client is the only entity to ever possess the private key, and removes the need to securely deliver the private key to the client.
The public key is the only file the Cerberus administrator needs, and the public key file’s contents do not need to be kept secret. The file can be sent unencrypted from the client to the administrator.
Many SFTP clients already have built-in utilities to create an SSH2 key pair, but if the client's software does not have one, they can download a free utility like PuttyGen to create one on their machine. Please be sure that you are using PuttyGen 0.76 or higher. For more information on this, please refer to this support article.
Method 2: Server Administrator creates the SSH public and private key
You can also have the server administrator create and deliver the key pair for the client. However, with this approach, the administrator now has the task of securely sending the private key to the client.
The private key must be kept a secret, and only the client should ever have access to the private key file.
Adding the SSH public key to the user’s account in Cerberus FTP Server
The final step in configuring a user for public-key authentication is assigning the client’s public key to the user account in Cerberus FTP Server.
The procedure for configuring a user for SSH Public Key Authentication in Cerberus FTP Server is:
1. Open the Cerberus FTP Server User Manager. The default page is the Users tab.
2. Select the user account that you wish to configure from the Cerberus Users account list.
3. Select the Authentication button.
4. Select the Public Key Only, Public Key and Password, or Password or Public Key radio option. The Key Path edit box and file selection button will become visible/enabled.
5. You have several options when it comes to managing your keys. You can upload a key file, enter a new key file, edit an existing key file, or test your keys. If you want to remove a key without replacing it, you can use the small trashcan icon located to the right of the public key path field.
6. If you choose to upload a key file, you will be presented with the option to upload the public key for the user. This dialog box allows administrators to directly upload the public key to Cerberus. Select the public key file you wish to use for the selected user. Press the Upload button to select the file.
7. If you choose to create a Public Key, you will be presented with an editor dialogue where you can type or copy and paste the contents of the key into Cerberus FTP Server. Pressing save will create a new public key for the user.
8. If you already have a public key uploaded for a user, you can use the edit option to add a public key for that user. The public keys must be in the same format when adding them. Cerberus will ensure the file contains valid public key data before allowing you to save the edited contents of the public key.
9. Press the Update User button on the Change Authentication Requirements to save the new SSH authentication settings.
The client should now be able to connect to Cerberus FTP Server and perform public-key authentication. The client will have to assign and use the SSH private key in their SFTP client.
Multiple SSH Keys per Authenticated User
A single user can authenticate with more than one SSH client key. This allows interactive or automated processes that share a common username and sign on from several different machines to enjoy the benefits of multi-factor authentication without the hassle of key replication and coordination. You can assign multiple SSH public keys to a user account by putting each key in the same file.
You can use a text editor like Notepad to copy and paste the contents into a single file. Additionally, you can use the edit public key option if you already have a public key uploaded for a user. This will allow you to add another public key. Each public key must be on a new line. The public keys must be in the same format when adding them to a single file. When complete, save the new key file you just created.
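As an added example (not part of Cerberus FTP Server or its documentation), the following Python code checks a combined key file before it is uploaded: every non-empty line must parse as one public key whose type label matches its key data, and RSA keys must meet the 2048-bit minimum given above. It assumes the keys are in OpenSSH one-line format (`<type> <base64> [comment]`); the function names are hypothetical, and the sample keys are constructed values, not usable keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # minimum recommended above; only RSA keys are measured here
def _string(blob, pos):
    """Read one SSH wire string (4-byte big-endian length + data)."""
    (length,) = struct.unpack_from(">I", blob, pos)
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key data")
    return blob[pos + 4:end], end

def check_key_line(line):
    """Return (key_type, rsa_bits_or_None) for one OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner, pos = _string(blob, 0)
    if inner != fields[0].encode():
        raise ValueError("type label does not match key data")
    if fields[0] != "ssh-rsa":
        return fields[0], None
    _e, pos = _string(blob, pos)   # public exponent
    n, _ = _string(blob, pos)      # modulus; its size is the key strength
    bits = int.from_bytes(n, "big").bit_length()
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key is only {bits} bits")
    return fields[0], bits

def check_key_file(text):
    """Return [(line_no, problem)] for a file holding one key per line."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                check_key_line(line)
            except (ValueError, struct.error) as exc:
                problems.append((no, str(exc)))
    return problems

def make_rsa_line(bits, comment):
    """CONSTRUCTED ssh-rsa line for the demo; not a usable key."""
    def s(b): return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
# Constructed sample file: line 3 carries a 1024-bit key and is reported.
SAMPLE = "\n".join(make_rsa_line(b, f"host-{b}") for b in (2048, 4096, 1024))
```

A key that a text editor has wrapped across two lines fails this check on both lines, which is the usual result of a bad copy and paste into a combined file.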