Configuring a user for SSH Public Key Authentication
Configuring an SSH user for public key authentication requires both a public SSH key and a private SSH key (also known as an SSH key pair). We recommend the client create their own SSH2 key pair and then send the public key to the server administrator.
The key strength should be at least 2048 bits for RSA or DSA keys. The next few sections describe two approaches to SSH key creation, and how to assign the created public key to an account in Cerberus FTP Server.
Method 1: Client creates the SSH public and private key
The recommended method of key creation and distribution is for the client to create the SSH key pair. The client will give the SSH public key to the Cerberus FTP Server administrator while keeping the secret private key for their SFTP client. The server administrator can then assign the public key to the user’s account. This approach ensures that the client is the only entity to ever possess the private key, and removes the need to securely deliver the private key to the client.
The public key is the only file the Cerberus administrator needs, and the public key file’s contents do not need to be kept secret.
The file can be sent unencrypted from the client to the administrator.
Many SFTP clients already have utilities built in to create an SSH2 key pair, but if your client does not have one, they can download a free utility like PuTTYgen to create one on their machine.
Method 2: Server Administrator creates the SSH public and private key
You can also have the server administrator create and deliver the key pair for the client. However, with this approach, the administrator now has the task of securely sending the private key to the client.
The private key must be kept a secret, and only the client should ever have access to the private key file.
Adding the SSH public key to the user’s account in Cerberus FTP Server
The final step in configuring a user for public key authentication is assigning the client’s public key to the user account in Cerberus FTP Server.
The procedure for configuring a user for SSH Public Key Authentication in Cerberus FTP Server is:
- Open the Cerberus FTP Server User Manager. The default page is the
- Select the user account that you wish to configure from the Cerberus Users account list.
- Select the Authentication button.
- Select the Public Key Only, Public Key and Password, or Password or Public Key radio option. The Key Path edit box and file selection button will become visible/enabled.
- Select the folder button next to the Key Path edit box. A file selection dialog box will appear.
- Select the public key file you wish to use for the selected user. Press the Open button to select the file.
- Press the Update User button on the Change Authentication Requirements to save the new SSH authentication settings.
The client should now be able to connect to Cerberus FTP Server and perform public key authentication. The client will have to assign and use the SSH private key in their SFTP
Multiple SSH Keys per Authenticated User
A single user can authenticate with more than one SSH client key. This allows interactive or automated processes that share a common username and sign on from several different machines to enjoy the benefits of multi-factor authentication without the hassle of key replication and coordination. You can assign multiple SSH public keys to a user account by putting each key in the same file. You can use a text editor like Notepad to copy and paste the contents into a single file. Each public key must be on a new line. When complete, save the new key file you just created.
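The following is an added example, not part of the Cerberus documentation: a check an administrator could run before building the combined key file, rejecting private key material, malformed entries and RSA keys under the 2048-bit minimum stated above. It assumes the keys are in OpenSSH one-line format (`type base64 comment`), which this page does not specify; all function names are hypothetical, and the sample keys are constructed with made-up moduli.

```python
import base64

MIN_RSA_BITS = 2048  # minimum RSA key strength stated on this page

def _read_string(blob, offset):
    """Read one length-prefixed SSH wire string; return (bytes, next_offset)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key_line(line):
    """Validate one '<type> <base64> [comment]' line; return (type, rsa_bits or None)."""
    if "PRIVATE KEY" in line:
        raise ValueError("private key material does not belong in this file")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, offset = _read_string(blob, 0)
    if inner_type != fields[0].encode():
        raise ValueError("key type does not match the encoded blob")
    if fields[0] != "ssh-rsa":
        return fields[0], None  # size check below only understands RSA
    _exponent, offset = _read_string(blob, offset)
    modulus, _ = _read_string(blob, offset)
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    return fields[0], bits

def merge_public_keys(lines):
    """Build the combined key file: one validated key per line, duplicates dropped."""
    merged, seen = [], set()
    for line in filter(None, (raw.strip() for raw in lines)):
        check_public_key_line(line)
        blob_b64 = line.split()[1]
        if blob_b64 not in seen:
            seen.add(blob_b64)
            merged.append(line)
    return "\n".join(merged) + "\n"

def make_sample_rsa_line(bits, comment, low=1):
    """Constructed sample, not a usable key: well-formed blob with a made-up modulus."""
    def wire(b):
        return len(b).to_bytes(4, "big") + b
    modulus = ((1 << (bits - 1)) | low).to_bytes(bits // 8 + 1, "big")
    blob = wire(b"ssh-rsa") + wire(b"\x01\x00\x01") + wire(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Write the string returned by `merge_public_keys` to the file you select in the Key Path box; any entry that fails validation raises `ValueError` before the file is produced.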