Skip to content

Client Public Key Authentication

Public key authentication relies upon public/private key pairs. To configure public key authentication, each client user needs to create a key pair and upload the public key to the server. If the key is protected by a passphrase, the client user is prompted to enter that passphrase to complete the connection using public key authentication.

Public key pane

From the server console, click Configuration > Authentication > Public Key to configure user authentication using public keys.

Note

Items on this pane can be configured globally or as part of a subconfiguration.

  • Public key authentication

    Choose Allow, Require, or Deny. Allow is the default.

  • Public key storage

    User key directory specifies the directory used for storing user public keys on the server. You can specify any physical directory, or use one of the following pattern strings to specify user-specific directories. For details see Pattern Strings in Directory Paths.

    Caution

    Do not use %u or %U to point to a location within a user's Windows profile folder. Neither of these options works correctly for this purpose. Use these options to create your own user-specific locations in some other location, for example on a shared network file server.

    Authorization file name is the name of the file in the user key directory that contains a list of public keys that can be used for user authentication. The default name is authorization.

  • Size

    • Public key minimum length (bits) - Specifies the minimum allowable key size. The default is 512. Allowed values are 512-8192.

    • Public key maximum length (bits) - Specifies the maximum allowable key size. The default is 8192. Allowed values are 512-8192.

  • Retries

    Number of public key attempts - Specifies the maximum number of attempts the server accepts for public key authentication. Once this number is reached, further attempts to authenticate using a public key are rejected, but the connection is not broken. This allows the client to attempt authentication using the next allowed method. The default is 100.

More information