2.12. Authenticating clients using public-key authentication in SSH

Public-key authentication requires a private and a public key (or an X.509 certificate) to be available on PSM. First, the public key of the user is needed to verify the user's identity in the client-side SSH connection: the key presented by the client is compared to the one stored on PSM. In the server-side connection, PSM uses a private key to authenticate itself to the server. PSM can use the private key of the user if it is uploaded to PSM. Alternatively, PSM can generate a new keypair and use its private key for the server-side authentication, or use agent-forwarding and authenticate the client with the client's own key.


If PSM generates the private key for the server-side authentication, then the public part of the keypair must be imported to the server; otherwise the authentication will fail. Alternatively, PSM can upload the public key (or a generated X.509 certificate) into an LDAP database.
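The following added example (not part of the PSM documentation or product) checks whether a gateway-generated public key has been imported on a target server, so a missing import is caught before server-side authentication fails. It assumes the server stores keys in OpenSSH `authorized_keys` format; the function names are hypothetical and the sample keys are constructed, not real.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def key_blob(line):
    """Decode the key blob of a public-key/authorized_keys line, or return None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue  # option text or comment, keep scanning
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # key-type word inside an option, not a key
        # A real blob begins with a length-prefixed copy of the key type.
        name = field.encode()
        if blob[:4 + len(name)] == struct.pack(">I", len(name)) + name:
            return blob
    return None

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def is_installed(gateway_key_line, authorized_keys_text):
    """True if the gateway's public key appears in the authorized_keys text."""
    wanted = key_blob(gateway_key_line)
    if wanted is None:
        raise ValueError("gateway public key line could not be parsed")
    return any(key_blob(l) == wanted
               for l in authorized_keys_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#"))

def sample_line(seed, comment, options=""):
    """Constructed ed25519-shaped test line; the key bytes are not a real key."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return f"{options} ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

GATEWAY_KEY = sample_line(1, "psm-generated")          # constructed
AUTHORIZED_KEYS = "\n".join([                          # constructed
    "# constructed sample file",
    sample_line(2, "alice@workstation"),
    sample_line(1, "gateway", 'command="echo ssh-rsa hi",no-pty'),
])
```

The comparison is done on the decoded key blob, so differing comments or per-key options on the server do not cause a false mismatch.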