SSH - Client Keys - Overview
- Last Updated: July 29, 2025
- MOVEit Transfer
- Version 2022
- Documentation
The SSH specification allows for three different kinds of authentication:
- Standard username and password (supported by MOVEit Transfer).
- Hostname only (not supported by MOVEit Transfer).
- Username and client key (supported by MOVEit Transfer).
The higher security offered by cryptographic-quality keys is offset by additional administrative work. When keys are used, resetting a password is no longer enough to allow access.
In SSH applications, client keys are almost always generated client-side. Because there is no central authority to vouch for SSH keys (if there were, SSH would be SSL), all SSH keys must be individually trusted by both client and server.
The server key automatically generated by the MOVEit Transfer SSH server is an RSA key; no incompatibilities with any SSH clients regarding this key format have been encountered.
Generating SSH Client Keys
MOVEit Transfer is NOT an SSH client key generator. Almost all modern SSH clients already have a facility to generate client keys, and these facilities should be used whenever possible. The key generation facilities of some common SSH clients are briefly described below:
- *nix, OpenSSH: Use the ssh-keygen -t rsa command.
- Windows WS_FTP 9.0: From the main menu, select Options | Tools and use the Create... button under the SSH | Client Keys tree.
If you must generate and distribute SSH client keys, consider using the OpenSSH for Windows toolkit to generate these. See Specific Clients - OpenSSH for Windows for more information about this process.
Associating SSH Client Keys with Users
The facility that associates SSH client keys with specific users on MOVEit Transfer is available as part of the SSH Policy from any (web-based) User Profile. MOVEit Transfer does not store the entire SSH key for a remote client; instead, MOVEit Transfer records the cryptographically unique fingerprint (MD5) of a client key. Either the client or MOVEit Transfer itself can be used to generate and import the necessary fingerprint.
Generating and Importing SSH Client Keys
There are two ways to generate and import an SSH client key for a particular user.
- End user generates key, administrator imports key or fingerprint.
- End user attempts a connection, administrator accepts cached fingerprint from holding tank.
The second option is probably quicker and less error-prone if the end user and administrator are in near-real-time communication with each other.
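The fingerprint check behind both import paths, as an added example (not MOVEit Transfer's own code): it computes the MD5 fingerprint of an OpenSSH-format public key line and compares it with the fingerprint an administrator is about to accept. The sample key is constructed and non-functional, the function names are hypothetical, and the colon-separated hex form is the OpenSSH convention, assumed here to be how the fingerprint is displayed.

```python
import base64
import binascii
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field, as used in the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data

def sample_public_key_line() -> str:
    """Constructed, non-functional ssh-rsa key line (illustration only)."""
    e = (65537).to_bytes(3, "big")
    n = b"\x00\xc5" + bytes(range(1, 256))  # fake 2048-bit modulus, not a real key
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " user@example"

def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 fingerprint of '<type> <base64> [comment]' as colon-separated hex."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = fields[0], fields[1]
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    # The blob repeats the key type as its first field; a mismatch means
    # the line was truncated or edited by hand.
    name_len = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprints_match(pubkey_line: str, cached_fp: str) -> bool:
    """Compare the user's key with the fingerprint awaiting acceptance."""
    fp = cached_fp.strip().lower()
    if fp.startswith("md5:"):  # prefix printed by `ssh-keygen -l -E md5`
        fp = fp[4:]
    return hmac.compare_digest(md5_fingerprint(pubkey_line).encode(), fp.encode())

if __name__ == "__main__":
    line = sample_public_key_line()
    print(md5_fingerprint(line))
    print(fingerprints_match(line, "MD5:" + md5_fingerprint(line).upper()))
```

With OpenSSH, `ssh-keygen -l -E md5 -f <public key file>` prints the same fingerprint, so the end user can read it to the administrator over a separate channel before the cached entry is accepted.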