The SSH server provided by MOVEit Transfer supports any of the SSH Policy Settings listed in the following table. These settings can be found in the organization's SETTINGS > Security Policies - Interface - SSH [Default SSH Policy Settings...] controls.
Table 1. MOVEit Transfer SSH Policy Settings

| Authentication Policy | Support |
| --- | --- |
| Username and password pair | Supported by MOVEit Transfer |
| Username and client key | Supported by MOVEit Transfer |
| Username and password pair and client key | Supported by MOVEit Transfer |

The higher security offered by cryptographic-quality keys is offset by additional administrative work. For example, when keys are used, resetting a password is no longer enough to recover access.

SSH keys must be individually trusted by both client and server.

Unlike TLS/SSL certificates, there is no third-party authority to vouch for an SSH key.

Generating SSH Client Keys

Most SSH clients can generate client keys locally. Some key generation utilities are:

  • Linux, Unix, Cygwin. Use the ssh-keygen -t rsa command.
  • Windows WS_FTP. From the main menu, select Options | Tools and use the Create... button under the SSH | Client Keys tree.

Associating SSH Client Keys with Users

You can find the WebUI view and controls that associate SSH client keys with specific MOVEit Transfer users under the User Profile's SSH Policy page. MOVEit Transfer needs to store the public SSH key for each trusted user and client it expects to connect.

Generating and Sharing SSH Client Keys

There are two common approaches to generate and share an SSH client key for a particular user.

  • The end user generates a key and shares it with the administrator, and the administrator imports the key.
  • The end user attempts a connection and successfully authenticates with a password; the client key is transferred to a holding tank, where it awaits administrator approval.

Tip: The second option is less error-prone, and has a quicker turn-around, particularly if the end user and administrator are in communication with each other.
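
Because no third-party authority vouches for an SSH key, an administrator approving or importing a key needs some way to confirm it is the key the end user actually generated. The following is an added example, not part of the MOVEit Transfer documentation or product: it parses one OpenSSH-format public key line, checks that the declared key type matches the key blob, reports the RSA modulus size, and computes the SHA256 fingerprint in the form that ssh-keygen -lf prints, so the two parties can compare it over a separate channel. It assumes the administrator has the submitted public key as a text line; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def read_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes, RFC 4251)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end


def inspect_public_key(line):
    """Return (key_type, rsa_bits_or_None, sha256_fingerprint) for one key line."""
    fields = line.split(None, 2)  # "<type> <base64> [comment]"
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    inner, off = read_string(blob, 0)
    if inner != declared.encode():
        raise ValueError("declared key type does not match key blob")
    bits = None
    if declared == "ssh-rsa":  # blob continues with mpint e, then mpint n
        _e, off = read_string(blob, off)
        n, off = read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    # The comment is not part of the blob, so it never changes the fingerprint.
    digest = hashlib.sha256(blob).digest()
    return declared, bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def constructed_rsa_line(fill, comment):
    """Constructed sample: a well-formed ssh-rsa line with a fake modulus."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + bytes([fill]) * 256)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    pending = constructed_rsa_line(0xC3, "alice@laptop")  # key awaiting approval
    print(inspect_public_key(pending))
```

The end user obtains the matching value locally by running ssh-keygen -lf on the public key file; the key is approved only if both fingerprints are identical.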