The public key authentication method requires each user to possess a pair of keys, one public and one private. An S- or K-Series device grants access to a specific user by loading the user's public key(s) into a trusted list. Once a public key is configured on a device, any person or device in possession of the corresponding private key is "authorized" (authenticated as the owner of the username account).
The S- and K-Series device supports either the explicit configuration of a single authkey public key or the implicit configuration of public keys using PKI and X.509 Certificates (Refer to Public-Key Infrastructure (PKI) Configuration for PKI configuration details).
The authkey method requires that the public key for each user be explicitly configured on the device using the set ssh server authkey command. One key is allowed per user. A drawback of the authkey method is that it is not scalable. Authorization of new users and de-authorization of existing users requires configuration changes on each and every device in the network.
An alternative and scalable method for obtaining a user's public key is to use Public Key Infrastructure (PKI). With PKI, a user's identity and public key are bound together in an X.509 Certificate. These certificates are digitally signed by a Certificate Authority (CA). A device which trusts a CA implicitly trusts all certificates signed by that CA. This allows the management of users to be moved from the devices to a centralized CA.
The set ssh server pki trusted-ca-list command defines the list of CAs which the SSH server will use to verify user certificates. These certificates are provided by the SSH client as part of SSH authentication. This means that once a chain of trusted certificates is configured on the device, any certificate issued by any CA in the chain will also be trusted.
When a user's certificate is configured on the device, that certificate is said to be explicitly trusted. By design, PKI authentication does not require a user's certificate to be configured on the device. However, if desired, you may impose an explicit trust requirement.
Use the set ssh server pki authorized-cert-list command to require a user's certificate to be explicitly configured on the device.
If an authorized-cert-list is configured, any certificate presented by a user which is not on this list will be rejected. If the certificate is on the list, then normal PKI authentication will be performed.
If an authorized-cert-list is not configured, then user certificates are only subject to normal PKI verification using the CA certificate trust chain set using the set ssh server pki trusted-ca-list command.
The certificate lists specified for both the server PKI trusted and authorized commands are configured using the set pki certificate command.
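To make the evaluation order of the trusted-ca-list and the optional authorized-cert-list concrete, the following is an added Python model of the acceptance rules described above (example code, not the S-/K-Series implementation). Certificates are constructed records, the CA names and fingerprints are made up, and chain validity is modelled by issuer links rather than real X.509 signature checks.

```python
"""Model of the SSH PKI acceptance policy: optional explicit trust
(authorized-cert-list) followed by normal chain verification (trusted-ca-list)."""
import hashlib
import json

# Constructed certificate store: subject -> certificate record.
# "issuer" is the subject of the signing CA; a self-signed root issues itself.
CERT_STORE = {
    "Corp Root CA": {"subject": "Corp Root CA", "issuer": "Corp Root CA"},
    "Corp Sub CA":  {"subject": "Corp Sub CA",  "issuer": "Corp Root CA"},
    "alice":        {"subject": "alice",        "issuer": "Corp Sub CA"},
    "Rogue CA":     {"subject": "Rogue CA",     "issuer": "Rogue CA"},
    "mallory":      {"subject": "mallory",      "issuer": "Rogue CA"},
}

def fingerprint(cert):
    """Stable identifier for a cert record (stands in for a DER SHA-256 hash)."""
    return hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()

def chain_to_trusted_ca(cert, trusted_ca_list, max_depth=8):
    """Walk issuer links upward; True once any issuer is on the trusted-ca-list."""
    current = cert
    for _ in range(max_depth):
        issuer = current["issuer"]
        if issuer in trusted_ca_list:
            return True
        if issuer == current["subject"]:   # untrusted self-signed root reached
            return False
        current = CERT_STORE.get(issuer)
        if current is None:                # issuer certificate unknown: chain broken
            return False
    return False                           # chain too long: treat as invalid

def ssh_pki_authenticate(username, cert, trusted_ca_list, authorized_cert_list=None):
    """Return (accepted, reason) for a certificate presented for `username`."""
    # Explicit trust applies only when an authorized-cert-list is configured.
    if authorized_cert_list is not None and fingerprint(cert) not in authorized_cert_list:
        return (False, "certificate not on authorized-cert-list")
    # Normal PKI verification: identity binding plus chain to a trusted CA.
    if cert["subject"] != username:
        return (False, "certificate subject does not match username")
    if not chain_to_trusted_ca(cert, trusted_ca_list):
        return (False, "no issuer on trusted-ca-list")
    return (True, "accepted")
```

Note that listing a certificate on the authorized-cert-list does not bypass chain verification: a certificate from an untrusted CA is still rejected.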