The list of paths to trusted SSH key files controls the public / private key authentication that SFTP allows for. If set, we will assume the user will attempt [SSH public key based authentication|https://www.ssh.com/academy/ssh/public-key-authentication], if no password is supplied at login time. In real-life use case the client end generates the key pair, supplies server side \\
the public key that the server admin will apply on their user account. Server side has no knowledge of the matching private key, that would be the end client's own secret.\\

[{Image src='ssh_keys1.jpg' width='1920' height='..' align='left' style='..' class='..' }]\\
\\
!!Allowed values for the input field:\\
__.__ a single or multiple file paths pointing to individual public key files, like /c:/sshkeys/test.pub. This option is to be used when setting up individual user accounts with SSH public keys\\
\\
__.__ a directory path pointing to a directory that contains the user public keys, the key files inside must have their filename stem part matching the user name, we then load these automatically. This option is to be used when assigning the setting by inheritance on the __default__ user, local group template\\
accounts or LDAP plugin Role template or any integration plugin's global template. For example, a domain user named __johndoe@intranet.local__ will associate with a key file named __johndoe.pub__ (part of user name and key file name stem matches from left to right starting with the \\
leftmost character)\\
\\
__.__ the content of the public key file itself\\
\\
!!Supported key file type and format:\\
__The key file container__ must be plain text with __PEM__ encoded SSH public key in __SSHv2__, __openssh.com__ or __putty__ format. The older SSHv1 format is not supported.\\
\\
__Supported SSH key algorithms__ in CrushFTP v10 are __SSH2-RSA__, __DSA__ (obsolete), __ECDSA__ and __ED25519__. The older SSH1 RSA algorithm is not supported.\\
\\
__Key size:__ For RSA keys, the minimum size is 1024 bits and the default is 2048 bits . Generally, 2048 bits is considered sufficient, though these can be as large as 8192 bits (slow). DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys either 256, 384 or 521 bits. Ed25519 keys have a fixed length.
\\
----
!Require public key and password for authentication:
This option will enforce two factor private key + password authentication for SFTP.
\\
----
!!Generating the key pair:
__OS X or Linux__\\
\\
Generate a key pair by issuing this command in a Terminal window:

{{{ssh-keygen -b 2048 -t rsa -N "" -f /somefolderpath/johndoe.key
}}}

Take the resulting public key and point CrushFTP to it as described above.

__Windows__

Windows PowerShell now includes an [openSSH stack|https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse], can use the same __ssh-keygen__ tool as above.\\
\\
If you are unsure of how to generate a public / private key pair for your SFTP client, you may want to take a look at [puttygen|http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe] for Windows to generate the keys.\\
\\
[{Image src='ssh_keys2.jpg' width='80%' height='..' align='left' style='..' class='..' }]\\
\\
CrushFTP can use the public key file you generate.\\