Chapter 6. Managing Keys and Identities

Secure Shell uses public key cryptography to verify servers (host keys) and, optionally, users (identities) on a network that is assumed to be insecure. Challenges are made using the public key, and only the private key owner can answer the challenge correctly. The price of this security is maintaining a set of secrets (private keys) and identifiers (public keys).
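The challenge-and-answer idea in the paragraph above, as an added example that is not code from the book. It assumes textbook RSA with a constructed toy key, SHA-256 for the answer hash, and hypothetical function names; it shows the principle, not the SSH wire protocol.

```python
import hashlib
import hmac
import secrets

# Constructed toy key built from two Mersenne primes: illustration only,
# far too small and too structured for real use.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def server_make_challenge(public):
    """Verifier: pick a random secret and encrypt it to the public key."""
    n, e = public
    secret = secrets.randbelow(n - 2) + 2
    return secret, pow(secret, e, n)


def _digest(secret, session_id):
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw + session_id).digest()


def client_answer(private, encrypted, session_id):
    """Prover: decrypt with the private key, return a hash bound to the session."""
    n, d = private
    return _digest(pow(encrypted, d, n), session_id)


def server_verify(secret, session_id, answer):
    """Verifier: constant-time comparison against the expected hash."""
    return hmac.compare_digest(_digest(secret, session_id), answer)


if __name__ == "__main__":
    pub, priv = make_keypair()
    sid = secrets.token_bytes(16)
    secret, enc = server_make_challenge(pub)
    answer = client_answer(priv, enc, sid)
    print("key owner accepted:", server_verify(secret, sid, answer))
```

Binding the answer to a per-connection session identifier means a captured answer is useless on another connection, and the private key itself never crosses the network.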

The key pairs come in three forms: RSA pairs labeled RSA1 (Protocol 1 only), RSA pairs labeled RSA (Protocol 2 only), and DSA pairs labeled DSA (Protocol 2 only). The key pairs can range in size from 512 to 8192 bits. The ssh-keygen(1) command generates the key pairs.

While host and user identity key pairs are given different treatment in this book, ...
