364 
Configuring a client's host public key 
In publickey authentication, the server compares the SSH username and the client's host public key 
received from the client with the locally saved SSH username and the client's host public key. If they 
are the same, the server checks the digital signature that the client sends. The client generates the 
digital signature by using the private key that is paired with the client's host public key. 
For publickey authentication, password-publickey authentication, or any authentication, you must 
perform the following tasks: 
1.  Configure the client's DSA, ECDSA, or RSA host public key on the server. 
As a best practice, configure no more than 20 SSH client's host public keys on an SSH server. 
2.  Specify the associated host private key on the client to generate the digital signature. 
If the device acts as an SSH client, specify the public key algorithm on the client. The algorithm 
determines the associated host private key for generating the digital signature. 
You can enter the content of a client's host public key or import the client's host public key from the 
public key file. Import the client's host public key as a best practice. 
Entering a client's host public key 
Before you enter the client's host public key, you must use the display public-key local public 
command on the client to obtain the client's host public key. 
To enter a client's host public key: 
 
Step Command Remarks 
1.  Enter system view. 
system-view 
N/A 
2.  Enter public key view. 
public-key peer
 keyname N/A 
3.  Configure a client's host 
public key. 
Enter the content of the client's 
host public key 
The host public key must be in the 
DER encoding format without 
being converted. 
When you enter the content of a 
client's host public key, you can 
use spaces and carriage returns 
between characters. When you 
save the host public key, spaces 
and carriage returns are removed 
automatically. 
For more information, see 
"Managing public keys." 
4.  Return to system view. 
peer-public-key
 
end
 N/A 
 
Importing a client's host public key from the public key file 
Before you import the host public key, upload the client's public key file (in binary) to the server, for 
example, through FTP or TFTP. During the import process, the server automatically converts the 
host public key in the public key file to a string in PKCS format. 
To import a client's host public key from the public key file: 
 
Step Command 
1.  Enter system view. 
system-view
 
2.  Import a client's public key 
from the public key file. 
public-key peer 
keyname 
import sshkey
 filename