Supported SSH Key Formats
This article outlines the SSH key formats supported by the 12Port Platform for authenticating to SSH-enabled hosts. The PAM platform uses SSH keys for two primary purposes:
- Remote Access Sessions: To establish secure, interactive sessions with target systems via SSH.
- Remote Script Execution: To authenticate against target systems for automated operations such as key rotation, firewall updates, and other administrative tasks.
Understanding the supported SSH key formats is essential for successful configuration and integration of SSH-based access and automation.
Supported SSH Key Algorithms
The 12Port Platform supports the following SSH key algorithms:
- RSA: A widely adopted public-key cryptosystem compatible with most SSH servers and clients.
- ECDSA: Offers improved performance and smaller key sizes while maintaining strong security, suitable for modern cryptographic use cases.
- Ed25519: A high-performance elliptic curve algorithm that provides enhanced security and efficiency. Preferred for new deployments due to its resilience against certain cryptographic attacks.
Supported SSH Key File Formats
The software accepts SSH keys in the following packaging formats:
- PEM: A base64-encoded format commonly used for storing RSA and ECDSA private keys, often used in OpenSSL-based tools.
- OpenSSH: The default key format used by the OpenSSH suite. It supports RSA, ECDSA, and Ed25519 keys and is compatible with most Unix-like systems.
- PuTTY (.ppk): A proprietary key format used by the PuTTY SSH client on Windows systems. 12Port can import and use .ppk files without requiring conversion.
- ssh.com: A legacy SSH key format used by older versions of the SSH Tectia client. Included for compatibility with environments where this format is still in use.
Note: If your SSH key is in an unsupported format, convert it to one of the supported formats (PEM, OpenSSH, PuTTY, or ssh.com) before using it in 12Port. Common tools for conversion include ssh-keygen, PuTTYgen, and OpenSSL.
Passphrase Protection
SSH keys may be:
- Protected with a Passphrase: Encrypted keys that require a passphrase for use. 12Port supports the use of passphrase-protected keys, and administrators must provide the corresponding passphrase during asset creation.
- Unprotected (No Passphrase): Keys stored in plaintext for automated use cases. While supported, it is strongly recommended to manage these keys securely using the 12Port credential vaulting and access controls.
Best Practices
- Use Ed25519 keys for new integrations to leverage stronger security and better performance.
- Ensure keys are stored securely, regardless of passphrase protection, by leveraging the 12Port built-in credential management capabilities.
- Where possible, use OpenSSH format keys for the broadest compatibility and ease of management across platforms.
Troubleshooting Tip
If an SSH key fails to authenticate during session initiation or script execution, verify:
- The key algorithm and file format are among the supported types listed above.
- The key is correctly associated with the target account in the Asset.
- The correct passphrase has been stored in the asset, if the key is passphrase-protected.
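The first check above can be done offline before a key is uploaded. The following is an added example, not 12Port code: a Python pre-check that reads a private key file's header and reports its container format, algorithm, and whether a passphrase is set. The function names and the sample are constructed for illustration; PEM labels other than RSA and EC are reported as unknown, which says nothing about whether 12Port accepts them.

```python
import base64
import re
import struct

# SSH wire key-type prefixes mapped to the algorithm families named in this article.
ALG_BY_PREFIX = {"ssh-rsa": "RSA", "ecdsa-sha2-": "ECDSA", "ssh-ed25519": "Ed25519"}

def alg(key_type):
    return next((a for p, a in ALG_BY_PREFIX.items() if key_type.startswith(p)), None)

def read_string(buf, off):
    """Read one uint32-length-prefixed SSH string; return (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_openssh(text):
    """Decode the unencrypted header of an openssh-key-v1 file."""
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = read_string(blob, len(magic))
    _, off = read_string(blob, off)        # kdfname
    _, off = read_string(blob, off)        # kdfoptions
    pub, _ = read_string(blob, off + 4)    # skip uint32 key count, read first public key
    key_type, _ = read_string(pub, 0)
    return ("OpenSSH", alg(key_type.decode()), cipher != b"none")

def inspect_key(text):
    """Return (format, algorithm, encrypted); None means not determined here."""
    text = text.strip()
    if text.startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
        return inspect_openssh(text)
    m = re.match(r"-----BEGIN (RSA|EC) PRIVATE KEY-----", text)
    if m:
        return ("PEM", "RSA" if m.group(1) == "RSA" else "ECDSA", "Proc-Type: 4,ENCRYPTED" in text)
    m = re.match(r"PuTTY-User-Key-File-\d+: (\S+)", text)
    if m:
        enc = re.search(r"^Encryption: (\S+)", text, re.M)
        return ("PuTTY", alg(m.group(1)), bool(enc) and enc.group(1) != "none")
    if text.startswith("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"):
        # This header is written with or without a passphrase; the cipher and
        # algorithm sit inside the blob and are not decoded here.
        return ("ssh.com", None, None)
    return ("unknown", None, None)

# Constructed PuTTY header lines (no key material).
SAMPLE = "PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: aes256-cbc\nComment: constructed\n"
print(inspect_key(SAMPLE))
```

A result of "unknown", or an encrypted flag that does not match what was entered at asset creation, points to the format or passphrase items in the list above.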