IETF-SSH archive


Re: I-D ACTION:draft-ietf-secsh-publickey-subsystem-04.txt



On Wednesday, September 14, 2005 03:50:01 PM -0400 Internet-Drafts%ietf.org@localhost wrote:

   SECSH defines an authentication mechanism that is based on public
   keys, but does not define any mechanism for key distribution.  No
   common key management solution exists in current implementations.
   This document describes a protocol that can be used to configure
   public keys in an implementation-independent fashion, allowing client
   software to take on the burden of this configuration.

   This protocol is intended to be used from the Secure Shell Connection
   Protocol [4] as a subsystem, as described in the Section "Starting a
   Shell or a Command".  The subsystem name used with this protocol is
   "publickey".

   The public-key subsystem provides a server-independent mechanism for
   clients to add public keys, remove public keys, and list the current
   public keys known by the server.  Rights to manage public keys are
   specific and limited to the authenticated user.

   A public key may also be associated with various restrictions,
   including a mandatory command or subsystem.


'SECSH' is the name of this working group, because 'SSH' was already taken, and the IETF doesn't reuse WG acronyms. It is not the name of the protocol, which is properly called "SSH" or "Secure Shell".

-- Jeff


