Authentication
Configure host-key trust, choose an auth method, and understand the supported key formats.
This section covers the main authentication and trust workflows supported by Traversio:
- password authentication
- keyboard-interactive authentication through async callbacks
- Ed25519, RSA, and ECDSA public-key authentication from raw private-key bytes, OpenSSH private keys, or OpenSSL-style PEM keys
- OpenSSH private-key metadata inspection for labels, fingerprints, and import diagnostics
- SSH agent-backed public-key signing through SSHAgentClient
- OpenSSH-compatible key generation for the same key families
- explicit host-key trust policy selection on every connection
Use these pages to choose a trust policy, select an auth method, and confirm the limits of each path.
Security Boundary
Host-key trust is always explicit. Traversio does not fall back to accepting an unknown host key if known_hosts, TOFU, pinning, or a callback policy cannot prove trust.
Legacy ssh-rsa stays disabled unless SSHLegacyAlgorithmOptions.sshRSA is enabled for the connection or jump-host hop. That switch covers built-in RSA private keys, callback-backed public-key auth, and SSH-agent-backed auth.
That switch controls the SSH algorithm named ssh-rsa; it does not control private-key file parsing. Use SSHAuthenticationMethod.privateKeyPEM(...) when an app should accept OpenSSH private-key PEM, unencrypted PKCS#8 PRIVATE KEY PEM for Ed25519/RSA/ECDSA, traditional RSA PRIVATE KEY PEM with or without a supported OpenSSL legacy passphrase, or unencrypted traditional EC PRIVATE KEY PEM text.
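The PEM forms in that list can be told apart by their armor label before the text is handed to SSHAuthenticationMethod.privateKeyPEM(...). The Swift code below is an added example, not Traversio code, and assumes a Swift app; it uses only Foundation, the names PEMKeyClass and classifyPrivateKeyPEM are hypothetical, and it reflects only the list on this page rather than the library's parser.

```swift
import Foundation

// Added example, not Traversio code. Classifies PEM text by armor label
// against the formats listed on this page. All names are hypothetical.
enum PEMKeyClass: Equatable {
    case openSSH                         // OPENSSH PRIVATE KEY
    case pkcs8Unencrypted                // PRIVATE KEY
    case traditionalRSA(encrypted: Bool) // RSA PRIVATE KEY
    case traditionalECUnencrypted        // EC PRIVATE KEY
    case notListed(String)               // well-formed PEM, label not in the list
    case notPEM                          // no BEGIN line or no matching END line
}

func classifyPrivateKeyPEM(_ text: String) -> PEMKeyClass {
    let lines = text.split(whereSeparator: \.isNewline)
        .map { $0.trimmingCharacters(in: .whitespaces) }
    let prefix = "-----BEGIN ", suffix = "-----"
    guard let start = lines.firstIndex(where: {
        $0.hasPrefix(prefix) && $0.hasSuffix(suffix)
    }) else { return .notPEM }
    let label = String(lines[start].dropFirst(prefix.count).dropLast(suffix.count))
    // Require the matching END line so truncated files fail closed.
    guard lines[start...].contains("-----END \(label)-----") else { return .notPEM }
    // OpenSSL legacy encryption is marked by a Proc-Type header right after BEGIN.
    // The DEK-Info cipher is not checked here; the page does not list which are supported.
    let encrypted = lines[start...].prefix(3).contains {
        $0.hasPrefix("Proc-Type:") && $0.contains("ENCRYPTED")
    }
    switch label {
    case "OPENSSH PRIVATE KEY": return .openSSH
    case "PRIVATE KEY": return .pkcs8Unencrypted
    case "RSA PRIVATE KEY": return .traditionalRSA(encrypted: encrypted)
    case "EC PRIVATE KEY":
        return encrypted ? .notListed("encrypted EC PRIVATE KEY") : .traditionalECUnencrypted
    default: return .notListed(label)    // e.g. ENCRYPTED PRIVATE KEY (encrypted PKCS#8)
    }
}

// Constructed sample with a placeholder body, not a real key.
let sample = """
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000
AAAA
-----END EC PRIVATE KEY-----
"""
print(classifyPrivateKeyPEM(sample))
```

A result of notListed or notPEM is a reason to show the user an import diagnostic instead of attempting authentication with that text.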
Unsupported auth modes such as hostbased authentication and security-key authentication are not attempted automatically. They are not part of the current public API.