The public-key authentication method works only with local accounts and domain accounts on domain controllers (there is no distinction between local and domain accounts on domain controllers). This is due to the Windows security subsystem's dependency on the presence of a password: only restricted functionality can be achieved without one, especially when accessing networked or encrypted resources.
Additional restrictions in SSH sessions authenticated with a public key:
- Account credentials cannot be delegated over the network on the remote machine. For example, network drives and remote services (like remote registry) cannot be accessed without explicitly authenticating on the target machine using a password.
- Encrypted resources (like files, private keys, etc.) cannot be accessed.
Keyboard-interactive authentication is required only if RSA SecurID is to be used for two-factor authentication; otherwise it falls back to simple password authentication. If RSA SecurID is used, there can be several challenges after the password part (like PIN code updates, waiting for the next passcode, etc.).
- The Manage Keys button only appears on the preferences page if the logged-on user could actually use public-key authentication in an SSH session.
- When using keyboard-interactive authentication, the username must be entered in the format DOMAIN\username.