Secure Shell (SSH) is a cryptographic protocol that securely transports data over an unsecured network (see RFC 4253).
The term ssh-keys usually refers to a cryptographic public/private key pair, which is used to authenticate a user through asymmetrical encrpytion or that is used to prove authenticity of the host by means of digital signatures.
Public key cryptography (asymmetrical cryptography), is any cryptographic system which uses pairs of keys: public keys which may be distributed widely, and private keys which are known only to the owner.
The hallmark feature of this methodis the use of asymmetric key algorithms, where the key used by to perform encryption is not the same as the key used by in decryption.
So, any person can encrypt a message using the receiver's public key. That message can then only be decrypted with the receiver's private key.
When used for authentication, the host key verifies a holder of the paired private key by sening a him message encrypted by the owner's public key. Only the holder of the paired (and secret) private key can decrypt the message (which was encrypted with the associated public key). Thus who ever is able to send back the decrypted messages proves that he owns the associated private key.
Typically the following asymmetric encryption methods used for public/private key exchange:
Currently (as of 2018), best practise is the use of ED22519 or 4096 bit RSA or keys.
This will provide the user with a pair of files, e.g. id_rsa and id_rsa.pub. The pub file will then be added to the ssh server, while the private file remains in a folder on the user's computer (under linux this file will get file system permissions that makes it only accessible by the owner, e.g. chmod 600 id_rsa).
In order to be used for authentification, the public key part (e.g. id_rsa.pub) needs to be put in a special file in the user's home folder on the host, so that the ssh-server can use it to verify the login (in order to to this, you need to login using a different authentication method, e.g. password).
With ZOC this can be done on a Unix/Linux host using the following sequence of commands:
rz (or upload the id_dsa.pub file via SCP from ZOC's Transfer-menu)
cat id_dsa.pub >>authorized_keys