Hi @MacFee
When utilizing zssh or tunneling, OpenZiti is only handling the network connectivity portion of SSH. The SSH protocol itself (user authentication, authorized_keys, certificates, etc.) remains unchanged.
In both cases, SSH keys are not managed by OpenZiti. Users still authenticate to the target system using whatever SSH authentication method the server is configured for (public/private keys, SSH certificates, passwords, LDAP, etc.).
So from the SSH server's perspective, it is simply receiving a normal SSH connection that happens to be transported over OpenZiti instead of a traditional TCP/IP network.
If you'd like OpenZiti to participate in the SSH authentication and identity management process as well, take a look at this discussion: