Generating a Public Key from a Private Key
Overview
In some cases, you may already have a private key but need to generate its corresponding public key. For example:
- The private key was generated by the SFTP client, but the public key was not saved.
- You need to verify that a private key matches a specific public key.
- You want to ensure that only the SFTP user holds the private key, while the sysadmin only ever receives the public key.
Generating a Public Key from a Private Key
On Linux/macOS (Using OpenSSH)
- Ensure OpenSSH is installed:
OpenSSH is typically pre-installed on Linux and macOS. If not, install it using your package manager (Debian/Ubuntu shown):
apt-get install openssh-client
- Generate the public key:
Use the ssh-keygen command to extract the public key from the private key. Replace key.pem with the path to your private key file. If the private key is protected by a passphrase, ssh-keygen prompts for it; the private key file is only read and is not modified.
ssh-keygen -y -f key.pem > key.pub
- -y: Reads a private key file and prints its public key.
- -f key.pem: Specifies the path to the private key file.
- > key.pub: Saves the output (public key) to a file named key.pub.
- Verify the public key:
The contents of key.pub will be a single line: the key type, the base64-encoded key material, and optionally a comment. For an RSA key it looks something like this:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArV1...
This is the public key that you can share with the sysadmin to configure on the SFTP server.
On Windows (Using OpenSSH in PowerShell)
- Install OpenSSH:
OpenSSH is available in Windows 10 and later. To install it:
- Open Settings > Apps > Optional Features > Add a Feature.
- Search for "OpenSSH Client" and install it.
- Generate the public key
Open PowerShell and run the following command:
ssh-keygen -y -f C:\path\to\key.pem > C:\path\to\key.pub
Replace C:\path\to\key.pem with the path to your private key file and C:\path\to\key.pub with the desired output path for the public key. Note that in Windows PowerShell 5.1 the > operator writes the file as UTF-16 with a byte-order mark, which an SFTP server will not accept as a public key; pipe the output through Out-File -Encoding ascii instead, or use PowerShell 7, where > writes UTF-8.
- Verify the public key:
Open the key.pub file in a text editor to view the public key. It should be a single line beginning with the key type (for example ssh-ed25519 or ssh-rsa).
Verifying That a Private Key Matches a Public Key
To ensure that a private key matches a specific public key, follow these steps:
- Generate the public key from the private key (as shown above).
- Compare the generated public key with the existing public key. Compare the key type and the base64 key material only; ignore the trailing comment, which may differ or be absent depending on how each file was produced. A convenient way is to compare the fingerprints that ssh-keygen -l -f prints for each public key file.
- If the key material (or the fingerprints) match, the private key corresponds to the public key.
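The following POSIX shell script is an added example, not part of the original page: it runs the extraction and verification steps above end to end. It assumes ssh-keygen is on PATH, generates two throwaway ed25519 key pairs in a temporary directory (the names sftp_key and other_key and their comments are constructed for the demo), recovers the public key from the private key alone, and then decides whether a private key matches a saved public key by comparing SHA256 fingerprints rather than raw text, so a differing comment does not produce a false mismatch. The unrelated key shows the negative case.

```shell
#!/bin/sh
# Added example: derive the public key from an OpenSSH private key and check
# it against an existing public key by fingerprint. Requires ssh-keygen.
# Key names and comments below are constructed for the demo, not real keys.
set -eu

command -v ssh-keygen >/dev/null 2>&1 || {
    echo "ssh-keygen not found: install the OpenSSH client first" >&2
    exit 1
}

# derive_pub PRIVATE_KEY OUT_FILE
# Reads the private key (prompting for its passphrase if it has one) and
# writes the matching public key in authorized_keys format. The private key
# file itself is never modified.
derive_pub() {
    ssh-keygen -y -f "$1" > "$2"
}

# fingerprint PUBLIC_KEY_FILE
# Prints the SHA256 fingerprint (e.g. SHA256:abc...), which depends only on
# the key material, not on the trailing comment.
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# pubkey_matches PRIVATE_KEY PUBLIC_KEY_FILE
# Returns 0 if the private key corresponds to the given public key, 1 if not.
pubkey_matches() {
    derived_file=$(mktemp)
    derive_pub "$1" "$derived_file" || { rm -f "$derived_file"; return 1; }
    derived=$(fingerprint "$derived_file")
    existing=$(fingerprint "$2")
    rm -f "$derived_file"
    [ "$derived" = "$existing" ]
}

# Demo: generate two throwaway ed25519 key pairs in a temporary directory
# (the SFTP user's key and an unrelated one), then check each against the
# SFTP user's saved public key.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
ssh-keygen -q -t ed25519 -N '' -C 'sftp-user demo key' -f "$workdir/sftp_key"
ssh-keygen -q -t ed25519 -N '' -C 'unrelated demo key' -f "$workdir/other_key"

# Step 1: recover the public key from the private key alone.
derive_pub "$workdir/sftp_key" "$workdir/recovered.pub"
echo "recovered: $(cat "$workdir/recovered.pub")"

# Step 2: compare by fingerprint rather than by raw text, because the comment
# at the end of the line may differ even when the key is the same.
echo "saved     fingerprint: $(fingerprint "$workdir/sftp_key.pub")"
echo "recovered fingerprint: $(fingerprint "$workdir/recovered.pub")"

if pubkey_matches "$workdir/sftp_key" "$workdir/sftp_key.pub"; then
    echo "sftp_key matches sftp_key.pub"
fi
if pubkey_matches "$workdir/other_key" "$workdir/sftp_key.pub"; then
    echo "unexpected: other_key matched sftp_key.pub" >&2
    exit 1
else
    echo "other_key does not match sftp_key.pub (as expected)"
fi
```

To check a real key, call pubkey_matches with the path to your private key and the public key the sysadmin has on file; a passphrase-protected private key will prompt for its passphrase when ssh-keygen -y reads it.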
Best Practices for Key-Based Authentication
Generate the key pair on the client side:
- The SFTP user should generate the key pair to ensure that the private key never leaves their system.
Share only the public key:
- The SFTP user should send the public key to the sysadmin for configuration on the server. The private key should never be shared or transmitted, whether by email or any other channel.
Secure the private key:
- Store the private key in a secure location with restricted access (on Linux/macOS, readable only by its owner, i.e. mode 600). Use a passphrase to encrypt the private key for added security.
Use strong key types:
- Prefer ed25519. If RSA is required, use 4096-bit keys (3072 bits at minimum).
Example Workflow
- The SFTP user generates a key pair:
ssh-keygen -t ed25519 -f ~/.ssh/sftp_key
This creates sftp_key (private key) and sftp_key.pub (public key).
- The user shares the public key (sftp_key.pub) with the sysadmin.
- The sysadmin configures the public key on the SFTP server for the user's account.
- The user connects to the SFTP server using their private key:
sftp -i ~/.ssh/sftp_key user@hostname
Troubleshooting
- "Invalid format" error: Ensure the private key is in a format ssh-keygen understands (the OpenSSH private key format or PEM for RSA keys) and that the file has not been truncated. A PuTTY .ppk key must first be exported as an OpenSSH key with PuTTYgen. Passing a public key file to -f produces the same error.
- Permission issues: On Linux/macOS, ensure the private key file has the correct permissions (chmod 600 key.pem). Like ssh, ssh-keygen refuses to load a private key that other users can read and reports bad permissions.
- OpenSSH not found: Install OpenSSH on your system if it is not already available.