An SSH key pair is a combination of a public key file and a private key file. You can think of the public key as a lock on a door and the private key as the key that fits that lock.
By default, SFTP Gateway disables password authentication and uses SSH key pairs as the primary authentication method, because a private key cannot be guessed or brute-forced over the network the way a password can.
There are several types of SSH keys. SFTP Gateway generates a 2048-bit RSA key when it creates a new key pair for a user.
The public key is stored on the server and is used by the OpenSSH sshd service to authenticate the user when they attempt to connect.
sshd looks in /home/username/.ssh/authorized_keys, the list of all public keys associated with that user, for the entry that corresponds to the private key the client is using. The private key itself is never sent over the connection: the client proves it holds the key by signing a challenge, and sshd verifies that signature with the matching public key from the file. If the signature verifies and the key is listed for the account the client asked for, the user is authenticated and authorized to access the server.
A user's authorized keys file can hold multiple public key entries, each paired with its own private key. This lets a user connect with more than one private key, and lets third-party programs, other infrastructure, or several people connect to the same user account. Because anyone holding any of the listed private keys gets that account, remove an entry as soon as its private key is retired or shared more widely than intended.
Entries in the authorized keys file must be in the OpenSSH format: one key per line, in three segments separated by a single space. Segment 1 is the key type. There are many key types; the most common, and the one SFTP Gateway generates by default, is ssh-rsa. Segment 2 is the base64 encoded key, a long string of seemingly random characters; this is the public key sshd uses to verify the signature the client produces with its private key. Segment 3 is an optional comment, such as a name or email address, that lets you identify which private key corresponds to that public key; sshd ignores it. OpenSSH also accepts an optional options field (for example from= or command=) in front of the key type, which restricts how that entry may be used. The following is an example of what an authorized keys file looks like:
keyType encodedKey comment(optional)
ssh-rsa AAAAB3NzaC1yc2EAAA... jimsKey
ssh-rsa AAAAB3NFv9yCFYVt8M... bobsKey
Since SFTP Gateway uses the standard OpenSSH installation that comes with Linux for all SSH and SFTP connections, every public key must be in the OpenSSH format shown above. Some keys, however, are generated in other formats such as SSH2 (RFC 4716) and must be converted. Below is an example of an SSH2 format key as produced by PuTTYgen, the key generator used in the Windows environment.
---- BEGIN SSH2 PUBLIC KEY ----
---- END SSH2 PUBLIC KEY ----
Converting a public key
Since SFTP Gateway does not recognize the SSH2 format, the public key will have to be converted to OpenSSH format.
- If you are in a Linux/Unix environment, save the key as a plain text file (ssh2.pub in this example) and run the command
  ssh-keygen -i -f ssh2.pub > openssh.pub
  This creates the file openssh.pub containing the OpenSSH formatted public key:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAwTIdI+GVvOkEtn0yVIYU7GaVRW5FVoBzGuzaoNpbDItBtEGBJdmL6x4hNswRqPjOxrp7+bDNlGV+jsyy8GGQzJ90CuHkdVEAsceNPxjZ6sChd94mc9re46ofrWjMpaIGHPWyBxnYMfXI0hm47LNUDD1C67x6E1aKJs52B6XNiCSQOueo6zA+UlEBeizm8U0HcJ+4Ri49tGmz6gMIdB8PcJmohVVZP4ACI35RfByMNAPlFQDmxGFDIPyROF/VqVkE7g1PB0COL8kuNgoWT5Xh9wxr/bK1Hyh5aYEDOugsWMJoGA46Sz9Oi0fU5lDbG33TTTzXCCrFhzKt8NbOhPL9Bw==
- If you are in a Windows environment and using PuTTYgen, load the key; the box at the top of the window, labelled "Public key for pasting into OpenSSH authorized_keys file", contains the OpenSSH formatted key ready to copy and paste.
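The two formats above, the three-segment authorized_keys line and the SSH2 block it is converted from, are small enough to handle in a few lines of code. The following Python is an added example, not code from SFTP Gateway or from the original page: it parses an authorized_keys entry the way sshd would (base64 decodes segment 2 and checks that the key type embedded in the blob agrees with segment 1, tolerating a leading options field), and converts an RFC 4716 block to an OpenSSH line the way ssh-keygen -i does. The key material is built from constructed, far-too-small numbers so the example runs offline; the function names and the DEMO_ values are this example's own assumptions.

```python
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Constructed demo values so the example runs offline; NOT real key material.
DEMO_E = 65537
DEMO_N = 0xC0FFEE1234567890ABCDEF  # hypothetical modulus, far too small for a real key


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """Non-negative integer as an SSH mpint (RFC 4251)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b  # leading zero keeps the value positive
    return _ssh_string(b)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Decoded body of an ssh-rsa public key: type name, e, n (RFC 4253)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(blob: bytes) -> bytes:
    """First length-prefixed string in a key blob, i.e. the embedded key type."""
    if len(blob) < 4 or len(blob) < 4 + struct.unpack(">I", blob[:4])[0]:
        raise ValueError("key blob truncated")
    return blob[4:4 + struct.unpack(">I", blob[:4])[0]]


def _split_options(line: str):
    """Split a leading options field (from=, command=, ...) from the key. Quoted
    values may contain spaces, so cut at the first unquoted whitespace."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    raise ValueError("options present but no key follows them")


def parse_authorized_key(line: str):
    """Parse one authorized_keys entry (None for blank/comment lines), checking what
    sshd checks: segment 2 is valid base64 and its embedded type matches segment 1."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("missing or unknown key type")
    key_type, b64, comment = parts[0], parts[1], parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"segment 2 is not valid base64: {exc}") from None
    embedded = _read_string(blob).decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"segment 1 says {key_type} but the blob says {embedded}")
    return {"options": options, "type": key_type, "blob": blob, "comment": comment}


def ssh2_to_openssh(text: str) -> str:
    """Convert an RFC 4716 ("SSH2") block to one OpenSSH line, as ssh-keygen -i does:
    drop markers and headers, join the base64 body, prefix the key type read from
    inside the blob, and carry the Comment header over as segment 3."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----"
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("not an SSH2 public key block")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        if ":" in lines[i]:  # header line; base64 never contains ':'
            tag, _, value = lines[i].partition(":")
            while value.endswith("\\") and i + 2 < len(lines):  # continuation line
                i += 1
                value = value[:-1] + lines[i]
            headers[tag.strip().lower()] = value.strip().strip('"')
        else:
            body.append(lines[i])
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    line = f"{_read_string(blob).decode('ascii')} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {headers['comment']}" if headers.get("comment") else line


def demo_ssh2_text(blob: bytes, comment: str) -> str:
    """Constructed SSH2-format block, laid out the way PuTTYgen saves one."""
    b64 = base64.b64encode(blob).decode("ascii")
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      "---- END SSH2 PUBLIC KEY ----"])


if __name__ == "__main__":
    ssh2 = demo_ssh2_text(rsa_public_blob(DEMO_E, DEMO_N), "jimsKey")
    print(parse_authorized_key(ssh2_to_openssh(ssh2)))
```

After converting a real key, compare fingerprints before trusting the result: ssh-keygen -l -f openssh.pub on the server side should print the same fingerprint PuTTYgen shows for the key, and a line whose base64 was wrapped or mangled in transit will fail the decode step above rather than silently authorising the wrong key.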
The private key stays on the user's computer and is never uploaded to the server. It can be further protected with a passphrase, which must be entered before the key can be used in a connection attempt; because the key is then stored encrypted on disk, a copied or stolen key file is useless without the passphrase.
The user supplies the private key when connecting to the SFTP Gateway server, for example with the OpenSSH sftp client:
sftp -i path/to/private.key <username>@<server_ip_address>
A private key generated by SFTP Gateway looks like this: the line "-----BEGIN RSA PRIVATE KEY-----" at the top, the line "-----END RSA PRIVATE KEY-----" at the bottom, and between them the encoded key in lines of 64 characters (only the last line may be shorter). If you open the key in a text editor and it is not laid out like this, it will not be recognized as a valid key. The OpenSSH client also refuses a private key file that other users can read (it reports "UNPROTECTED PRIVATE KEY FILE!"), so the file must be readable by its owner only (mode 0600). Keys made by recent versions of ssh-keygen use the header "-----BEGIN OPENSSH PRIVATE KEY-----" instead; the OpenSSH client accepts those too, but they are not the format SFTP Gateway generates.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Note: SFTP Gateway generates keys on Linux, so the file uses LF line endings. Older versions of Windows Notepad do not recognize a bare LF and display the whole key on a single line. The file itself is normally intact; open it in an editor that understands LF line endings (recent versions of Notepad, or any programmer's editor) before changing anything. If the line breaks really are missing, open the key in a plain text editor and re-insert them: one after the BEGIN line, one before the END line, and one after every 64 characters of the encoded key.
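The layout rules above (matching BEGIN/END markers, 64-character body lines, LF line endings, owner-only permissions) can be checked and repaired mechanically. The following Python is an added example, not code from SFTP Gateway or from the original page: private_key_problems reports what is wrong with a key file's layout, normalize_private_key converts CRLF to LF and re-wraps a collapsed body at 64 characters without altering the key material (keeping the Proc-Type/DEK-Info headers a passphrase-protected PEM key carries), and key_file_mode_ok applies the same permission test the OpenSSH client makes. The key body is a constructed placeholder, not a real key, and all names here are this example's own assumptions.

```python
import base64
import os
import re
import stat

# Constructed placeholder body so the example runs offline; NOT real key material.
DEMO_BODY = base64.b64encode(b"constructed placeholder, not real key material. " * 4).decode("ascii")
KNOWN_LABELS = ("RSA PRIVATE KEY",      # PEM (PKCS#1): the format SFTP Gateway generates
                "OPENSSH PRIVATE KEY")  # native OpenSSH format written by newer ssh-keygen
BEGIN_RE = re.compile(r"-----BEGIN ([A-Z ]+ PRIVATE KEY)-----")
END_RE = re.compile(r"-----END ([A-Z ]+ PRIVATE KEY)-----")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def demo_private_key() -> str:
    """A correctly laid-out (but fake) key: markers, 64-character lines, LF endings."""
    body = [DEMO_BODY[i:i + 64] for i in range(0, len(DEMO_BODY), 64)]
    return "\n".join(["-----BEGIN RSA PRIVATE KEY-----", *body, "-----END RSA PRIVATE KEY-----", ""])


def private_key_problems(text: str) -> list:
    """Layout checks for the PEM keys SFTP Gateway generates. Returns [] when the file looks right."""
    problems = []
    if "\r" in text:
        problems.append("Windows (CRLF) line endings")
    lines = text.strip().splitlines()
    if not lines or not BEGIN_RE.fullmatch(lines[0]):
        problems.append("first line is not a -----BEGIN ... PRIVATE KEY----- marker")
    if len(lines) < 2 or not END_RE.fullmatch(lines[-1]):
        problems.append("last line is not an -----END ... PRIVATE KEY----- marker")
    body = [l for l in lines[1:-1] if l and ":" not in l]  # skip Proc-Type/DEK-Info headers
    short = [len(l) for l in body[:-1] if len(l) != 64]
    if short:
        problems.append(f"{len(short)} body line(s) are not 64 characters long")
    if body and (len(body[-1]) > 64 or not B64_RE.fullmatch("".join(body))):
        problems.append("encoded key body is not valid base64 in 64-character lines")
    return problems


def normalize_private_key(text: str) -> str:
    """Repair layout without touching the key material: CRLF to LF, body re-wrapped
    at 64 characters, PEM headers kept. Raises ValueError if the markers are
    missing, mismatched, or of an unknown type."""
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip()
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----(.*)-----END ([A-Z ]+)-----", text, re.S)
    if not m:
        raise ValueError("missing -----BEGIN/END ... PRIVATE KEY----- markers")
    label, raw_body, end_label = m.groups()
    if label != end_label or label not in KNOWN_LABELS:
        raise ValueError(f"unexpected or mismatched key labels {label!r} / {end_label!r}")
    headers, chunks = [], []
    for line in raw_body.splitlines():
        line = line.strip()
        if ":" in line:
            headers.append(line)  # e.g. "Proc-Type: 4,ENCRYPTED" on a passphrase-protected key
        elif line:
            chunks.append(line.replace(" ", ""))  # tolerate spaces left by line wrapping
    b64 = "".join(chunks)
    if not B64_RE.fullmatch(b64):
        raise ValueError("encoded key body is not valid base64")
    out = [f"-----BEGIN {label}-----", *headers, *([""] if headers else []),  # PEM: blank line after headers
           *[b64[i:i + 64] for i in range(0, len(b64), 64)], f"-----END {label}-----", ""]
    return "\n".join(out)


def key_file_mode_ok(path: str) -> bool:
    """OpenSSH refuses a private key that group or others can read
    ("UNPROTECTED PRIVATE KEY FILE!"); this is the same permission test."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    collapsed = demo_private_key().replace("\n", "")
    print(private_key_problems(collapsed))
    print(normalize_private_key(collapsed) == demo_private_key())
```

These functions only check and repair the text layout; they cannot tell you whether the key material itself is sound. For that, run ssh-keygen -y -f on the repaired file: it prints the matching public key if the private key parses, and errors out otherwise.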