SFTP Authentication

Author: Conrad Chung, 2BrightSparks Pte. Ltd.

This article discusses the basics of what SFTP is and the various authenticating methods in which a user can use to connect to an SFTP server (depending on how the server is set up). In addition, we will be discussing how a connecting client can check to ensure the SFTP server is authentic.

To transfer files securely using SFTP, you will need to use a client that supports the Secure Shell (SSH) protocol, like the backup & synchronization program - SyncBackPro. Note that SyncBackFree and SyncBackSE do not support SFTP, and while SyncBackSE supports the FTPS protocol, it is unrelated to SFTP.

SSH in SFTP Servers is an encrypted network protocol that uses public key cryptography to create a more secure method to authenticate a client’s identity and rights to access a server.

In SSH, there are two sets of public/private key pairs (or four keys), which are:

  • User (Client) Public Key
  • User (Client) Private Key
  • Host (Server) Public Key
  • Host (Server) Private Key
The user’s Public & Private Keys are a pair of keys used to authenticate a client when it connects to an SFTP server. The user’s private key is kept secret and stored locally on the user’s PC while the user’s public key is uploaded and registered on the SFTP server the user connects to. The server’s public key (commonly known as the host key) is sent to connecting clients for validation and ensure the SFTP server they are connecting to is the correct server. The server’s private key is only used internally by the SFTP server/server admin and is not used by end-users.

Validation of the Server Public (Host) Key

A host key is the SFTP server’s public key. Ensuring the SFTP server is validated is an important aspect of the SFTP protocol. It is designed to protect against man-in-the-middle attacks where the hacker intercepts and relays an impersonated message to the other party. Host key validation ensures the FTP server that a client is connecting to is verified as the correct one. When the client connects to the server, the server’s public key is returned and the client may be prompted to accept the host key (if connecting for the first time). Once accepted, this key will be stored within the client, which will then be used to check if the Host key matches each time it connects to the SFTP server.

Note that host key validation is performed prior to any client authentication process starts, which only takes place if the server validation is successful, otherwise the connection will be aborted.

Important Note - the Host key (server’s public key) is different from the user’s public key. The former (host key) is used to validate the server’s identity by the client while the latter is used by a client to authenticate and login to an SFTP server.

When SyncBackPro connects to an SFTP server for the first time with host key validation enabled, you may be prompted with a message like this:

Confirm host key

A hash fingerprint of the host key is displayed to the client. The user should use a secure method to verify the host key and ensure it matches the correct SFTP server. Once the server is verified and the host key is accepted, it is saved by the SFTP client so it can be used automatically in a future validation process whenever the client connects to the server. If the incoming host key does not match against the previously saved host key, the user may be prompted with the following message:

Host key warning

This message is to warn the client that the saved Host key does not match the incoming host key from the SFTP server. In the worst case scenarios, this message may imply that the server has been compromised or there is a man-in-the-middle attack. However, this is usually not the case. Some of the likely cause of this message may include:

  • The user may have mistakenly loaded the user public key into the SFTP host key field, mistaking the user public key is the same as the server host (public) key
  • The system administrator may have changed the host key, or he re-installed the server and used a new host key
  • The user is using the wrong host key
If the host key does not match, it is best to check back with your SFTP administrator for further assistance.

The option to review or change the “SFTP Host Key” option is at:

Modify > Expert > FTP > Advanced

settings page of the SyncBackPro profile.

Client Authentication

There are several methods to configure the authentication procedure on an SFTP server. The three authentication methods supported by the SyncBackPro are:

  • username and password
  • a username with a user’s public/private key
  • a username with a user’s public/private key and password

Client Authentication using Password

This is the simplest form of authentication using the traditional username/password method. A client logs in to SFTP using Username/Password. No user private/public keys are required (although the client may still get prompted by the server to validate the host key). Note that some SFTP servers may be configured to disallow password authentication by default, which will result in the connection attempt to fail. The “username” and “password” can be configured under:

Modify > Expert > FTP

settings page of the SyncBackPro profile.

Client Authentication using Public/Private key

Public key authentication is a method where the SFTP client identifies itself to the server by using public/private key pairs. The client first generates a pair of public and private keys from his own computer using third party key generation tools like PuTTYgen, etc. Prior to connection, the user’s public key must first be uploaded and registered on the SFTP server. Then the client’s private key is loaded via the “SFTP Private Key” option of:

Modify > Expert > FTP

settings page of the SyncBackPro profile.

Before any client authentication takes place, the client may get prompted by the SFTP server to validate the host key when establishing connection with it. Once server validation is complete the client will encrypt a signature using the loaded private key and sends it to the server. The server then verifies this signature against the stored user public key. Once verification is successful, the SFTP will grant access to the connecting client.

Client Authentication using Public key/Private key and password

Do note that the password described in this section is not referring to the login password, but rather this is the password (or passphrase) for the private key. Public/Private key and password configuration is similar to steps described in the latter section, except that it includes the private key’s password.

When using public key authentication, you store the private key unprotected on your computer. As a result, if anybody gains access to this private key on your PC, they would be able to log in to your SFTP server using your account. One way to prevent this is to encrypt the private key with a password/passphrase. To use this key, the user must first decrypt it by entering the key’s password under the “SFTP Private Key Password” option, located at:

Modify > Expert > FTP

settings page of the SyncBackPro profile.

Without the password, the private key cannot be used by anybody else other than the original owner.

Conclusion

Besides providing encryption via a secure channel, SFTP provides a way to authenticate both the user and host. Hopefully, this article was helpful in understanding the basics of server validation and client authentication, as well as the configuration steps necessary to setup an SFTP connection.


Noted Customers

© 2017 2BrightSparks Pte. Ltd.  | Home | Support | Privacy | Terms

Back to top