Connect to SFTP server

joker197cinque
504 Command not implemented
Posts: 8
Joined: 2011-02-23 16:38

Connect to SFTP server

#1 Post by joker197cinque » 2011-02-23 17:01

I am using the 3.3.4.1 portable version of the FileZilla client.

I am trying to understand the connection process to an SFTP server that is already set up and running.

If I connect from FileZilla to an SFTP server on port 22, I get the fingerprint warning:

Unknown host key
The server's host key is unknown. You have no guarantee that the server is the computer you think it is.

Host: ...
Fingerprint: ...

Trust this host and carry on connecting?
Always trust this host, add this key to the cache


Digging into FileZilla options, I notice that I can add private keys under the SFTP node.
Is it related to the warning?
Which keys should I add here?
Who is supposed to send me these keys?
Will adding the correct keys suppress the warning?

In general, does an SFTP client need certificates/keys as well as a password?

Thanks, I am a bit confused :)

botg
Site Admin
Posts: 35563
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Connect to SFTP server

#2 Post by botg » 2011-02-23 19:07

joker197cinque wrote:
Digging into FileZilla options, I notice that I can add private keys under the SFTP node.
Is it related to the warning?

No, not related to this warning.

All SFTP sessions are encrypted and authenticated by the server's host key. If the host key is unknown, then you have no guarantee that you really are connecting to the correct server. Please contact your server administrator over a secure channel so that he can tell you the host key so that you can compare it against what FileZilla thinks it is connecting to.

If they match, all fine and dandy. If they mismatch, you're being the victim of an active attacker intercepting all your connections.
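The comparison described in the post above, as an added example that is not part of the original thread: it derives the fingerprint of a host public key the way an administrator could from the server's public key line, then compares it with what the client dialog shows. The sample key is constructed, and the two fingerprint formats handled (colon-separated MD5 hex and `SHA256:` base64) are an assumption, since the page elides the fingerprint text.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host key line (not a real key): "ssh-rsa", e=65537, dummy modulus.
_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(1, 129)))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " constructed-example"


def key_type(blob: bytes) -> str:
    """Read the algorithm name stored as the first string inside the key blob."""
    if len(blob) < 4:
        raise ValueError("truncated host key blob")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("truncated host key blob")
    return blob[4:4 + length].decode("ascii")


def fingerprints(pubkey_line: str) -> dict:
    """Return both common fingerprint forms for a '<type> <base64> [comment]' line."""
    declared, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if key_type(blob) != declared:
        raise ValueError("key type inside blob differs from the declared type")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def normalize(fp: str) -> bytes:
    """MD5 hex is case-insensitive; SHA256 base64 is case-sensitive."""
    fp = fp.strip()
    return (fp if fp.startswith("SHA256:") else fp.lower()).encode()


def matches(shown_by_client: str, from_admin: str) -> bool:
    """True only if the fingerprint in the dialog equals the admin's value."""
    return hmac.compare_digest(normalize(shown_by_client), normalize(from_admin))
```

The fingerprint is computed from the public half of the host key only; the private key never leaves the server.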

joker197cinque
504 Command not implemented
Posts: 8
Joined: 2011-02-23 16:38

Re: Connect to SFTP server

#3 Post by joker197cinque » 2011-02-24 09:24

Hi botg thx for reply.

I use freeftpd as the SFTP server and it generates 2 key files, privatekey.rsa and privatekey.dsa. I opened them and the content is something like this:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCu+Mt8xP2u4FvXf6vxxZ9ertjJ4fih+02KOowoqkpXb8BVgvAC
UCTOcOrxDIuDNyQTsUgzMhH6TlxpRcCKsC54IcFxUNapIv/WvDk+SeDxdmPYj7If
eq6HixXMMXnOsPY
.....
-----END RSA PRIVATE KEY-----

What am I supposed to do with those files?
If I try to import those files into FileZilla (Settings --> SFTP --> FileZilla converts them into its format) and try to connect to the SFTP server, I get the connection warning anyway.

Is there a client authentication process (certificate, key, ...) beyond the password?

Thanks, links to read also welcome.

boco
Contributor
Posts: 26938
Joined: 2006-05-01 03:28
Location: Germany

Re: Connect to SFTP server

#4 Post by boco » 2011-02-24 10:00

Nothing will prevent that warning dialog. FileZilla will never blindly trust anything (certificates, server keys, ...) but always ask the user for confirmation.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

joker197cinque
504 Command not implemented
Posts: 8
Joined: 2011-02-23 16:38

Re: Connect to SFTP server

#5 Post by joker197cinque » 2011-02-24 10:15

boco wrote:
Nothing will prevent that warning dialog. FileZilla will never blindly trust anything (certificates, server keys, ...) but always ask the user for confirmation.

Ok, I see.

Can you help me to implement public key authentication with the freeftpd SFTP server and the FileZilla FTP client? If I understand correctly, it is possible to import a public or private key into the client and log on without a password, but I cannot find a how-to for this.

Pls help.

Thanks.

botg
Site Admin
Posts: 35563
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Connect to SFTP server

#6 Post by botg » 2011-02-24 19:33

joker197cinque wrote:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCu+Mt8xP2u4FvXf6vxxZ9ertjJ4fih+02KOowoqkpXb8BVgvAC
UCTOcOrxDIuDNyQTsUgzMhH6TlxpRcCKsC54IcFxUNapIv/WvDk+SeDxdmPYj7If
eq6HixXMMXnOsPY
.....
-----END RSA PRIVATE KEY-----

You should generate a new key ASAP. Publishing the private key, or even parts of it, is the equivalent of broadcasting the combination to your safe on national television.

joker197cinque
504 Command not implemented
Posts: 8
Joined: 2011-02-23 16:38

Re: Connect to SFTP server

#7 Post by joker197cinque » 2011-02-25 14:13

botg wrote:
joker197cinque wrote:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCu+Mt8xP2u4FvXf6vxxZ9ertjJ4fih+02KOowoqkpXb8BVgvAC
UCTOcOrxDIuDNyQTsUgzMhH6TlxpRcCKsC54IcFxUNapIv/WvDk+SeDxdmPYj7If
eq6HixXMMXnOsPY
.....
-----END RSA PRIVATE KEY-----
You should generate a new key ASAP. Publishing the private key, or even parts of it, is the equivalent of broadcasting the combination to your safe on national television.

Hi botg, don't worry :) I randomly changed some letters/case

Any help appreciated.

botg
Site Admin
Posts: 35563
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Connect to SFTP server

#8 Post by botg » 2011-02-26 08:13

Changing some letters is not enough. You still have published a significant portion of the key, compromising the security of your server.
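A pre-posting check for the situation discussed in the posts above, as an added example that is not part of the original thread: it finds PEM private key blocks in a draft and removes each block whole instead of altering a few characters. The draft text and its placeholder body are constructed, and the function names are hypothetical.

```python
import re

# A PEM private key block: BEGIN line, body, and the END line if there is one.
# A block cut off before its END line is matched through to the end of the text,
# so the check fails closed and a partial key never survives.
PEM_PRIVATE = re.compile(
    r"-----BEGIN (?P<kind>[A-Z0-9 ]*PRIVATE KEY)-----"
    r".*?(?:-----END (?P=kind)-----|\Z)",
    re.DOTALL,
)

# Constructed draft post; the body lines are placeholders, not key material.
DRAFT = """I opened privatekey.rsa and the content is something like this:

-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERplaceholderPLACEHOLDERplaceholder
.....
-----END RSA PRIVATE KEY-----

What am I supposed to do with it?
"""


def find_private_keys(text: str) -> list:
    """Return the kind of every PEM private key block found in the text."""
    return [m.group("kind") for m in PEM_PRIVATE.finditer(text)]


def redact(text: str) -> str:
    """Replace each whole block, header to footer, with a short marker."""
    return PEM_PRIVATE.sub(lambda m: "[" + m.group("kind") + " removed]", text)


def safe_to_post(text: str) -> bool:
    """A draft is safe only when no private key block, whole or partial, remains."""
    return not find_private_keys(text)
```

Redaction only prevents further exposure; a key that has already been published still has to be replaced, as the reply above says.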

joker197cinque
504 Command not implemented
Posts: 8
Joined: 2011-02-23 16:38

Re: Connect to SFTP server

#9 Post by joker197cinque » 2011-02-28 07:49

botg wrote:
Changing some letters is not enough. You still have published a significant portion of the key, compromising the security of your server.

Thanks for your effort in helping me. Actually, it is not a server on the internet but a local client on which I am testing an FTP demo server.
When we are ready to start, we'll generate a new key pair for the real server exposed on the internet.

Thanks.

adambu
500 Command not understood
Posts: 1
Joined: 2018-02-04 20:07

Re: Connect to SFTP server

#10 Post by adambu » 2018-02-04 20:13

boco wrote:
Nothing will prevent that warning dialog. FileZilla will never blindly trust anything (certificates, server keys, ...) but always ask the user for confirmation.

But... can't you get the private key from somewhere and enter it in FileZilla settings somewhere?

boco
Contributor
Posts: 26938
Joined: 2006-05-01 03:28
Location: Germany

Re: Connect to SFTP server

#11 Post by boco » 2018-02-04 21:11

If you feel the urge to reply to a seven-year-old topic, at least read it. The private key is never handed out by the server (hence the name "private"). If it becomes known publicly, then it is compromised.

[s]All FileZilla stores is the public key (which can only verify authenticity). It might be possible to inject a public key into the trustedcerts.xml (no idea, I'm not the dev), if you know the syntax used. But it is hard to do it automatically.[/s]
Last edited by boco on 2018-02-05 17:13, edited 1 time in total.

botg
Site Admin
Posts: 35563
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Connect to SFTP server

#12 Post by botg » 2018-02-05 08:34

trustedcerts.xml has nothing to do with SFTP keypairs. It's for protocols such as FTP over TLS that use certificates.

Eddiestephenson
500 Command not understood
Posts: 3
Joined: 2018-02-22 13:48
First name: Eddie
Last name: Stephenson

Re: Connect to SFTP server

#13 Post by Eddiestephenson » 2018-02-22 14:17

I also tried to connect to an SFTP server... without any luck...

I want to back up my managed WordPress sites from GoDaddy and download the files to my desktop via FTP.
When I try to connect with FileZilla I get a "Proxy error: 403 Forbidden".

:cry:
