
Re: SFTP and Keys

Posted: 2014-12-22 08:16
by botg
There are two different public key mechanisms used by SFTP: The server's host key and the user's public key.

The first one is used by the client to authenticate the server. When first connecting to an SFTP server, the server sends you its public key and the client displays the fingerprint of this key. It is the responsibility of the user to then compare this fingerprint against the server's fingerprint you obtained from your server administrator over a secure channel (e.g. handed over in person on a piece of paper).
Failure to properly verify the host key leaves you vulnerable to man-in-the-middle attacks.


The user's public key is used by the server to authenticate the user. To do so, the user needs to generate a key pair and have his public key deposited on the server by the server administrator. Naturally the key needs to be given to the administrator over a secure channel. You don't need a key pair in order to authenticate against an SFTP server. SFTP also supports traditional authentication with username and password. Note that in either case, host key verification still needs to be done.
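The host key check described in the post, as an added example (this is not botg's code, nor FileZilla's or OpenSSH's): it parses an OpenSSH-format public key line as a server would present it, derives the fingerprint in the two formats OpenSSH clients display (`SHA256:` plus unpadded base64, or `MD5:` plus colon-separated hex), and compares it with the fingerprint the administrator handed over out of band. The function names (`parse_ssh_public_key`, `verify_host_key`, `build_ed25519_public_key_line`) are assumptions for the example, and the 32 key bytes are constructed, not a real key. A mismatch, or a key whose declared type disagrees with the encoded blob, must be treated as a possible man-in-the-middle and the connection refused.

```python
"""Added example: verifying an SFTP/SSH host-key fingerprint out of band.

Illustrative code only (not from the forum post, FileZilla or OpenSSH).
Key material is constructed; no real key appears here.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_public_key(line: str):
    """Parse one OpenSSH public key line: '<type> <base64 blob> [comment]'.

    Returns (key_type, blob). Raises ValueError on malformed input or when the
    type named on the line disagrees with the type encoded inside the blob,
    which indicates a corrupted or tampered key.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The wire format starts with a length-prefixed type string (RFC 4253).
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    inner_type = blob[4:4 + n].decode("ascii", errors="replace")
    if inner_type != key_type:
        raise ValueError(f"type mismatch: line says {key_type!r}, blob says {inner_type!r}")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint still shown by older clients: 'MD5:' + colon hex."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_host_key(presented_line: str, trusted_fingerprint: str) -> bool:
    """Return True only if the presented key matches the out-of-band fingerprint.

    Accepts the trusted value as 'SHA256:...', 'MD5:xx:xx:...' or bare
    colon-separated hex. Any parse failure counts as a failed verification.
    """
    try:
        _, blob = parse_ssh_public_key(presented_line)
    except (ValueError, struct.error):
        return False
    trusted = trusted_fingerprint.strip()
    if trusted.startswith("SHA256:"):
        computed = sha256_fingerprint(blob)
    else:
        computed = md5_fingerprint(blob)
        if not trusted.startswith("MD5:"):
            trusted = "MD5:" + trusted
        trusted = "MD5:" + trusted[4:].lower()
    return computed == trusted


def build_ed25519_public_key_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build a key line in OpenSSH format from 32 raw bytes (wire format for
    ssh-ed25519: string "ssh-ed25519", string key). Only used here to construct
    sample input; the bytes are not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample "server key": 32 deterministic bytes, not a real key.
SAMPLE_KEY_LINE = build_ed25519_public_key_line(bytes(range(32)))


if __name__ == "__main__":
    key_type, blob = parse_ssh_public_key(SAMPLE_KEY_LINE)
    # Stand-in for the fingerprint the administrator handed over on paper.
    trusted = sha256_fingerprint(blob)
    print("server presented", key_type, trusted)
    print("verified:", verify_host_key(SAMPLE_KEY_LINE, trusted))
    # An interposed host presents its own key, so its fingerprint differs.
    mitm_line = build_ed25519_public_key_line(bytes(32))
    print("MITM key accepted?", verify_host_key(mitm_line, trusted))
```

The comparison is over the whole key blob the server sends in the key-exchange, which is what OpenSSH hashes for the fingerprint it prints; comparing only the first and last few characters by eye, as people often do, leaves room for a lookalike key, so paste the full value.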