Overview
The purpose of this article is to demonstrate public-key authentication in SSH/SFTP. SSH uses public-key cryptography to allow the remote computer to authenticate the user. SSH is typically used to log into a remote machine and execute commands (e.g. logging into a remote Unix machine). It can also be used to transfer files using the SFTP protocol. An SSH client program (e.g. AnyClient) is used to establish connections to an SSH server that accepts remote connections.
Key Authentication
First, a pair of cryptographic keys is generated. The first of these keys is the public key; it resides on the remote server and is used by SSH to authenticate users who hold the matching private key. The private key resides with the user and can be protected by a passphrase. When a user connects to the remote server, both the private key and its passphrase are required in addition to the username/password combination. An SSH server, by default, listens on the standard TCP port 22.
In the following demonstration we are going to use Jscape Secure FTP Server as the remote server and AnyClient as the local client. This is laid out in a series of steps:
Step 1 (Generating a client key)
Go to 'File -> Key Manager'. This will bring up the following screen:
Click on the 'Generate' button. This will bring up the following screen:
'Alias' is simply a name given to the generated key. These names can then be used to assign keys to specific user(s). (The tutorial will show how to do this at a later stage.)
'Period' - The number of days this key is valid.
'Common Name' - The name you wish to assign this key. For a client key this is typically the full name of the user, e.g. John Smith.
'Organizational Unit' - The unit within the user's organization that this key will be used for, e.g. IT.
'Organization' - The user's organization name.
'Locality' - The user's city.
'State/Province' - The user's state or province.
'Country code' - The user's 2-character country code, e.g. US.
Press the 'Ok' button after you have provided all of the above fields. This will bring up the following screen:
'Private key file' - The file you wish to export the private key to. This should be a valid 'PEM' file (e.g. license.pem). SSH authentication at this time only supports 'PEM' file types.
'File password' - The password used to protect the private key. Leave blank for no password.
'Certificate file' - The file you wish to export the certificate to. (This is not a required step.)
'File type' - The format in which you wish to export the certificate.
'Public key file' - The file you wish to export the public key to.
'File type' - The format in which you wish to export the public key.
When the 'Ok' button is pressed the private key file (e.g. license.pem) is generated and saved to the specified location. However, at this stage it cannot be used to connect from a client program: the key first needs to be assigned to user account(s) on the server. The article will demonstrate how to do this next:
Step 2 (Assigning generated keys to a user account)
Go to the 'Users' node under the server node. This will display a 'Users' tab listing the user accounts on this server. Select the account to which you want to assign an authentication key and click the 'Edit' button. This will bring up the following screen:
Select the 'Info' tab as shown above. As you can see in the 'Client keys' section there are two keys available. I created these keys when writing this tutorial. You can select as many keys as you want to assign to the user. Remember that each key will have a separate valid PEM file that resides with the client (the user that connects to the remote server). Click the 'Ok' button to finish and save the assignment of keys.
This finishes the creation and assignment of authentication keys. Next we will show how to actually use this authentication key from a client program (AnyClient).
Start AnyClient on your PC. Go to 'File -> Site Manager'. This will bring up the following screen:
We will need a site to connect to the remote server. Click on the 'New' button on the screen above. This will bring you to the following screen:
I created a site called 'TestSite' with the settings shown.
'Host' - the name of the remote server. Port 22 is used for SSH connections.
'Username' - username of the account on the server.
'Password' - password of the account on the server.
'Connection Type' - Set this to 'SFTP/SSH' for the purposes of this tutorial. This will enable extra authentication options that must be provided before a successful connection can be made:
-) 'Private Key File' - this is the private key file generated from Step 1 above.
-) 'Key Password' - this is the private key file passphrase set in Step 1 above.
-) 'Use public key authentication' - Select this checkbox to use public key authentication.
-) 'Use password authentication' - Select this checkbox to use password enabled authentication.
The last two of the above options depend on the type of authentication the server expects for SFTP/SSH connections. This can be controlled by performing the following steps:
1) Select 'Services' node under Jscape Secure FTP Server.
2) Select SFTP service under the Services tab.
3) Click the 'Edit' button.
This will bring up the following screen:
Note that I used the 'password AND publickey' option for the 'Authentication' category. Hence I need to select both the 'Use public key authentication' and 'Use password authentication' checkboxes on the AnyClient connect option screen (previous screenshot). Click 'Connect' on the AnyClient screen; provided you have completed all steps correctly and supplied the right credentials, AnyClient will forward you to its file transfer interface screen.
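The mechanics behind Step 1 (key pair with a passphrase-protected PEM private key), Step 2 (the public key assigned to the account) and the client's 'Key Password' field, as an added example using Python's 'cryptography' library; this is not AnyClient or Jscape Secure FTP Server code, and the Ed25519 key type, the passphrases and the random challenge nonce are assumptions made for the example.

```python
# Added example (not from the original article): the mechanics behind the
# key-pair, passphrase and assignment steps above, using the 'cryptography' library.
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

def generate_key_pair(passphrase: bytes):
    # Step 1 equivalent: private half as a passphrase-protected PEM file (the
    # 'File password'), public half as an OpenSSH line to assign to the account.
    private_key = ed25519.Ed25519PrivateKey.generate()
    private_pem = private_key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(passphrase))
    public_line = private_key.public_key().public_bytes(
        serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH)
    return private_pem, public_line

def load_private_key(private_pem: bytes, passphrase: bytes):
    # Client side: the 'Key Password' must match or the PEM cannot be decrypted.
    return serialization.load_pem_private_key(private_pem, password=passphrase)

def verify_challenge(public_line: bytes, signature: bytes, challenge: bytes) -> bool:
    # Server side: the assigned public key checks a signature over a fresh
    # challenge; a valid signature proves possession of the matching private key.
    try:
        serialization.load_ssh_public_key(public_line).verify(signature, challenge)
        return True
    except InvalidSignature:
        return False

def demo() -> dict:
    private_pem, public_line = generate_key_pair(b"correct passphrase")
    try:  # a wrong 'Key Password' fails locally, before anything reaches the server
        load_private_key(private_pem, b"wrong passphrase")
        wrong_passphrase_rejected = False
    except ValueError:
        wrong_passphrase_rejected = True
    key = load_private_key(private_pem, b"correct passphrase")
    challenge = os.urandom(32)  # constructed stand-in for the server's nonce
    other_pem, _ = generate_key_pair(b"x")  # a key never assigned to the account
    other_key = load_private_key(other_pem, b"x")
    return {
        "wrong_passphrase_rejected": wrong_passphrase_rejected,
        "assigned_key_accepted": verify_challenge(public_line, key.sign(challenge), challenge),
        "unassigned_key_accepted": verify_challenge(public_line, other_key.sign(challenge), challenge),
    }
```

Only a key whose public half was assigned to the account verifies, which is why an unassigned PEM file, even with the right passphrase, cannot log in.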