Set up and verify the operation of SFTP using public key authentication on clients and servers
- Windows 10 Pro
- Windows Server 2019
- Windows 7
- Windows Server 2012 R2
- 8.1p1 - Beta
※ It works in other versions, but it is unconfirmed
Last time, I set up an SFTP server and confirmed that password authentication can send and receive files. This time, you're using public key authentication to send and receive files using SFTP.
- The client has an OpenSSH client installed
- The server has an OpenSSH server installed
- OpenSSH service is started on the server and port 22 is freed
Create private and public keys on the client
Log in to the client. Private and public keys can also be created on the server side, but the private key will be owned by the client and the public key by the server. Create on the client side.
Start PowerShell with administrative privileges.
Since you create a file, use the cd command to go to any folder and type the following command:
ssh-keygen -t rsa -f id_rsa
The key contains a passphrase (password), so please include it if necessary.
If the key is successfully generated, it will appear as follows, and a public and private key will be created in the folder. "id_rsa" is the private key and "id_rsa.pub" is the public key.
Place a public key on the server
Log in to Windows with an SFTP account for the server.
Please place the created public id_rsa.pub" in the following folder of the server. If you don't have a .ssh folder, create one. Also, change the file authorized_keys "File". (<> part of the user should be replaced with the username you are logged in to with SFTP.)
- C:\Users\< Username>\.ssh
Note that only users with administrators or SFTP users should have access to this file. If other users have access, the SFTP connection will always fail. For example, if a permission has a group of Users or Everyone, it is NG.
In this example, the access rights for the .ssh folder are "Group:SYSTEM", "Group:Administrators", and "User:sftptest". If you cannot remove a permission, disable permission inheritance.
Enable public key authentication on the server
Log in to the server with a user with Administrators permissions and open the following folder:
Since sshd_config file "100 sshd_config_default 000000000000000000000000000000000000000000000000000000000000000000000000000000
Open "Open" in the text editor sshd_config with administrator rights.
To enable public key authentication, change it as follows:
Also, password authentication is enabled by default, so if you want to disable it, change it as follows:
I want to place a public key for each SFTP account, so comment out the following line:
Match Group administrators AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
#Match Group administrators # AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
If you want to specify a root directory for each SFTP account, add the following line: This or not, may change whether it is in "C:\xxxxx" or "/xxxxx" format when specifying a folder path from the client.
Match User <ユーザー名> ChrootDirectory <フォルダパス>
Match User TestUser ChrootDirectory C:\Users\TestUser
After sshd_config the "Update" page, restart the OpenSSH server.
Send and receive files from clients with public key authentication
Place the private key "id_rsa" created before connecting with SFTP in a folder accessible only to users running SFTP. Note that placing it in a folder that other users can access will fail the SFTP connection. In particular, if the folder has permissions for the "Users" and "Everyone" groups, it is NG.
Basically, it is recommended because it automatically refers to the path if you put it in the following folder.
- C:\Users\< Username>\.ssh
The access rights of the client's ".ssh" folder are "Group:SYSTEM", "Group:Administrators", < User:> Logged In User".
If you want to access it via SFTP using a private key, type the <> (replace the part of the command). If you have set up a passphrase, enter the passphrase as well.
sftp -i id_rsa <ユーザー名>@<サーバー名>
If you log in successfully, you will be switched to the display of the logged-in user.
You can also check that you can log in with the dir command.
Now that you .txt file that says "test3", send the file with the put command.
If you look at the server-side C:\Users\sftftest folder, you can .txt the test3 file has been sent.
Try get from the client.
get test3.txt c:\temp\test4.txt
I was able to confirm that I was able to retrieve the file.
You were able to send and receive files using SFTP using public key authentication. By using a public key, the server side will not know the password. You can exchange files more securely than password authentication.