Set up and verify the operation of SFTP using public key authentication on clients and servers


Environment

Windows
  • Windows 10 Pro
  • Windows Server 2019
  • Windows 7
  • Windows Server 2012 R2
OpenSSH
  • 7.7p1
  • 8.1p1 - Beta

※ It probably works in other versions as well, but this is unconfirmed.

Introduction

Last time, I set up an SFTP server and confirmed that files can be sent and received with password authentication. This time, we use public key authentication to send and receive files over SFTP.

Preparation

  • The client has an OpenSSH client installed
  • The server has an OpenSSH server installed
  • The OpenSSH server service is running on the server and port 22 is open in the firewall

Create private and public keys on the client

Log in to the client. The private and public keys could also be generated on the server side, but the private key belongs to the client and only the public key goes to the server, so generate them on the client side. That way the private key never has to be copied anywhere.

Start PowerShell with administrative privileges.


Because files will be created, use the cd command to move to a folder of your choice, then run the following command:

ssh-keygen -t rsa -f id_rsa

You will be prompted for a passphrase (a password that protects the private key). Set one if you need it; it is required every time the private key is used, unless the key is loaded into ssh-agent.


If the key is generated successfully, output like the following appears and a key pair is created in the folder: "id_rsa" is the private key and "id_rsa.pub" is the public key.


Place a public key on the server

Log in to Windows on the server with the SFTP account.

Place the created public key "id_rsa.pub" in the following folder on the server. If the .ssh folder does not exist, create it. Then rename the file to "authorized_keys" (no extension). Replace the <> part with the username you logged in with for SFTP.

  • C:\Users\<Username>\.ssh


Note that only Administrators and the SFTP user itself may have access to this file. If any other user has access, sshd (StrictModes, which is on by default) refuses to use the file and the SFTP connection always fails. For example, a permission entry for the Users or Everyone group is not acceptable.

In this example, the access rights on the .ssh folder are "Group:SYSTEM", "Group:Administrators", and "User:sftptest". If a permission entry cannot be removed, disable permission inheritance on the folder first.
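The same placement and permission fix, done from an elevated PowerShell on the server. This is an added example and not part of the original article; it assumes the SFTP account is "sftptest" and that the client's public key has been copied to C:\temp\id_rsa.pub.

```powershell
# Added example (not from the original article): install a client's public key
# as the per-user authorized_keys file and set the ACL so sshd accepts it.
# Assumptions: SFTP account "sftptest", public key copied to C:\temp\id_rsa.pub.
# Run in an elevated PowerShell on the server.
$User     = 'sftptest'
$PubKey   = 'C:\temp\id_rsa.pub'
$SshDir   = "C:\Users\$User\.ssh"
$AuthKeys = Join-Path $SshDir 'authorized_keys'

# 1. Create .ssh and append the key. -Encoding ascii avoids a UTF-8 BOM or
#    UTF-16 file, which sshd would not parse as a valid key line.
New-Item -ItemType Directory -Path $SshDir -Force | Out-Null
$key = (Get-Content $PubKey -Raw).Trim()
Add-Content -Path $AuthKeys -Value $key -Encoding ascii   # keeps any existing keys

# 2. Lock the ACL down: drop inherited entries, then allow only SYSTEM,
#    Administrators and the account itself. With StrictModes (the default)
#    sshd rejects the file if Users or Everyone can read it.
foreach ($p in $SshDir, $AuthKeys) {
    icacls $p /inheritance:r | Out-Null
    icacls $p /grant:r "SYSTEM:(F)" "BUILTIN\Administrators:(F)" "${User}:(F)" | Out-Null
}

# 3. Verify: fail loudly if a broad group still has access.
$acl   = Get-Acl $AuthKeys
$broad = $acl.Access | Where-Object {
    $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users'
}
if ($broad) { throw "authorized_keys is still readable by: $($broad.IdentityReference -join ', ')" }
$acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The verification step is the part worth keeping around: after any later change to the user profile (new group membership, restored from backup), re-running it tells you immediately whether sshd will still accept the key file.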

Enable public key authentication on the server

Log in to the server with a user that has Administrators permissions and open the following folder:

  • C:\ProgramData\ssh

The sshd_config file in this folder is the server's active configuration (it is generated from sshd_config_default the first time the service starts).


Open sshd_config in a text editor running with administrator rights.

To enable public key authentication, change the following line. The commented line shows the compiled-in default, so public key authentication is actually already on; making it explicit does no harm and documents the intent.

#PubkeyAuthentication yes

↓↓↓

PubkeyAuthentication yes

Password authentication is also enabled by default. If you want to disable it (recommended once key login has been confirmed to work, so you do not lock yourself out), change it as follows:

#PasswordAuthentication yes

↓↓↓

PasswordAuthentication no

On Windows, members of the Administrators group use the shared file C:\ProgramData\ssh\administrators_authorized_keys instead of their own .ssh\authorized_keys. Because I want to place a public key per SFTP account, comment out the following lines (this only affects accounts that are administrators):

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

↓↓↓

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

If you want to set a root directory for each SFTP account, add the following lines. Whether this is set or not changes how a folder path is written from the client: with a chroot, paths are relative to the chroot root and written in "/xxxxx" form; without it, "C:\xxxxx" form is used.

Match User <username>
       ChrootDirectory <folder path>

example

Match User TestUser
       ChrootDirectory C:\Users\TestUser

After updating sshd_config, restart the OpenSSH SSH Server service (service name "sshd") so the new settings take effect.

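The edits in this section, applied as a script so they can be repeated on more than one server. This is an added example and not part of the original article; it assumes the SFTP account is "sftptest" with its chroot at C:\Users\sftptest, and it writes a backup of sshd_config before touching it.

```powershell
# Added example (not from the original article): apply the sshd_config changes
# of this section and restart the service. Assumptions: SFTP account "sftptest",
# chroot C:\Users\sftptest. Run in an elevated PowerShell on the server.
$Cfg    = 'C:\ProgramData\ssh\sshd_config'
$User   = 'sftptest'
$Chroot = "C:\Users\$User"

Copy-Item $Cfg "$Cfg.bak" -Force        # backup to roll back from
$lines = Get-Content $Cfg

# Replace "#Name value" / "Name value" in place, or add the directive.
# A directive placed after a Match block would only apply inside that block,
# so a new directive is inserted before the first Match line.
function Set-SshdOption {
    param([string[]]$Lines, [string]$Name, [string]$Value)
    $out = [System.Collections.Generic.List[string]]$Lines
    $i = 0
    while ($i -lt $out.Count -and $out[$i] -notmatch "^\s*#?\s*$Name\b") { $i++ }
    if ($i -lt $out.Count) {
        $out[$i] = "$Name $Value"
    } else {
        $m = 0
        while ($m -lt $out.Count -and $out[$m] -notmatch '^\s*Match\b') { $m++ }
        $out.Insert($m, "$Name $Value")
    }
    return ,$out.ToArray()
}

$lines = Set-SshdOption $lines 'PubkeyAuthentication'   'yes'
# Only disable passwords after a key login has been tested, or you lock yourself out.
$lines = Set-SshdOption $lines 'PasswordAuthentication' 'no'

# Comment out the administrators block so admins also use per-user authorized_keys.
$lines = $lines | ForEach-Object {
    if ($_ -match '^\s*Match Group administrators' -or
        $_ -match '^\s*AuthorizedKeysFile __PROGRAMDATA__') { "#$_" } else { $_ }
}

# Per-user chroot, added once (Match blocks go at the end of the file).
if (-not ($lines -match "^\s*Match User $User\b")) {
    $lines += "Match User $User", "       ChrootDirectory $Chroot"
}

Set-Content -Path $Cfg -Value $lines -Encoding ascii
Restart-Service sshd
Get-Service sshd | Select-Object Name, Status, StartType
```

If sshd fails to come back after the restart, the Windows event log (Applications and Services Logs > OpenSSH) shows the line sshd rejected; restore from sshd_config.bak and restart again to recover.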

Send and receive files from clients with public key authentication

Before connecting with SFTP, place the private key "id_rsa" created earlier in a folder that only the user running sftp can access. If it is placed where other users can read it, the connection fails: the client refuses the key with "Permissions for 'id_rsa' are too open" and "bad permissions: ignore key". In particular, a folder with permission entries for the "Users" or "Everyone" groups is not acceptable.

The simplest choice is the following folder, because ssh and sftp look there for id_rsa automatically (the -i option then becomes optional):

  • C:\Users\<Username>\.ssh

The access rights on the client's ".ssh" folder are "Group:SYSTEM", "Group:Administrators", and "User:<logged-in user>".
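The client-side steps of this page (key generation from the earlier section and the private key placement and permissions described just above) as one script, run as the user who will use sftp. This is an added example and not part of the original article; the key name, comment and the 4096-bit size are my choices, and ssh-keygen still prompts interactively for the passphrase.

```powershell
# Added example (not from the original article): generate the key pair directly
# in the user's .ssh folder and lock the private key down to the current user.
# Assumptions: key file name id_rsa; run as the user who will run sftp.
$SshDir = Join-Path $env:USERPROFILE '.ssh'
$Key    = Join-Path $SshDir 'id_rsa'
New-Item -ItemType Directory -Path $SshDir -Force | Out-Null

# -b 4096 is stronger than the 2048-bit RSA default of OpenSSH 7.x.
# (-t ed25519 is also accepted by both OpenSSH versions on this page.)
if (-not (Test-Path $Key)) {
    ssh-keygen -t rsa -b 4096 -f $Key -C "$env:USERNAME@$env:COMPUTERNAME"
}

# ssh/sftp ignore a private key that other users can read. Remove inherited
# entries and grant read access to the owner only; nothing else needs it.
icacls $Key /inheritance:r | Out-Null
icacls $Key /grant:r "${env:USERNAME}:(R)" | Out-Null

# Verify: no broad group may appear in the ACL of the private key.
$acl   = Get-Acl $Key
$broad = $acl.Access | Where-Object {
    $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users'
}
if ($broad) { throw "Private key is still readable by: $($broad.IdentityReference -join ', ')" }
$acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# The public half is what goes to the server's authorized_keys.
Get-Content "$Key.pub"
```

Only the .pub file leaves this machine. If the key was generated from an elevated prompt, the file owner is the Administrators group rather than the user; the client accepts that too, but the ACL check above still has to pass.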

To connect over SFTP using the private key, run the following command (replace the <> parts). If you set a passphrase, you will be asked for it as well.

sftp -i id_rsa <username>@<server name>


If the login succeeds, the prompt changes to the sftp> prompt of the logged-in user.


You can also confirm that you are logged in by listing the remote directory with the dir (or ls) command.


Now create a text file test3.txt containing the text "test3" and send it with the put command.

put c:\temp\test3.txt


If you look at the C:\Users\sftptest folder on the server, you can see that the test3.txt file has arrived.


Next, try a get from the client.

get test3.txt c:\temp\test4.txt


I was able to confirm that the file was retrieved.

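The put/get round trip above, run non-interactively from the client with an sftp batch file and checked with a file hash, followed by a check that password logins are really refused. This is an added example and not part of the original article; the account "sftptest", the server name "sftpserver", the C:\temp paths and the test file contents are assumptions.

```powershell
# Added example (not from the original article): scripted put/get round trip
# with verification. Assumptions: account sftptest, server sftpserver, private
# key in $env:USERPROFILE\.ssh\id_rsa, files under C:\temp.
$Target = 'sftptest@sftpserver'
$Key    = Join-Path $env:USERPROFILE '.ssh\id_rsa'
$Src    = 'C:\temp\test3.txt'
$Back   = 'C:\temp\test4.txt'
Set-Content -Path $Src -Value 'test3' -Encoding ascii    # constructed test file

# sftp batch file: one command per line. -b stops at the first failing command
# and returns non-zero. BatchMode=yes forbids prompts, so a passphrase-protected
# key must be loaded into ssh-agent first.
$Batch = 'C:\temp\sftp_batch.txt'
@(
    "put $Src test3.txt",
    "get test3.txt $Back",
    "ls -l"
) | Set-Content -Path $Batch -Encoding ascii

sftp -i $Key -o BatchMode=yes -b $Batch $Target
if ($LASTEXITCODE -ne 0) { throw "sftp failed with exit code $LASTEXITCODE" }

# Verify the round trip byte for byte.
$h1 = (Get-FileHash $Src  -Algorithm SHA256).Hash
$h2 = (Get-FileHash $Back -Algorithm SHA256).Hash
if ($h1 -ne $h2) { throw "Round trip mismatch: $h1 vs $h2" }
"Round trip OK: $h1"

# Check that PasswordAuthentication no took effect: offering only the "none"
# method makes the server list what it still accepts. Expected output is
# "Permission denied (publickey)." with no "password" in the list.
ssh -o PreferredAuthentications=none -o BatchMode=yes $Target
```

The last line is the check worth running after every sshd_config change: if "password" or "keyboard-interactive" still shows up in the refusal message, the server is still accepting passwords and the lockdown has not taken effect.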

Summary

We were able to send and receive files over SFTP using public key authentication. With a public key, the server holds no password at all, only the public half of the key, and the private key never leaves the client, so nothing reusable is sent over the connection. Files can therefore be exchanged more securely than with password authentication.