Set up and verify sftp using public key authentication on clients and servers

Environment

Windows
  • Windows 10 Pro
  • Windows Server 2019
  • Windows 7
  • Windows Server 2012 R2
OpenSSH
  • 7.7p1
  • 8.1p1 - Beta

※ It probably works in other versions as well, but this is unconfirmed.

Introduction

Last time, we set up an SFTP server and verified that files can be sent and received with password authentication. This time, we send and receive files over SFTP using public key authentication.

Prerequisites

  • The client has the OpenSSH client installed.
  • The server has the OpenSSH server installed.
  • The OpenSSH service is running on the server and port 22 is open.

Create a private and public key on the client

Log in to the client. The private and public keys could also be created on the server, but the private key belongs on the client and the public key on the server, so create them on the client side.

Start PowerShell with administrative rights.

Since files will be created, move to any folder with the cd command and then type the following command:

ssh-keygen -t rsa -f id_rsa

You can set a passphrase (password) on the key; set one if necessary.

If the key is generated successfully, the following is displayed and a public key and a private key are created in the folder: "id_rsa" is the private key and "id_rsa.pub" is the public key.

Place a public key on the server

Log in to Windows on the server with the SFTP account.

Place the public key "id_rsa.pub" you created in the following folder on the server. If the .ssh folder does not exist, create it. Also rename the file to authorized_keys. (Replace the <> part with the user name you want to log in with over SFTP.)

  • C:\Users\<Username>\.ssh

Note that only Administrators and the SFTP user may have access to this file. If any other user has access, the SFTP connection always fails. For example, adding the Users or Everyone group to the permissions is not acceptable.

In this example, the permissions on the .ssh folder are "group: SYSTEM", "group: Administrators", and "user: sftptest". If you cannot remove a permission, disable permission inheritance.

Enable public key authentication on the server

Log in to the server with a user who has Administrators permissions and open the following folder:

  • C:\ProgramData\ssh

There is a file called "sshd_config"; copy it and rename the copy to "sshd_config_default" to keep a backup.

Open sshd_config in a text editor started with administrative rights.

To enable public key authentication, change it as follows:

#PubkeyAuthentication yes

↓↓

PubkeyAuthentication yes

Password authentication is also enabled by default, so if you want to disable it, change it as follows:

#PasswordAuthentication yes

↓↓

PasswordAuthentication no

Since I want a separate public key file for each SFTP account, comment out the following lines:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

↓↓

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

After saving sshd_config, restart the OpenSSH Server service.

Send and receive files with public key authentication from the client

Before connecting with SFTP, place the private key "id_rsa" you created in a folder that only the user running SFTP can access. Note that the SFTP connection fails if the key is placed in a folder that other users can access. In particular, a folder with permissions for the Users or Everyone group is not acceptable.

Placing the key in the following folder is recommended, because the client picks it up from that path automatically.

  • C:\Users\<Username>\.ssh

The client's ".ssh" folder has permissions for "Group: SYSTEM", "Group: Administrators", and "User: <Login User>".
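The ACL requirement above applies both to authorized_keys on the server and to id_rsa on the client. As an added example (not code from the original post), the following PowerShell, run from an elevated prompt, removes inherited permissions from a .ssh folder or key file, grants access only to SYSTEM, Administrators and the named account, and then checks that no other principal remains. The path C:\Users\sftptest\.ssh and the account name sftptest are assumptions taken from the article's example; on the client, point it at id_rsa instead of authorized_keys.

```powershell
# Added example: restrict a .ssh folder or key file to SYSTEM, Administrators
# and the key owner, the way sshd on Windows requires. Path and user name are
# assumptions (the article's example account); adjust them for your machine.

function Set-SshKeyAcl {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,   # folder or key file
        [Parameter(Mandatory=$true)] [string] $User    # account that keeps access
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from C:\Users\<name>; inherited Users/Everyone entries are
    # exactly what makes the connection fail.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    # Folders propagate the rules to their contents; files take no inheritance flags.
    $inherit = if ((Get-Item -Path $Path).PSIsContainer) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $User)) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $principal, 'FullControl', $inherit, 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-SshKeyAcl {
    param([string] $Path, [string] $User)
    # A bare local account name appears as COMPUTERNAME\name in the ACL.
    if ($User -notmatch '\\') { $User = "$env:COMPUTERNAME\$User" }
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $User)
    $extra = (Get-Acl -Path $Path).Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value }
    if ($extra) {
        Write-Warning "$Path is also accessible to: $($extra -join ', ')"
        return $false
    }
    return $true
}

$sshDir = 'C:\Users\sftptest\.ssh'   # assumed: the article's example SFTP account
foreach ($item in @($sshDir, (Join-Path -Path $sshDir -ChildPath 'authorized_keys'))) {
    Set-SshKeyAcl  -Path $item -User 'sftptest'
    Test-SshKeyAcl -Path $item -User 'sftptest'   # $true when only the three principals remain
}
```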

To connect with SFTP using the private key, enter the following command (replace the <> parts). If you set a passphrase, enter it as well.

sftp -i id_rsa <username>@<servername>

If the login succeeds, the screen switches to the user's SFTP session.

You can also confirm that you are logged in with the dir command.

Since there is a file called "test3.txt", send it with the put command.

put c:\temp\test3.txt

If you look in the "C:\Users\sftptest" folder on the server, you can see that the test3.txt file has been sent.

Next, try retrieving the file from the client with the get command.

get test3.txt c:\temp\test4.txt

I was able to confirm that the file was retrieved.

Summary

SFTP was able to send and receive files using public key authentication. With public key authentication, no password is ever sent to the server, so files can be exchanged more securely than with password authentication.