Set up and verify SFTP with public key authentication on clients and servers
environment
- Windows
-
- Windows 10 Pro
- Windows Server 2019
- Windows 7
- Windows Server 2012 R2
- OpenSSH
-
- 7.7p1
- 8.1p1 - Beta
※ It works in other versions, but it is unconfirmed
At first
Last time, you set up an SFTP server to verify that password authentication allows you to send and receive files. This time, sftp sends and receives files using public key authentication.
Preparation in advance
- The client has an OpenSSH client installed
- The server has an OpenSSH server installed.
- The server starts the OpenSSH service and the port 22 is freed.
Create private and public keys in the client
Log in to the client. Private and public keys can also be created on the server side, but the private key will be the client and the public key will be held by the server. Create on the client side.
Start PowerShell with administrator rights.
Create a file, go to any folder with the cd command, and type the following command:
ssh-keygen -t rsa -f id_rsa
You can put a passphrase (password) in the key, so please put it if necessary.
If the key is successfully generated, the public and private keys are created in the folder as follows: "id_rsa" is the private key and "id_rsa.pub" is the public key.
Place a public key on the server
Log in to Windows with your SFTP account for the server.
Please place the created public key "id_rsa.pub" in the following folder on the server. 「. if you don't have a "ssh" folder, please create one. Also, change the file name to "authorized_keys". (Replace the <> with the username you log in with SFTP.)
- C:\Users\< username>\.ssh
Note that only users with "administrators" or SFTP users should have access to this file. Sftp connections always fail if other users have access. For example, NG has a group of Users or Everyone appended to the permission.
In this example, ". The access rights of the "ssh" folder are "Group:SYSTEM", "Group: Administrators", and "User: sftptest". If you cannot remove a permission, disable permission inheritance.
Enable public key authentication on the server
Log in to the server with administrators permissions users, and then open the following folders:
- C:\ProgramData\ssh
Since there is a file called "sshd_config", copy it and change the file name to "sshd_config_default" and set up a backup.
Open "sshd_config" in the text editor launched with administrator privileges.
To enable public key authentication, change it as follows:
#PubkeyAuthentication yes
↓↓↓
PubkeyAuthentication yes
Also, password authentication is enabled by default, so if you want to disable it, change it as follows.
#PasswordAuthentication yes
↓↓↓
PasswordAuthentication no
I want to place a public key for each SFTP account, so I'll comment out the following line:
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
↓↓↓
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
If you want to specify the root directory for each SFTP account, add the following line: Depending on whether you specify this or not, when you specify a folder path from the client, it may change to "C:\xxxxx" or "/xxxxx" format.
Match User <ユーザー名>
ChrootDirectory <フォルダパス>
example
Match User TestUser
ChrootDirectory C:\Users\TestUser
After you save sshd_config, restart the OpenSSH server.
Send and receive files from clients with public key authentication
Place the private key "id_rsa" that you created before connecting with SFTP in a folder that is accessible only to the user who is running SFTP. Note that sftp connections will fail if placed in a folder that can be accessed by other users. Especially if the folder has permissions for the Users and Everyone groups, it is NG.
Basically, it is recommended because it will automatically refer to the path if you put it in the following folder.
- C:\Users\< username>\.ssh
Client's ". The access rights of the "ssh" folder are "Group:SYSTEM", "Group: Administrators", "User: < Login user >".
If you want to access sftp using the private key, type the command as follows (replace the <>): If you've set up a passphrase, enter a passphrase as well.
sftp -i id_rsa <ユーザー名>@<サーバー名>
If you log in successfully, you will be switched to the display of the logged-in user.
You can also check that you can log in with the dir command.
Now that you have prepared a file called "test3.txt", send the file with the put command.
put c:\temp\test3.txt
If you look at the server-side C:\Users\sftptest folder, you can see that the test3.txt file is being sent.
Try get from the client.
get test3.txt c:\temp\test4.txt
I was able to confirm that the file was able to be obtained.
Summary
You were able to send and receive files by SFTP using public key authentication. By using a public key, the server side will not be able to know the password. It allows you to exchange files more securely than password authentication.