Set up and verify sftp using public key authentication on clients and servers
- Windows 10 Pro
- Windows Server 2019
- Windows 7
- Windows Server 2012 R2
- 8.1p1 - Beta
※ Works in other versions, but is unconfirmed
Last time, we set up an SFTP server and verified that password authentication can send and receive files. This time, sftp sends and receives files using public key authentication.
- The client has an OpenSSH client installed.
- The server has an OpenSSH server installed
- The server starts the OpenSSH service and the port 22 is released.
Create a private and public key on the client
Log in to the client. The private key and public key can also be created on the server side, but the private key is the client, and the public key will be the server will have it. Create on the client side.
Start PowerShell with administrative rights.
So you're creating a file, go to any folder with the cd command, and then type the following command:
ssh-keygen -t rsa -f id_rsa
You can put a passphrase (password) in the key, so please put it if necessary.
If the key is successfully generated, it appears as follows, creating a public and private key in the folder: "id_rsa" is the private key and "id_rsa.pub" is the public key.
Place a public key on the server
Log in to Windows with an SFTP account for the server.
Place the public key "id_rsa.pub" you created in the following folder on the server: If you don't have the .ssh folder, create one. Also, change the file name to authorized_keys. (Replace the <> part with the user name you want to log in with SFTP)
Note that only users who have access to this file must have "administrators" permission or sFTP users. If other users have access, the SFTP connection always fails. For example, if a group of Users or Everyone is added to an authority, it is NG.
In this example, the permissions of the .ssh folder are "group: SYSTEM", "group:Administrators", and "user:sftptest". If you cannot delete permissions, disable permission inheritance.
Enable public key authentication on the server
Log in to the server with administrators permissions user and open the following folder:
There is a file called "sshd_config", so i copy it and change the file name to "sshd_config_default" and set a backup.
Open sshd_config in a text editor that you started with administrative rights.
To enable public key authentication, change it as follows:
Also, password authentication is enabled by default, so if you want to disable it, change it as follows:
I want to place a public key for each SFTP account, so I'll comment out the following line:
Match Group administrators AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
#Match Group administrators # AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
After you save the sshd_config, restart the OpenSSH server.
Send and receive files with public key authentication from clients
Place the private key "id_rsa" that you created before connecting with SFTP in a folder that is accessible only to users running SFTP. Note that sftp connections will fail if you place them in a folder that other users can access. In particular, if the folder has permissions for the Users and Everyone groups, it is NG.
Basically, it is recommended because it refers to the path automatically when I put it in the following folder.
The client's ".ssh" folder has permissions on "Group:SYSTEM", "Group:Administrators", "User:<Login User>".
If you want to use the private key to access it with SFTP, enter the command as follows (replace the <>portion). If you have set a passphrase, also enter a passphrase.
sftp -i id_rsa <ユーザー名>@<サーバー名>
If the login is successful, it will switch to the user's view.
You can also see that you can log in with the dir command.
Now that you have a file called "test3.txt", send the file with the put command.
If you look at the "C:\Users\sftptest" folder on the server side, you can see that the test3.txt file has been sent.
Try get from the client.
get test3.txt c:\temp\test4.txt
I was able to confirm that i was able to get the file.
SFTP could send and receive files using public key authentication. The use of the public key will not allow the server to know the password. You can exchange files more securely than password authentication.