SSH (Secure Shell) and SFTP (Secure FTP) support a very strong security model that can be used instead of the normal username and password authentication scheme weâve all come to know and love. It uses public key cryptography to create a different, and more secure approach to authenticating your identity and rights to access a server or resource.
In a nutshell, you will generate a public and private key pair. The public key will be placed on the server by your system administrator, giving you access. You will keep the file containing the private key in a safe place. Youâll login by simply by providing that private key file to your SSH or SFTP supporting client.
It really is that simple.
Become a Patron of Ask Leo! and go ad-free!
The private key is just that â private. You may put a password on it, but you donât have to. Without a password, all you need is the file in order to login. Or, to put it more clearly, all anyone needs is that file to login as you. Obviously if you password protect the file, then youâll need both the file, and the password to unlock it. In that case, logging in is very similar to what you do today: specify a user name, and a password to unlock your key file.
Instructions are included here for the following tools, which are known to work with this technique:
SSH Clients | SFTP Clients |
PuTTY SecureCRT |
PSFTP |
Instructions for these tools are not provided here, but they either claim or have been confirmed to have the appropriate support:
SSH Clients | SFTP Clients |
Tera Term Pro | CuteFTP Professional (not Home)WinSCP |
Other tools may also work. The key terminology to look for is âSSHâ or âSFTPâ and âPublic Key Authenticationâ.
Generating Your Keys
In general itâs best to create your own key. That way you control what happens to your private key, and no one else ever has to see it.
PuTTYgen
PuTTY is a free SSH client that includes a tool for generating keys, called PuTTYgen. The tool can also be downloaded separately, but why bother ⊠get the whole thing. PuTTY is my recommended SSH client.
When you run PuTTYgen, youâll get a dialog with a âGenerateâ button on it.
Push the button.
It will ask you to move the mouse around to generate randomness. (Randomness is a key component of public key cryptography). Once thatâs happened enough, you should do the following:
- Specify a passphrase. Technically this is optional, but if you omit the passphrase, then anyone who happens to get ahold of your private key file can login as you. You may have enough security in place where this is not an issue.  If you do specify a passphrase, youâll need to enter it when you login, pretty much as a normal login.
- Press the Save Public Key button to save the public key. IÂ recommend saving as your name â.pubâ. For example I would save âleo.pubâ.
- Press the Save Private Key button to save your private key. This saves the private key in PuTTYâs own format, a â.ppkâ file. So, âname.ppkâ might be appropriate.
- I also recommend hitting the Conversions menu, and then Export Openssh key, and saving that to âname.keyâ. This format will allow you to use your private key with other applications besides PuTTY.
SecureCRT
SecureCRT is a stand-alone SSH client.
To create a public key with SecureCRT, hit the Tools menu, Create Public Key⊠option to begin the wizard.
Select RSA as the key type. Enter (or not) an appropriate passphrase to protect your private key. A default key length of 1024 is sufficient. Allow SecureCRT to save the key, noting the location thereof. It may ask if you want to use this as your global Public Key, and you can safely say âyesâ.
WS_FTP
As far as I can tell, WS_FTP cannot import key pairs for use, or will it export its private key. This means that even if you use one of the other SSH clients and generate key pairs for their use, youâll still need generate a separate key pair for use within WS_FTP. Thatâs not a problem from the servers perspective â you can authenticate with as many different keys as you like.
In WS_FTP, hit Tools, Options, and then click on SSH, Client Keys:
Press Create, and step through the wizard. The key type should be RSA, and the default size of 1024 is sufficient.
Once the key has been created and shows up in the list, click on it, and then click on Export, to export your public key. Send the resulting .pub file to your system administrator.
Once you have your keysâŠ
Send your public key to your system administrator. (Either the â.pubâ file as an attachment, or the text within it, in email.) It will be put in âall the right placesâ to allow you to log in to all the account(s) you might need to.
Keep your private key in a safe place. Youâll need it each time you want to login. If they are lost, you will lose access until the key generation and installation process can be repeated. If they or the computer theyâre on are stolen, tell your system admin immediately.
Using Your Keys â SSH
Once your keys are generated, and the public key installed on the server, youâll need to specify the private key to your SSH client in order to log in.
PuTTY
There are (at least) two approaches to using Public/Private keys with PuTTY. When you fire up PuTTY without any arguments, you get its standard configuration dialog, into which you can enter the name of the server you want to connect to:
On the left hand side is a tree view of various options. Underneath Connection, SSH, click on Auth and the dialog will include a field âPrivate key file for authenticationâ:
Specify the location of the â.ppkâ file that you generated with PuTTYgen. When you connect, if your private key is passphrase protected, youâll be asked for the passphrase.
The other approach, and the one that I use, is to simply create shortcuts for the various servers I connect to regularly, and specify the location of the private key on the command line. For example:
C:pathPUTTY.EXE -i c:otherpathleo.ppk
leo@server.com
That, as a desktop shortcut, or item on a Windows menu, connects to the named server using the specified account name âleoâ, and uses the private key found in âc:otherpathleo.ppkâ to authenticate.
SecureCRT
SecureCRT has several paths to a connection dialog, but weâll use âQuick Connectâ for our example. Press the Quick Connect Icon, and you should get something like this:
Make sure that protocol is set to SSH2, and enter your host and username. In Authentication, UNcheck everything
except PublicKey. Then click on that, and click Properties. You should see this:
Typically you need do nothing, but this dialog specifies the location of your identity file (aka Private Key).
Assuming that your public key has been placed on the server for your account, you should now be able to connect.
Using Your Keys â SFTP
Secure FTP, or FTP, is really just using SSH technology to provide FTP-like functionality. Since itâs using SSH, the keys youâve generated and are using for your SSH authentication work with many SFTP applications as well.
WebDrive
In Webdrive, youâll need to load your private key, and then specify it in the configuration for a specific SFTP connection.
The Certificates tab of Webdriveâs Settings dialog, has a Hostkey Managemet button:
Push that, and youâll get the host key management dialog, and on that youâll find an Import button. Press that to import your public and private keys:
Specify the â.pubâ key for the public key you generated earlier. The private key should also be specified, and would be the â.keyâ file. If you passphrase protected your key file, you can specify that here as well. Give it a recognizable name.
The second step, then, takes us back to the Webdrive main window:
Click on a connection (or create a new one). In the Properties for that connection, on the SFTP tab will be a setting Enable client hostkey support for this site:
Here youâll find a dropdown list of the keys you imported above, and a place to enter the password, if any, to access that key.
Once completed, Webdrive should now be able to connect to your public key authenticated site.
WS_FTP
Having created a key pair already in WS_FTP, using it is simply a matter of defining your connection to use it.
When you create a site, specify its connection type as SFTP/SSH. Specify a user name, but leave your password blank. At the end of the wizard, click on the Advanced button, this will allow you to edit the connection, and is the equivalent to editing an existing connection.
Click on the SSH item on the left, and the dropdown list that results should allow you to select the key pair that you created earlier.
Assuming that the public key you exported and sent to your system administrator has been installed on the server, you should now be able to connect.
psftp
PSFTP is command line FTP program that is distributed with PuTTY. More importantly, it supports public key SFTP by using the â.ppkâ file that you created for PuTTY above. Connecting using a public key is simply a different set of comment line options:
psftp -l username -2 -i keys.ppk
remotehost
-l username specifies your username on the remote host;Â -2 indicates that PSFTP should use SSH protocol version 2;
-i keys.ppk specifies the location of your private key as created with PuTTYgen; remotehost is the name of the remote host youâre connecting to.
It seems as though sftp and ssh CAN NOT BE USED together.
When I invokes sftp (first) the server asks me to authenticate the public key then continues conneting.
Afterwards when I invoke ssh I receive a msg indicating the key is already present and it WILL NOT connect.
Any suggestions
It sounds like a configuration issue on your server side. I regularly do exactly what you describe without problems, on several servers.
Great article! Iâm using FTPShell which requires the private key to be in the PEM format. Can I convert PuttyGenâs PPK output to PEM? If not, there another program that can generate a PEM formatted private key?
PuttyGen allows to export in different formats. Iâve done exactly that.
Using Putty Key Generator, if I choose âSave Private Keyâ, the only âsave asâ file type is ppk.
There are also two Conversion options, âExport OpenSSH Keyâ and âExport ssh.com Keyâ Neither of these options provide a specific file type such as PEM.
How does one generate a PEM formatted private key?
Hi,
Can u Please explain me
how can we use the keygen tool generate the public key authentication in unix so that i need to use that in the java programs
in Clear:
I am generating the key pair using keygen tool in unix and using that keys in java programs where it is failing.
can we use like this?
please clarify
Thanks & Regards
KR
how do i i add the public key on server side. if my machine is server how can i add the public key
Hi,
Do we have any open source to manage keys? Any open source to give certificate of authenticity?
Regards,
Vineet
Hi ive been researching on this topic for 3 days and now that im so close it seems to some what fustrating not to get the sftp server up and running as i would like.
My question is how should i add the public keys to my server? do i just copy and paste the text into the server end
âsecurity certificateâ in the allocated place for public keys and viseversa in the client end for the private keys etc?
please help
thanks
paul
ââBEGIN PGP SIGNED MESSAGEââ
Hash: SHA1
Public keys are placed in the file authorized_keys in the .ssh sub directory of
the accountâs home directory. Itâs definitely a particular format, a single
line:
ssh-rsa TypicallyLongPublicKeyValue
and probably needs a particular permission setting. I typically set the file
and the .ssh directory to be rw and rwx respectively for the owning account
only).
Leo
ââBEGIN PGP SIGNATUREââ
Version: GnuPG v1.4.6 (MingW32)
iD8DBQFGdsMBCMEe9B/8oqERAub9AJsF9n8oP/Hwd2IugrVjruLcaYrWywCeKFe8
ZSAhEqhBqNs8lMYiDLUrQBI=
=0GIJ
ââEND PGP SIGNATUREââ
Thanks for posting this info. This is the first time I have needed to create and use a SSH key. I got everything set up and working well using Putty thanks to you. Much Appreciated!
Hi Guys,
Is there any sftp client that encrypt and decrypt files same as Core FTP Pro.
please help.
i want to use psftp command in script file as i need to get some file for FTP through .PPK file but problem is putty is not able recognise psftp command. i have tried setting path for psftp. what can be the reason ?
A note for anyone who has seen âserver refused our keyâ error: When you try using the key generated with puttygen, make sure to use the OPENSSH format key on the server side. openssh doesnât understand the puttygen format of key.
Alternatively you can generate your key with ssh-keygen. More info here: http://www.walkernews.net/2009/03/22/how-to-fix-server-refused-our-key-error-that-caused-by-putty-generated-rsa-public-key/
Thanks a lot for the writeup⊠I am a beginner to SFTP and I am sure I came out a long way at the end of this doc⊠:)
Regards,
Zach
Hi,
My requirement is to receive files from a unix machhine(SFTP server) to a windows machine.I have already generated the public key and private key using puttygen.
I have generated the keys using a remote logon on the windows.Do the IDâs be same on the Unix and windows box or can I use the login credentials of the unix box in the psftpcommand line prompt.
Regards,
Vamsi
Hi,
I wanted to use SFTP as file transfer protocol using putty. I have created Public as private keys as per the above instruction.
But want to know how to use it?
Is one server will have only one private and public key or more than on keys?
Hi,
I wanted to use SFTP as file transfer protocol using putty. I have created Public as private keys as per the above instruction.
But want to know how to use it?
Is one server will have only one private and public key or more than on keys?
Thank you for this! However, I keep getting the same error: Permission denied (publickey). Any advice? thanks!
Leo, you wrote:
âIt will ask you to move the mouse around to generate randomness. (Randomness is a key component of public key cryptography).
Yes: it certainly is! But IMHO, the âmouse-movementâ algorithms commonly used for generating randomness are way overrated â the user typically responds with quite predictable movements: wide, sweeping motions back and forth, up and down, and/or wide circles. I know: Iâve done it, too. And Iâm never really content with the resulting ârandomness.â
With the advent of services like HotBits (https://www.fourmilab.ch/hotbits), pools of TRUE RANDOM entropy are quite accessible, and I would strongly encourage the use such services â if only more programs would provide an option for the user to specify a source file of trusted entropy!
Some encryption programs â VeraCrypt among others, yay! â already offer an option to further encrypt a target using an additionally specified file, called a âkeyfileâ â an MP3 or WAV file, for example (but neither one a good choice, in my opinion). Needless to say, I avail myself of this option, using large ârandom byteâ keyfiles derived from HotBits (I actually mathematically âcombineâ two separate such files for extra security).
I am totally satisfied with the resultant security. :) :) :)
If you create your own .mp3 or .wav file, it should be quite random. Still, if it uses the ascii value of the media file, it would be extremely difficult to guess which song or clip (and more specifically which portion) you used so Iâd imagine itâs pretty safe.
Leo, you wrote:
âThe public key will be placed on the server by your system administrator, giving you access.â
Could you please elaborate on this? The âsystem administratorâ is often the user himself; what âserverâ does one place the file on, and how does one place it there?
Remember, SSH is all about accessing a (usually Linux) server remotely, typically via the (usually Linux) command line. So, for example, itâs how I access the askleo.com server. So, yes, particularly when youâre doing web hosting on Linux servers and such, there absolutely is an administrator other than yourself. Again depending on your hosting, you may be the administrator, in which case youâll have access to some kind of interface that will allow you to upload the public key.