Secure Shell (SSH) key authentication is a form of remote access control commonly used by file transfer tools and widely deployed by large organizations and cloud data centers. The SSH protocol provides secure remote login, and key authentication relies on an SSH key pair: a private key that stays on the client (and should be protected with a passphrase) and a public key that is installed on the server. The most common form, public key authentication, lets a user on a local machine prove their identity to a remote server without sending a password over the connection.
The MFT edition of Serv-U enables you to use SFTP over SSH2. The Secure Shell (SSH) protocol enables secure system administration and file transfers over insecure networks. SSH key pairs let a client authenticate to the server when connecting over the SFTP protocol. An SSH key generator produces two keys: a private key, which stays on the client and is never sent to the server, and a public key, which is installed on the server and used to verify the client.
You can set up your Transfer Family server to authenticate users with the service-managed authentication method, where user names and SSH public keys are stored within the service. The user's public SSH key is uploaded to the server as a property of that user, and the server uses it in a standard key-based authentication process. Each user can have multiple public SSH keys on file with an individual server, which is what makes key rotation without downtime possible. For the limit on the number of keys that can be stored per user, see the AWS service quotas in the AWS General Reference.
First, retrieve the SSH key that you want to delete by describing the user with the AWS CLI. In the command, replace serverID with the server ID of your Transfer Family server and username with your user name, and note the key ID (SshPublicKeyId) of the old key in the output.
Next, import the new public key for the user. In the command, replace serverID with the server ID of your Transfer Family server, username with your user name, and public-key with the full contents of your new public key file (the key body, not its fingerprint).
Finally, delete the old key. In the command, replace serverID with the server ID of your Transfer Family server, username with your user name, and keyID-from-step-2 with the key ID value that you copied in step 2 of this procedure. Do the import before the delete, and confirm the user can log in with the new key in between, so the user is never left without a valid key.
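The three steps above as one rotation routine. This is an added example, not AWS documentation code: it imports the new key before deleting the old ones, refuses malformed key material before touching the API, and never deletes the key it just imported. The client is injected, so in production you would pass `boto3.client("transfer")`; the `FakeTransferClient` below is a constructed in-memory stand-in that mimics the `describe_user`, `import_ssh_public_key` and `delete_ssh_public_key` method names and response shapes so the example runs offline. The server ID, user name and key bodies are likewise constructed sample values.

```python
"""Rotate a Transfer Family user's SSH public key without locking the user out."""
import base64
import itertools


def validate_public_key_body(body: str) -> str:
    """Reject obviously malformed key material before calling the API.

    Expects '<type> <base64> [comment]' as written by ssh-keygen and returns
    the line with surrounding whitespace removed.
    """
    fields = body.split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    base64.b64decode(fields[1], validate=True)  # raises on corrupt base64
    return body.strip()


def list_key_ids(client, server_id: str, user_name: str) -> list[str]:
    """Step 1: the SshPublicKeyId values currently on file for the user."""
    resp = client.describe_user(ServerId=server_id, UserName=user_name)
    return [k["SshPublicKeyId"] for k in resp["User"].get("SshPublicKeys", [])]


def rotate_user_key(client, server_id: str, user_name: str, new_key_body: str) -> dict:
    """Steps 2 and 3: import the new key, then delete every key that was on file before.

    Order matters: deleting first would leave a window with no valid key.
    Returns the new key's ID and the IDs that were removed.
    """
    body = validate_public_key_body(new_key_body)      # fail before any API call
    old_ids = list_key_ids(client, server_id, user_name)
    resp = client.import_ssh_public_key(
        ServerId=server_id, UserName=user_name, SshPublicKeyBody=body)
    new_id = resp["SshPublicKeyId"]
    removed = []
    for key_id in old_ids:
        if key_id == new_id:   # defensive: never delete the key just imported
            continue
        client.delete_ssh_public_key(
            ServerId=server_id, UserName=user_name, SshPublicKeyId=key_id)
        removed.append(key_id)
    return {"new_key_id": new_id, "removed_key_ids": removed}


class FakeTransferClient:
    """Constructed stand-in for boto3's Transfer client (assumption for this example)."""

    def __init__(self):
        self._keys = {}               # (server_id, user_name) -> list of key dicts
        self._ids = itertools.count(1)

    def import_ssh_public_key(self, ServerId, UserName, SshPublicKeyBody):
        key_id = f"key-{next(self._ids):08x}"
        self._keys.setdefault((ServerId, UserName), []).append(
            {"SshPublicKeyId": key_id, "SshPublicKeyBody": SshPublicKeyBody})
        return {"ServerId": ServerId, "UserName": UserName, "SshPublicKeyId": key_id}

    def describe_user(self, ServerId, UserName):
        return {"ServerId": ServerId,
                "User": {"UserName": UserName,
                         "SshPublicKeys": list(self._keys.get((ServerId, UserName), []))}}

    def delete_ssh_public_key(self, ServerId, UserName, SshPublicKeyId):
        keys = self._keys.get((ServerId, UserName), [])
        keys[:] = [k for k in keys if k["SshPublicKeyId"] != SshPublicKeyId]


if __name__ == "__main__":
    client = FakeTransferClient()                     # constructed sample state
    client.import_ssh_public_key(ServerId="s-0123456789abcdef0", UserName="alice",
                                 SshPublicKeyBody="ssh-ed25519 QUFBQQ== old-laptop")
    print(rotate_user_key(client, "s-0123456789abcdef0", "alice",
                          "ssh-ed25519 QkJCQg== new-laptop"))
```

Against the real service you would test a login with the new key after the import and before the delete; the routine above deliberately leaves that hook out because it cannot be exercised offline.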
If you want to use one key and passphrase for all of your users, you can store the PGP key block information under the secret name aws/transfer/server-id/@pgp-default, where server-id is the ID for your Transfer Family server. This default key is used if there is no key where the user-name matches the user that is executing the workflow.
Alternatively, you can create a key for a specific user. In this case, the format for the secret name is aws/transfer/server-id/user-name, where user-name matches the user that is running the workflow for a Transfer Family server.
If you're creating a default key, that is, a key that can be used by any Transfer Family user, enter aws/transfer/server-id/@pgp-default. Replace server-id with the ID of the server that contains the workflow that has a decrypt step.
If you're creating a key to be used by a specific Transfer Family user, enter aws/transfer/server-id/user-name. Replace server-id with the ID of the server that contains the workflow that has a decrypt step, and replace user-name with the name of the user that's running the workflow. The user-name is stored in the identity provider that the Transfer Family server is using.
The first time a user connects to your SSH or SFTP server, their file transfer client may display an alert or notice indicating that it doesn't recognize the server's fingerprint. What it's actually referring to is the server's SSH/SFTP host key fingerprint, an important security feature that helps users and client applications authenticate SSH/SFTP servers. This post explains how it's used.
Server authentication is a process that allows client applications to validate a server's identity. In other words, it helps a client determine whether it's really connecting to the server it intended to connect to. If the host key the server presents doesn't match what the client has on record, it's possible that the server's host key was simply changed by the admin (a reinstall or a deliberate key rotation). That's not a big problem.
However, it could also mean that someone has carried out a spoofing or man-in-the-middle attack and, therefore, the client is likely on the verge of connecting to a malicious server. Now, THAT is a serious problem.
If a user unknowingly logs in to a malicious server, whoever controls that server can capture the user's password and reuse it to gain access to the legitimate server (public key authentication does not hand over the private key, which is one more reason to prefer it, but the session itself can still be relayed). Secondly, if the unwitting user uploads files to the malicious server, those files will surely fall into the wrong hands. Lastly, if a user downloads files from the server, that user could end up downloading malware.
How do you implement server authentication in SSH/SFTP? In principle it's simple. As a server admin, you can furnish each user a copy of your server's public host key. Public keys are unique to the key pair. Every time a user connects to the server, the server presents its public key and the user can compare it with the local copy. If they match, the user knows they're connecting to the right server.
There is however one problem with this method. Public keys are quite lengthy, so lengthy that it would be impractical for anyone to manually compare two copies. Your server authentication process would be slow and error-prone.
A better way of carrying out server authentication when using SSH/SFTP is by inspecting the public key fingerprint. A fingerprint in this context is a cryptographic hash of the public key: a short value that, in practice, identifies that key uniquely, so comparing fingerprints is as good as comparing the keys themselves. If you're not familiar with how hashes work, I suggest you read the post "Understanding Hashing" first.
The first time a user connects to your SSH/SFTP server, they'll be presented with your server's fingerprint. To verify it, the user can contact you and you can read out your record of the fingerprint. If they match, the user can then store that fingerprint for future login sessions. Most SSH/SFTP clients allow users to save fingerprints.
Once a fingerprint is saved, the client compares the key the server presents against the saved fingerprint for that host every time it connects. If they match, the client knows it's connecting to a server it had already connected to before; if they don't, it warns the user that the key has changed.
It's therefore very important to make sure all fingerprints the client saves have already been manually verified. If you accept a fingerprint without verifying it, especially when connecting to a remote server over an untrusted network, you might end up storing the fingerprint of a malicious server, and the client will then trust that server silently on every later connection.
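The fingerprint computation and the saved-fingerprint check described above, as an added example that is not part of the original post. `fingerprint_sha256` produces the same `SHA256:` value that OpenSSH's `ssh-keygen -lf` prints for a public key file (base64 of the SHA-256 digest of the decoded key blob, padding stripped), and `check_host_key` is the trust-on-first-use decision a client makes: match, mismatch, or unknown host. The ed25519 key material is constructed inline from fixed bytes so the example runs offline; it is not a real server's key, and `make_ed25519_pubkey_line` exists only to build that sample (a real key comes from `ssh-keygen`).

```python
"""SSH host key fingerprints and a trust-on-first-use check."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH public key line from 32 raw bytes (constructed sample key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key type, decoded key blob) from an OpenSSH public key line.

    Rejects lines whose blob does not start with the declared key type; that
    catches copy/paste damage and a blob of a different type than advertised.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    length = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint (colon-separated hex) still shown by some older clients."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_host_key(saved: dict[str, str], host: str, presented_line: str) -> str:
    """Trust-on-first-use decision for one connection.

    saved maps host name -> SHA256 fingerprint recorded after manual verification.
    Returns "match", "MISMATCH" (possible man-in-the-middle or a rotated host key;
    stop and verify out of band) or "unknown" (first contact; verify before saving).
    """
    _, blob = parse_pubkey_line(presented_line)
    fp = fingerprint_sha256(blob)
    if host not in saved:
        return "unknown"
    return "match" if saved[host] == fp else "MISMATCH"


if __name__ == "__main__":
    # Constructed sample: a fixed 32-byte value standing in for a real host key.
    server_key = make_ed25519_pubkey_line(bytes(range(32)), "sftp.example.com host key")
    _, blob = parse_pubkey_line(server_key)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    saved = {"sftp.example.com": fingerprint_sha256(blob)}
    print(check_host_key(saved, "sftp.example.com", server_key))   # match
    impostor = make_ed25519_pubkey_line(bytes(range(1, 33)), "attacker")
    print(check_host_key(saved, "sftp.example.com", impostor))     # MISMATCH
```

The check deliberately returns a distinct "unknown" result rather than auto-saving on first contact, because the whole value of the saved record comes from the out-of-band verification the post describes; a client that silently saves whatever it sees first has no defence against a man-in-the-middle on that first connection.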
What if you're an admin but don't know what your server's fingerprint is? Don't look so surprised. These things happen you know. The quickest way to obtain it is to log in to your SSH/SFTP server from a locally installed client application, i.e. one installed on the same machine as your server. Because the connection never leaves the host, there is no network path on which a man-in-the-middle could sit, so you can be absolutely sure the fingerprint you see is the real one.
If your server runs on Windows or another GUI-based operating system, you can install an SFTP client like AnyClient and connect to the server (again, locally). The client will then show the server's host key fingerprint in its first-connection prompt, and that is the value to record and hand out to users.
In some SFTP servers, you'll have to export the public key in OpenSSH format for this to work. In JSCAPE MFT Server, go to Server > Key Manager > Server Keys. Select the server key, click Export > Public key.
You should get the SSH host key fingerprint along with your credentials from the server administrator. Knowing the host key fingerprint, and thus being able to verify it, is an integral part of securing an SSH connection: it is what prevents man-in-the-middle attacks.
If the administrator cannot give it to you, you can ask anyone else who has physical access to the server or who already knows the host key. There is only one host key, so it is the same for all users. Also note that the host key fingerprint is derived from the public part of the host key only, so it is not secret. What matters is that it reaches you unmodified, so it can be safely sent over an unencrypted but trusted communication channel.
If you have nobody to obtain the fingerprint from, you may need to connect to the server without knowing it. Before connecting for the first time, make sure that your local machine and the line to the server are secure. For example, if you plan to connect to the server from an external site (e.g. from home or from a client's office) but you have physical access to the server site, make the first connection from the server site (e.g. your workplace) and let the client record the fingerprint there.
A special case is getting the host key of a server that you administer yourself but have no direct secure line to. This is common for virtual servers or servers in a cloud. In that case the server provider should have a specific solution, for example a specialized server in the same private network as your server, with publicly known host keys. You can connect to this specialized server and from it securely connect to your server (e.g. using an SSH terminal). As you are connecting within the private network, you can safely trust any host key. Once connected to your server, acquire its host key. With that you can finally connect directly, yet securely, over a public network. Alternatively, the server provider can expose the host key via some administrative interface; for example, see the solutions for Amazon EC2, Google Compute Engine or Microsoft Azure.
SSH authenticates you using public-key cryptography. You create a pair of keys: a private key that resides on your client computer and a public key that is installed on your dropbox server. Both keys have to be in place for your computer to connect to your dropbox: the server challenges the client to prove possession of the private key matching the public key it has on file.
SFTP also protects against password sniffing and man-in-the-middle attacks. It protects the confidentiality and integrity of the data using encryption and message authentication codes, and authenticates both the server (via its host key) and the user (via password or key).