How does SFTP function without a manually generated public/private key pair

Short answer: there is necessarily a public/private key pair on the server. There may be a public/private key pair on the client, but the server may elect to authenticate clients with passwords instead,

SSH is a generic tunnel mechanism, in which some "application data" is transferred. One such application is the "remote shell" which is used to obtain an open "terminal" on a server, in which terminal applications can be run. Another, distinct application is the file transfer protocol known as SFTP. From the SSH point of view, which application is used is irrelevant. This means that any authentication concept applies equally to SSH (the "remote shell" part) and SFTP.

The server MUST have a public/private key pair. That key is used for the tunnel part, so a server will use the same key pair for all applicative protocols. Most Unix-like operating systems (e.g. Linux) create a SSH key pair when first installed, and will use it thereafter. This means that you don't have to "create a key" when you configure your SSH server to also be used as SFTP: the server already has a key.

A client may have a public/private key pair if it wishes to be authenticated based on that key; this is all about client authentication, i.e. about how the server will make sure that it is talking to the right client. Password-based authentication and key-based authentication are the two most common methods (some servers are configured to require both). By definition, only the key-based authentication requires that the client stores and uses a key pair of its own.


It's able to function because the keypair already exists on the server. The SSH server has the keys necessary to protect the information in transit. SSH server will use a public key, that client device uses the public key to encrypt information sent to the server. The server then uses its private key to decrypt that information and process.

See http://www.slashroot.in/secure-shell-how-does-ssh-work


In SSH, you have two sets of key pairs: one for the server and one for the users.

The server key pair is mandatory but it is typically generated during the installation of the server: all you have to do is validate the server public key fingerprint (a simple hash) and, as long as the key is unchanged, your client will silently connect.

The key pair you use for authenticating, however, can be optional (or disallowed) depending on what authentication method you've decided to allow or require on the server.

The Wiki article on SSH has plenty of juicy details but, to summarise, there are 4 supported authentication mechanism:

  • Password requires a username and password combination
  • Public key requires acess to the private part of the public key you use for authentication (typically, you setup the key pair on the client and just update the server configuration with your public key).
  • Keyboard interactive is mostly used for one-time passwords and similar.
  • GSSAPI, a framework used for implementing other authentication scheme, usually to implement single sign-on (most notably Kerberos)

Tags:

Ssh

File Upload

Related

nginx - How to prevent processing requests with undefined server names with HTTPS Is Google Chrome Extension access to SSL certificate validation output possible? Is it possible to use SSH agent for generic data encryption? Can anyone DDOS my server with jmeter? Do they need a powerful server for that? Securing passwords for REST Authentication Heartbleed: Why does the client supply the length of the message at all? How would you know a certificate/private key if you extracted it from RAM? Or would you? Why does my debit card have a stripe AND a chip? Can malware be attached to an image? Why do we trust organizations that certificate ISO 27001? How to prevent popping up a login dialogue using a malicious hotlinked image and HTTP Basic Auth header? When you buy a certificate, does the certificate authority have (a copy of) the private key?

Recent Posts