How to Set Up a Public Key Authentication for SFTP

In this post, we introduce the OpenSSH server and how it works, then walk you through setting up public key authentication for SFTP.

SFTP supports SSH public key authentication for client logins. With this method, users log in to the SFTP service without entering a password, which is why system administrators often use it to automate file transfers.

What is SSH?

The OpenSSH server is simple to install and uses a private and public key pair to authenticate between two hosts. It runs on several platforms, including Linux, Unix-based systems, and even Windows. For secure communications and file transfers, it also provides strong encryption algorithms. The encryption and authentication options protect the confidentiality of your data, at rest or in transit over an unsecured network.

It also comes with port forwarding and tunnelling capabilities that let you reach remote services and resources without exposing them directly. You can also create remote backups and exchange files securely between two hosts. It offers robust security, several authentication options, and other features for secure file transfers and remote access. Additionally, active community support is available via security web forums.

The server daemon and client tools provided by OpenSSH replace legacy technologies by enabling secure, encrypted remote control and file transfer. The open source version of SSH is available as source code and as precompiled binaries under a BSD license. The project team does not offer end-user assistance, but community-based support is offered, on a voluntary basis, via a number of security web forums.

How Does SSH Work?

Here is a quick overview of how the OpenSSH server operates.

First, when a client tries to establish a connection with the OpenSSH server, the server uses one of several authentication techniques to verify the client's identity. It may use public key authentication, password-based authentication, or certificate-based authentication to check the user's identity.

Once the server has verified the client's identity, an encrypted communication channel is established between the server and the client, and what happens next depends on the client tool that connected. If the remote computer connected with the ssh client application, the OpenSSH server starts a remote control session after authentication. Similarly, if the connection was made with SCP, the OpenSSH server daemon starts a secure file transfer between the server and the client after authentication.

The encryption ensures that all your transmissions are protected from tampering and eavesdropping. The next step is setting up a session for the client so that they can execute commands on the server or exchange files. This session also allows clients to perform additional remote management operations.

When the OpenSSH server receives a command, it executes it on the server's operating system. After execution, the server sends the result or output back to the client. Apart from command execution, the server also supports fast file transfers between clients and the server, using several commands that facilitate secure file transfers.

How to Set Up a Public Key Authentication for SFTP

In this section, we show you how to set up a public key authentication for the SFTP server.

Install SSH Server

Before starting, you need to install the SSH package and set up an SFTP server on the server machine. First, install the SSH package using the following command.

					apt install ssh -y

After the SSH package installation, start and enable the SSH service using the following command.

					systemctl start ssh
					systemctl enable ssh

Create an SFTP User

Next, create an SFTP user to connect to the SFTP server. Let’s create a user called user1 using the following command.

					adduser user1

Set the user’s password as shown below.

Next, create some files inside the user’s home directory.

					touch /home/user1/file1.txt
					touch /home/user1/file2.txt

Then, set the proper ownership on both files.

					chown user1:user1 /home/user1/file1.txt
					chown user1:user1 /home/user1/file2.txt

Next, go to the client machine and connect to the SFTP server using the following command.

					sftp user1@your-sftp-ip

After providing the user's password, you see the SFTP shell as shown below.

Next, exit from the SFTP with the following command.

					sftp> exit

As you can see, you currently need to provide the SSH password to connect to the SFTP server.

Create an SSH Key on Client Machine

Next, create an SSH public and private key pair on the client machine. Run the following command to generate the keys.

					ssh-keygen -t rsa

You will see the following screen.

Then, verify the generated keys with the following command.

					ls -l .ssh/

You see the key files in the following output.

					-rw------- 1 root root 0 Jun 1 2022 authorized_keys
					-rw------- 1 root root 2590 Jul 31 13:25 id_rsa
					-rw-r--r-- 1 root root 564 Jul 31 13:25
					-rw------- 1 root root 978 Jul 31 13:24 known_hosts
					-rw-r--r-- 1 root root 142 Jul 31 13:24 known_hosts.old

Copy SSH Key to the SFTP Server

After generating the SSH key pair, copy the SSH public key to the SFTP server. First, go to the SFTP server machine and log in as user1.

					su - user1

Next, create the .ssh directory and set the proper permissions.

					mkdir .ssh
					chmod 700 .ssh

Then, create the authorized keys file and set the proper permissions (the file only needs to be readable and writable by the user).

					touch .ssh/authorized_keys
					chmod 600 .ssh/authorized_keys

Next, run the following command on the client machine to copy the SSH public key to the SFTP server.

					ssh-copy-id user1@your-sftp-ip

After copying the SSH key to the SFTP server, you will see the following screen.

Once you are finished, you can proceed to the next step.

Enable SFTP Key-based Authentication

By default, password-based authentication is enabled on your SSH server. So, you need to make sure key-based authentication is enabled on the SSH server and turn password authentication off.

Go to the SFTP server and edit the SSH main configuration file.

					nano /etc/ssh/sshd_config

Find the following lines and change them so they read as shown (uncomment them if necessary).

					PubkeyAuthentication yes
					AuthorizedKeysFile .ssh/authorized_keys
					PasswordAuthentication no

Save and close the file when you are done. Then restart the SSH service to apply the changes.

					systemctl restart ssh
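The following shell script is an added example and not part of the original post: it checks the two things the steps above configure, the sshd_config keywords and the permissions on .ssh and authorized_keys, before you restart the service. The file paths are parameters, and the script exercises its checks against a constructed sample config and a throwaway directory rather than a live host.

```shell
#!/bin/sh
# Added example (not code from the original post): pre-flight checks for
# what the steps above configure, meant to run on the SFTP server before
# "systemctl restart ssh". Paths are parameters so the functions can be
# exercised on the constructed sample at the bottom; on a real host point
# them at /etc/ssh/sshd_config and /home/user1.

# Print the effective value of KEY in sshd_config FILE. sshd honours the
# first uncommented occurrence and keywords are case-insensitive; lines
# after a "Match" block are conditional, so stop there.
sshd_value() {
    awk -v key="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 when the config enforces key-only logins as intended above.
# An unset keyword keeps the sshd default (yes for both), so a stock
# config with only "#PasswordAuthentication yes" is correctly rejected.
check_sshd_config() {
    rc=0
    pub=$(sshd_value "$1" PubkeyAuthentication)
    pw=$(sshd_value "$1" PasswordAuthentication)
    [ "${pub:-yes}" = "yes" ] || { echo "PubkeyAuthentication is off"; rc=1; }
    [ "${pw:-yes}" = "no" ] || { echo "PasswordAuthentication still on"; rc=1; }
    return $rc
}

# Return 0 when HOME/.ssh is mode 700 and its authorized_keys is 600.
# With StrictModes (the default) sshd ignores a key file that is group
# or world writable, which surfaces as an unexpected password prompt.
check_key_perms() {
    rc=0
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] \
        || { echo "$1/.ssh is not mode 700"; rc=1; }
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ] \
        || { echo "$1/.ssh/authorized_keys is not mode 600"; rc=1; }
    return $rc
}

# Constructed sample: the tutorial's three lines, a stock config with
# everything commented out, and a throwaway home directory.
demo_dir=$(mktemp -d)
printf 'PubkeyAuthentication yes\nAuthorizedKeysFile .ssh/authorized_keys\nPasswordAuthentication no\n' > "$demo_dir/fixed.conf"
printf '#PubkeyAuthentication yes\n#PasswordAuthentication yes\n' > "$demo_dir/stock.conf"
mkdir -m 700 "$demo_dir/.ssh"
touch "$demo_dir/.ssh/authorized_keys" && chmod 600 "$demo_dir/.ssh/authorized_keys"

check_sshd_config "$demo_dir/fixed.conf" && echo "fixed.conf: ok"
check_sshd_config "$demo_dir/stock.conf" || echo "stock.conf: rejected"
check_key_perms "$demo_dir" && echo "key permissions: ok"
```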

Verify SFTP Public Key Authentication

At this point, the SFTP server is configured to accept connections using the public key. Now, it's time to test it. On the client machine, open the FileZilla FTP client and create a new connection. See the following screen.

Provide your SFTP server IP, port, and username, then click on the Connect button. You will be connected to the SFTP server without a password, as shown below.

SFTP also allows you to connect to your SFTP server from the command line without providing a password. To do so, open your terminal and run the following command.

					sftp user1@your-sftp-ip

After successful key-based authentication, you will land in the SFTP shell as shown below.

Now, run the following command to exit from the SFTP shell.

					sftp> exit

Conclusion

In this post, we set up an SFTP server and created an SFTP user. We also created an SSH key pair on the client machine and transferred the public key to the SFTP server for key-based authentication. Then, we verified SFTP public key authentication via the FileZilla FTP client.

SFTP works in a client-server architecture and uses public key authentication to protect data from fraudsters. With SFTP, organizations can securely exchange data between different systems over a reliable network connection. If you are looking for a protocol that maintains the confidentiality of your data during transfers, we recommend SFTP.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
