SFTP Authentication Methods (SSH Keys, Passwords or Host Based)

SFTP Authentication Methods Explained (SSH Keys, Passwords or Host Based). FTP, the File Transfer Protocol, has been the standard for network file transfer for a long time. While convenient and easy to use, FTP servers have serious security weaknesses. In situations that require strict security and access controlled network file transfers, SFTP is the more viable alternative, and organizations use it to achieve secure network data transfers.

Unlike FTP, SFTP (Secure File Transfer Protocol) uses a single channel for both commands and data and fully encrypts the data stream. That makes transfers more secure and allows access control to be enforced.

In this article we look at the SFTP protocol and at the standard authentication methods that can be used with it.

Let’s continue with SFTP Authentication Methods Explained (SSH Keys, Passwords or Host Based). 

Understanding SFTP

To understand SFTP, we first have to understand the Secure Shell Protocol, or SSH. SSH establishes a secure connection to a shell account on a server or remote machine. Significantly, SSH uses public key cryptography to set up a fully secured data stream, which provides reliable user authentication and protected communication between machines. The current iteration, SSH2, is the foundation that SFTP is built on.

SFTP expands on the capabilities of SSH2 to create a method of secure, encrypted file transfer. Because it relies on SSH2 encryption, it has many use cases in organizational IT infrastructures. It provides access controlled and encrypted file transfers between devices. This is crucial because it prevents unauthorized users from accessing files, while still letting you grant specific users access to specific files, purely based on their credentials.

Since it is based on SSH, SFTP is also often expanded as SSH File Transfer Protocol.

The next step in SFTP Authentication Methods Explained (SSH Keys, Passwords or Host Based) is to understand authentication.

Benefits of Authentication

In most network infrastructures, security is of paramount importance. To ensure tight network security, a strong authentication procedure is a must.

In a nutshell, security is the primary benefit of authentication. The goal is to create a barrier at the very outset so that unauthorized users do not get access to any information or devices on the network. Through authentication it is possible to filter out unauthorized traffic straight away, so that only approved users holding valid credentials can reach network resources.

Building on this, a strong authentication protocol offers further utility. One major aspect is access control, which creates an additional hierarchy within the group of authorized users. Not all information on the network needs to be accessible to all users; access control allows the right information to be accessible to the right users. Network administrators sort the information into priority groups and then assign credentials that give each user group access to specific information.

Understanding SSH Key Authentication

SSH and SFTP operate on an authentication model that makes use of public key cryptography. This is a form of asymmetric cryptography that uses two separate keys, a public key and a private key. Each user has a key pair that is unique to that user. The benefit of this approach is not just enhanced security but also better usability through SSO (Single Sign On), as well as passwordless and automated logins from a trusted source.

Authentication Process Flow

First, the user creates the key pair; the two keys are used together as the authentication system. The public key is the one that is sent to the SSH server: when a user is to be given access, the administrator receives that user's public key and, once it is approved, adds it to the server's list of authorized keys. That is the first half of the process.

The private key remains exclusively with the user. In essence, this key acts as the user's proof of identity. For a user to connect via SSH successfully, they must hold the private key that matches the public key stored on the SSH server. Once the private key is matched to the public key, authentication is complete. We can therefore say that the private key establishes identity and, once matched with the public key, allows the authentication process to finish.

To make it easier, think of the public key as a lock or a group of locks that you can put on one or more machines. The private key is the actual key that can open these locks and grant you access to these machines.

Exploring SFTP Authentication Methods

Let us take a look at a few methods of SFTP authentication, explore their pros and cons, and discuss some of the ideal use cases for each.

Password Authentication

Password authentication is the simplest and most common form of SFTP authentication, and it is regularly used in environments that only need basic access control. In this method, the server administrator creates a username and password combination for each user. A user then signs in to the server with their own username and password. If the password matches the one stored for that username, the user is authenticated and given access.

This method has certain advantages. It is the easiest to implement and relatively secure. Passwords can be subject to minimum criteria, including a minimum length and the use of uppercase and lowercase letters, numbers and symbols. They can also be set to expire after a certain period, which encourages users to change them often. Admins can add failsafe measures that block access for a user after a set number of consecutive login attempts with the wrong password.

On the other hand, passwords are vulnerable to brute force attacks and social engineering. Human error often leads to weak passwords, while stringent password policies can be frustrating for users.
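As an added illustration of the lockout policy and the brute force risk described above (example code written for this page, not part of the original article): it replays constructed sshd style log lines under a "lock the account after N consecutive wrong passwords" rule and records what a server enforcing that rule would decide. The log lines are constructed; their format follows the common OpenSSH "Accepted/Failed <method> for <user> from <ip>" style.

```python
import re
from collections import defaultdict

# Constructed sample of sshd authentication log lines (not real data).
SAMPLE_LOG = """\
Jan 10 09:00:01 sftp01 sshd[2201]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jan 10 09:00:03 sftp01 sshd[2201]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jan 10 09:00:09 sftp01 sshd[2204]: Accepted password for alice from 203.0.113.5 port 51002 ssh2
Jan 10 09:01:00 sftp01 sshd[2210]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 09:01:02 sftp01 sshd[2210]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 09:01:04 sftp01 sshd[2210]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 09:01:06 sftp01 sshd[2212]: Accepted password for bob from 198.51.100.7 port 40003 ssh2
Jan 10 09:02:00 sftp01 sshd[2220]: Accepted publickey for carol from 192.0.2.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def evaluate_logins(log_text, max_failures=3):
    """Replay the log under a 'lock the account after N consecutive wrong
    passwords' policy. Returns (locked_users, decisions); decisions lists
    what a server enforcing the policy would have done for each outcome."""
    consecutive = defaultdict(int)
    locked = set()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication outcome line
        user, result, method = m["user"], m["result"], m["method"]
        if user in locked:
            decisions.append((user, "rejected: account locked"))
            continue
        if result == "Failed" and method == "password":
            consecutive[user] += 1
            if consecutive[user] >= max_failures:
                locked.add(user)
                decisions.append((user, "locked"))
        elif result == "Accepted":
            consecutive[user] = 0  # a good login resets the counter
            decisions.append((user, f"accepted via {method}"))
    return locked, decisions
```

Note that the sample log shows bob's fourth attempt being accepted because the logging server was not enforcing a lockout; the replay shows that an enforcing server would have rejected it.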

Keyboard Interactive Authentication

This method is similar to password authentication but provides a more elaborate set of controls. With keyboard interactive authentication, users have to use a physical or virtual keyboard to provide correct responses to an arbitrary number of questions. These can include multiple passwords or other questions about the specific user and their personal attributes.

If you think of authentication in terms of a challenge and response sequence, password authentication provides just a single layer of challenge and response. Keyboard interactive authentication is configured to include multiple challenge and response layers to make the process a bit more secure.

Host Based Authentication

This mode of authentication binds the identity of a user to a particular host machine or IP address. Host names and IP addresses are unique to particular devices, so limiting access to those devices can act as a solid security measure. When combined with a password prompt, it ensures that there is access control at both ends, on the client side as well as on the server side.

Host based authentication starts with a database of known hosts that the administrator creates on the server. This contains the details of the hosts or IP addresses that are allowed to send a connection request. When a request comes in from one of the approved hosts, a challenge and response sequence is initiated with a prompt for username and password. If the host is not known to the server, the request is rejected outright.

Public Key Authentication

This mode of authentication relies on the native authentication mechanism of the SSH protocol. A pair of keys, a public key and a private key, is used for SFTP authentication. Every authorized user generates their own unique key pair. The public key is then installed and configured on the server by the administrator, while the user keeps the private key for use during login.

The private key is normally stored in an SSH client. When the user tries to log in, the server sends encrypted data as a challenge, which the client decrypts and responds to. The advantage of this method is that it is typically more secure than passwords: the keys are not human generated and you do not need to type them, so SSH keys cannot easily be brute forced. The administrator can complement this protection with another layer in the form of a password.

That said, public key authentication is at risk if someone gains unauthorized access to a user's device where the private key is stored.
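The public key that the administrator installs on the server (the list of authorized keys mentioned in the process flow above) is a text file in OpenSSH. As an added example, not code from the original article, here is a small parser for that file: it splits each entry into options, key type and comment (options may carry quoted commas, so a naive split breaks), checks that the declared key type matches the type string embedded at the start of the base64 key blob, and reports whether the entry is pinned to SFTP via OpenSSH's `command="internal-sftp"` option. The key material and file contents are constructed placeholders, not real keys.

```python
import base64
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b  # SSH wire string: 4-byte length + bytes
# Constructed stand-in for an Ed25519 key (not a real key): the blob is the
# type string followed by 32 key bytes, base64 encoded as in authorized_keys.
FAKE_ED25519 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
# Constructed authorized_keys content; the last line is deliberately wrong.
SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-ed25519 {FAKE_ED25519} alice@laptop
restrict,from="192.0.2.0/24,198.51.100.7",command="internal-sftp" ssh-ed25519 {FAKE_ED25519} bob@batch
ssh-rsa {FAKE_ED25519} mismatch@example
"""

def _split_outside_quotes(s, sep):
    """Split s on sep, ignoring separators inside double quotes."""
    parts, cur, inq = [], "", False
    for ch in s:
        inq = (not inq) if ch == '"' else inq
        if ch == sep and not inq:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    return [p for p in parts + [cur] if p]

def parse_authorized_keys(text):
    """Parse options/type/comment per line and check that the declared key
    type matches the type string at the start of the base64 key blob."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_outside_quotes(line, " ") + ["", ""]  # pad short lines
        options = [] if fields[0] in KEY_TYPES else _split_outside_quotes(fields.pop(0), ",")
        ktype, blob, comment = fields[0], fields[1], " ".join(fields[2:]).strip()
        try:
            decoded = base64.b64decode(blob, validate=True)
            n = int.from_bytes(decoded[:4], "big")
            inner = decoded[4:4 + n].decode() if 4 < 4 + n <= len(decoded) else ""
        except ValueError:  # bad base64 or non-UTF-8 type string
            inner = ""
        error = None if inner == ktype else f"bad or mismatched key blob: {ktype!r} vs {inner!r}"
        entries.append({"options": options, "type": ktype, "comment": comment,
                        "sftp_only": 'command="internal-sftp"' in options, "error": error})
    return entries
```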

Kerberos Authentication

If the server supports the Kerberos framework, it is possible to use the GSSAPI authentication method. This is a secure, two way mode of authentication with many advantages over standard authentication techniques. Kerberos authentication can be configured in many different ways; most use cases employ either an SSO (Single Sign On) model or the username, password and domain model.

While Kerberos is only supported on the Windows platform, it’s possible to authenticate clients on a Windows platform to a server based on the UNIX platform using the NTLM feature.

Thank you for reading SFTP Authentication Methods Explained (SSH Keys, Passwords or Host Based). 

SFTP Authentication Methods (SSH Keys, Passwords or Host Based) Conclusion

With a renewed focus on security in recent times, it is even more important to properly secure networks without compromising their functionality. The SFTP protocol gives network admins an intuitive way to configure network security properly and provide access to the right users.

Understanding these different SFTP authentication methods gives you the information and insight you need to figure out how they can be used in specific network environments. 

Depending on your use case and how much security you need for authentication, you should choose one or more of the methods described here to configure SFTP access in your infrastructure. You can always come back later, add layers of protection and use several authentication techniques in tandem to create a more secure environment.


Benjamin Roussey

Benjamin Roussey is from Sacramento, CA but now lives in Arizona. His bachelor’s degree is from CSUS (1999) where he was on a baseball pitching scholarship and he completed 4 years in the US Navy. He has an MBA in Global Management from the Univ. of Phoenix (2006). He has worked everywhere from small businesses to large corporations, and also for public agencies. He has lived in South Korea and Saudi Arabia where he was an ESL instructor. Now he writes professionally for several clients and many of them in the tech community. He knows these topics well. He’s been focused on the tech arena since 2010. Currently he lives in the Phoenix area. He enjoys sports, movies, reading, and current events when he is not working online.
