Why does an SFTP client only need to know the private key, and not require the public key?

Tags: ssh, sftp

When I connect to an SFTP server from a client, I only need to provide the private key to the client software, not the public key. I don't know how this works, because both [1] and [2] require that the client software also know the public key.

My understanding of how SFTP works is:

setup

  • client: generate a private/public key pair.

  • client: send the public key to the server

  • server: add this public key to its authorized keys list

during connection

  • client: tell the server the public key

  • server: check whether the public key is authorized; if not, refuse, otherwise send a random session ID to the client

  • client: use the private key to encode the random session ID and send it to the server

  • server: decode it with the public key and confirm the identity.

In this case, the client requires the public key. However, I didn't provide it, but the SFTP client was still able to connect to the server. So how does this SFTP protocol really work?

[1] http://www.openssh.org/txt/rfc4252.txt

[2] https://www.eldos.com/security/articles/1962.php

macsyz asked Sep 06 '13 21:09
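The "publickey" method that the question's references [1] and [2] describe, as an added example that is not part of the question or of those documents: a simulation in Go of RFC 4252 section 7 using only the standard library's crypto/ed25519. The Server and Client types, the authMessage helper, the user name "alice" and the random session ID are assumptions made for the example. It shows the two points at issue: the client needs no separate public key file because the private key carries the public half, and the server first checks the offered key against its authorized list and then verifies a signature over a message that embeds the session ID, so the private key is never transmitted and a captured signature is useless in any other session.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes b as an SSH "string": uint32 big-endian length, then the bytes (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// authMessage is the data the client signs in the "publickey" method (RFC 4252 section 7):
// session id, SSH_MSG_USERAUTH_REQUEST, user name, service, method, TRUE, key algorithm, key blob.
// Because the session id is inside, a signature is only valid for the session it was made in.
func authMessage(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var m bytes.Buffer
	m.Write(sshString(sessionID))
	m.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	m.Write(sshString([]byte(user)))
	m.Write(sshString([]byte("ssh-connection")))
	m.Write(sshString([]byte("publickey")))
	m.WriteByte(1) // TRUE: a signature follows
	m.Write(sshString([]byte("ssh-ed25519")))
	m.Write(sshString(pub))
	return m.Bytes()
}

// Server keeps each account's authorized public keys (its authorized_keys file)
// and the id of the current session. Assumed type for this example.
type Server struct {
	authorized map[string][]ed25519.PublicKey
	sessionID  []byte
}

// Client holds nothing but the private key. Assumed type for this example.
type Client struct{ priv ed25519.PrivateKey }

// PublicKey is why no separate public key file is needed on the client: an Ed25519
// private key carries its public key (an RSA private key file likewise carries n and e).
func (c Client) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

// Authenticate is the client side: offer the public key and a signature over the
// session-bound message. The private key never leaves the client.
func (c Client) Authenticate(s *Server, user string) bool {
	pub := c.PublicKey()
	sig := ed25519.Sign(c.priv, authMessage(s.sessionID, user, pub))
	return s.VerifyAuth(user, pub, sig)
}

// VerifyAuth is the server side: refuse keys not listed for the account, then check
// the signature with the offered public key (the only key the server ever has).
func (s *Server) VerifyAuth(user string, pub ed25519.PublicKey, sig []byte) bool {
	listed := false
	for _, k := range s.authorized[user] {
		if k.Equal(pub) {
			listed = true
		}
	}
	if !listed {
		return false
	}
	return ed25519.Verify(pub, authMessage(s.sessionID, user, pub), sig)
}

// NewServer starts a session with a fresh random id (real SSH uses the first exchange hash).
func NewServer() *Server {
	id := make([]byte, 32)
	rand.Read(id)
	return &Server{authorized: map[string][]ed25519.PublicKey{}, sessionID: id}
}

// NewClient generates a key pair and keeps only the private key.
func NewClient() Client {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Client{priv: priv}
}

// RunUserAuthDemo exercises three cases: the authorized key is accepted, an unlisted
// key is refused, and a signature captured in one session is rejected by another.
func RunUserAuthDemo() (accepted, unlistedAccepted, replayAccepted bool) {
	alice, mallory := NewClient(), NewClient()
	srv := NewServer()
	srv.authorized["alice"] = append(srv.authorized["alice"], alice.PublicKey()) // the ssh-copy-id step
	accepted = alice.Authenticate(srv, "alice")
	unlistedAccepted = mallory.Authenticate(srv, "alice")
	sig := ed25519.Sign(alice.priv, authMessage(srv.sessionID, "alice", alice.PublicKey()))
	later := NewServer() // same server, new session id
	later.authorized = srv.authorized
	replayAccepted = later.VerifyAuth("alice", alice.PublicKey(), sig)
	return accepted, unlistedAccepted, replayAccepted
}

func main() {
	a, u, r := RunUserAuthDemo()
	fmt.Printf("authorized key accepted: %v\nunlisted key accepted: %v\nreplayed signature accepted: %v\n", a, u, r)
}
```

The step the question's list has backwards is the last one: the server never "decodes" anything with the public key; it verifies a signature the client produced with the private key, and the only key it ever stores or sees is the public one.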


1 Answer

While @Pascal Cuoq's comment is the correct answer, it is only half of the answer. Actually, the client does need a public key, but only the server's public key, and you already have that in your known_hosts file.

If you don't, you are asked to trust the one the server is presenting on your first connection to the server. This is a thing that most people overlook completely. If you are DNS-poisoned (or there is some other form of man-in-the-middle attack ongoing) during the first connection, or don't pay attention to "Server identity has changed" notifications, you are vulnerable to MitM attacks.

Kimvais answered Sep 21 '22 13:09
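The other half of the answer, the server's public key in known_hosts, as an added example in Go that is not the answer's own code: a trust-on-first-use check that records the host key on the first connection, accepts the same key later, and refuses a different key presented under the same host name. It also checks that the server proves possession of the key by signing the key-exchange hash, since a public key on its own can be copied by anyone. The Verdict type, the KnownHosts map, the host name and the exchange hash are constructed for the example; real SSH derives that hash from the key exchange, and OpenSSH fingerprints the full wire-format key blob rather than the raw key bytes used here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Verdict is the client's decision about the host key a server presents (assumed type).
type Verdict int

const (
	Trusted  Verdict = iota // matches the recorded known_hosts entry
	Unknown                 // no entry yet: the first-connection trust decision
	Mismatch                // an entry exists but the key differs: possible MitM
	BadProof                // server did not prove it holds the key it offered
)

func (v Verdict) String() string {
	return [...]string{"trusted", "unknown host", "HOST KEY MISMATCH", "bad proof of possession"}[v]
}

// KnownHosts maps "host:port" to the public key recorded at first contact.
type KnownHosts map[string]ed25519.PublicKey

// Fingerprint renders a key in OpenSSH's SHA256:<unpadded base64> style. OpenSSH hashes
// the wire-format key blob; this example hashes the raw 32 key bytes for brevity.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// CheckHostKey first verifies the server's signature over the exchange hash with the key
// it presented (a copied public key alone proves nothing), then compares that key with the
// recorded one. Only Trusted lets the connection proceed; Unknown means the user must
// decide whether to pin the fingerprint.
func (kh KnownHosts) CheckHostKey(host string, presented ed25519.PublicKey, exchangeHash, sig []byte) Verdict {
	if !ed25519.Verify(presented, exchangeHash, sig) {
		return BadProof
	}
	known, seen := kh[host]
	switch {
	case !seen:
		return Unknown
	case !known.Equal(presented):
		return Mismatch
	}
	return Trusted
}

// hostKey is a server's key pair (assumed helper type).
type hostKey struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newHostKey() hostKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return hostKey{pub, priv}
}

// RunHostKeyDemo walks the situations the answer describes: first connection (nothing
// recorded), a later connection to the same server, a server presenting a different key
// under the same name, and a server offering the genuine public key without its private key.
func RunHostKeyDemo() (first, later, changed, forged Verdict) {
	host := "sftp.example.net:22" // constructed host name
	genuine, impostor := newHostKey(), newHostKey()
	kh := KnownHosts{}
	hash := []byte("constructed key-exchange hash") // real SSH: the exchange hash H from the KEX
	first = kh.CheckHostKey(host, genuine.pub, hash, ed25519.Sign(genuine.priv, hash))
	if first == Unknown {
		kh[host] = genuine.pub // the user accepted the fingerprint shown on first connection
	}
	later = kh.CheckHostKey(host, genuine.pub, hash, ed25519.Sign(genuine.priv, hash))
	changed = kh.CheckHostKey(host, impostor.pub, hash, ed25519.Sign(impostor.priv, hash))
	forged = kh.CheckHostKey(host, genuine.pub, hash, ed25519.Sign(impostor.priv, hash))
	return first, later, changed, forged
}

func main() {
	first, later, changed, forged := RunHostKeyDemo()
	fmt.Println("first connection:", first)
	fmt.Println("later connection:", later)
	fmt.Println("different key, same host name:", changed)
	fmt.Println("genuine key offered without proof:", forged)
	fmt.Println("what a first-connection prompt shows:", Fingerprint(newHostKey().pub))
}
```

The Unknown verdict is the only point where security rests on the user: whatever key is accepted there is pinned, which is exactly the window the answer warns about.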