0 votes
6.4k views
in .NET FTP by (1.3k points)
Hi,
Just to make sure I'm understanding this correctly: the main difference (when doing server validation) between FTPS and SFTP is that the client needs the server's certificate with FTPS but only the public key with SFTP. This public key is derived from a certificate on the server, and needs to be in SSH (or SECSH) format.

I'm connecting to a test server with ServerValidation set to Automatic and by adding a public key file to known hosts as follows: ((SecureFTPConnection)ftpClient).KnownHosts.AddKnownHost(publishConfig.Host, publicKeyFile);

The only way I've managed to successfully connect is with a lot of exporting/converting to get the public key from the certificate (that the server is using), and into the correct format. I'm a bit confused, though, because in your documentation, certificates are really only mentioned under FTPS, but SFTP is only concerned with the server's public key.

I guess my question is, am I on the right track here?
And what exactly is the server's public key in an SFTP context? Should it not be easy to get the public key?

Thanks in advance,
Graeme

3 Answers

0 votes
by (162k points)
Yes, for SFTP you need the server's public key.

A certificate is used for FTPS. It contains a public key, but also contains information linking that public key to a company's details. If the one server supports FTPS and SFTP, it will probably use different public keys for SFTP and the FTPS certificate (but not necessarily).

It is normally easy to get an SFTP server's public key - it is always sent to you when you first connect. If you use a command line tool such as ssh, it will save the server's public key in a known_hosts file. Note however that this isn't really the recommended way of getting it, as the whole point is to have a valid, known public key you compare with the one sent by the server. So normally you should get it directly off the server or from the server admin.
0 votes
by (1.3k points)
Thanks for your prompt reply!

So, just to clarify, the server's public key is not in any way linked to a certificate, although it can be set up to use the same public key for both the server and the certificate?

For testing purposes, then, if the server is local then presumably it's safe to get the public key in the way you described because one knows that it's the correct server, right?

When you say "get it directly off the server", how exactly do I do that? I'm using CompleteFTP as my SFTP server.

Regards
0 votes
by (162k points)
If you are using CompleteFTP it is easy to obtain it via the CompleteFTP manager.

Connect to the server with the manager, and go to the settings. SFTP/SCP -> Advanced SFTP/SCP Settings -> RSA Key (or DSA Key).

The ellipsis (...) allows you to export the public key of the server in 3 different formats.

Note - SFTP servers generally have *two* public keys - an RSA key and a DSA key. You can use either one to connect to the server - it depends what the client specifies. So you may want both.
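The thread above says an SFTP host key is a bare public key, not a certificate, and that it should be obtained from the server admin and compared with what the server sends. The following is an added example, not part of the original posts and not edtFTPnet code: it reads an OpenSSH-format public key line, reports the key type stored in the blob (`ssh-rsa` or `ssh-dss`), and computes the SHA-256 fingerprint used for that comparison. The names `HostKeyCheck`, `Describe`, `ReadString` and `Field` are hypothetical, and the sample key is constructed in code rather than taken from a real server.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class HostKeyCheck
{
    // Reads one SSH wire-format "string": 4-byte big-endian length, then that many bytes.
    static byte[] ReadString(byte[] blob, ref int pos)
    {
        if (blob.Length - pos < 4) throw new FormatException("truncated length");
        int len = (blob[pos] << 24) | (blob[pos + 1] << 16) | (blob[pos + 2] << 8) | blob[pos + 3];
        pos += 4;
        if (len < 0 || len > blob.Length - pos) throw new FormatException("truncated field");
        byte[] field = blob.Skip(pos).Take(len).ToArray();
        pos += len;
        return field;
    }

    // Parses "<type> <base64 blob> [comment]" and returns the key type found inside
    // the blob plus the OpenSSH-style fingerprint (SHA-256 of the blob, unpadded base64).
    public static (string Type, string Fingerprint) Describe(string line)
    {
        string[] parts = line.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length < 2) throw new FormatException("expected '<type> <base64>'");
        byte[] blob = Convert.FromBase64String(parts[1]);
        int pos = 0;
        string inner = Encoding.ASCII.GetString(ReadString(blob, ref pos));
        if (inner != parts[0]) throw new FormatException("type prefix does not match blob");
        using (var sha = SHA256.Create())
            return (inner, "SHA256:" + Convert.ToBase64String(sha.ComputeHash(blob)).TrimEnd('='));
    }

    // Helper for the constructed sample only: length-prefixes one field.
    static byte[] Field(byte[] d) =>
        new[] { (byte)(d.Length >> 24), (byte)(d.Length >> 16), (byte)(d.Length >> 8), (byte)d.Length }.Concat(d).ToArray();
    static void Main()
    {
        // Constructed sample: a well-formed ssh-rsa blob (type, e, n) with a made-up modulus.
        byte[] n = Enumerable.Range(0, 257).Select(i => (byte)(i == 0 ? 0 : 0xC3 ^ i)).ToArray();
        byte[] blob = Field(Encoding.ASCII.GetBytes("ssh-rsa"))
            .Concat(Field(new byte[] { 1, 0, 1 })).Concat(Field(n)).ToArray();
        string exported = "ssh-rsa " + Convert.ToBase64String(blob) + " constructed-example";
        var pinned = Describe(exported);          // stands in for the key obtained from the admin
        blob[blob.Length - 1] ^= 1;               // stands in for a different key offered at connect time
        var offered = Describe("ssh-rsa " + Convert.ToBase64String(blob));
        Console.WriteLine(pinned.Type + " " + pinned.Fingerprint);
        Console.WriteLine(offered.Fingerprint == pinned.Fingerprint ? "match" : "MISMATCH: do not trust this server");
    }
}
```

The blob holds only an algorithm name and key parameters, with no subject, issuer or signature, which is why the key has to be pinned out-of-band rather than validated through a certificate chain.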
