0 votes
4.3k views
in .NET FTP by (540 points)
When I was researching how to programmatically validate server keys I could have sworn I read something that said EDT had a tool to connect directly to the host and retrieve the server public key independent of the actual SFTP connection. I can't seem to find that now. Does such a tool exist? I'm trying to figure out a secure way to validate server keys for connections without involving humans in the loop. We accept data feeds from hundreds of clients, and what we'd like to do is be able to also go to their SFTP server and fetch feeds, since some clients prefer that. We have found, though, that asking clients for IP addresses and keys is problematic, so we'd like to be able to take credentials and hostnames provided to us by the clients and handle everything else on our end for validation.

Thanks,
Kathy

5 Answers

0 votes
by (162k points)
You can do this by setting the server validation to callback, which allows you to intercept the key and add it to a file or wherever.

See http://www.enterprisedt.com/products/ed ... sfile.html
0 votes
by (540 points)
Is this the most secure way to do it? I am currently doing this, but I saw another forum question that stated it would be better to go to the server directly and get the key prior to the first connection. I was thinking of adding a step when the client enters the credential information in our web site to go off and get the server key and add it to our hosts file.

http://www.enterprisedt.com/forums/view ... light=sftp
0 votes
by (162k points)
The most secure way is to distribute the server's public key securely by other means. The public key stored on the client is supposed to match that of the server when you connect to it - so if you connect, and then store the public key to verify subsequent connections, you have only guaranteed that you are connecting to the same server each time - and not that it is the server you expect. This is particularly important if you are connecting over the Internet and have reason to believe the server might be compromised.

Practically, most clients display the public key when it is first encountered and leave it up to the user to decide if the public key should be accepted.
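The callback approach from the first answer, and the distinction the answer above draws between a key stored on first contact and a key distributed by other means, as one added example. This is illustrative Python written for this page, not code from the original thread and not edtFTPnet's API: the `HostKeyStore` class, `validate_host_key` function, host names and keys are all assumed or constructed. The callback a library hands you will have its own signature, but the decision it has to make is the one below: a key already on file must match exactly (a changed key is refused even when trust-on-first-use is enabled), a fingerprint the client supplied out of band (for example on the onboarding web form) is checked next, and only then does trust-on-first-use apply, if you allow it at all.

```python
"""Host-key validation logic for an unattended SFTP fetcher (added example)."""
import base64
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 length prefix + data (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public-key blob an ssh-ed25519 host key is sent as: string "ssh-ed25519" + string key."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


@dataclass
class HostKeyStore:
    """known_hosts-style store plus fingerprints pinned out of band (hypothetical class)."""
    known: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)  # host -> (keytype, blob)
    pinned: Dict[str, str] = field(default_factory=dict)               # host -> fingerprint

    @classmethod
    def from_known_hosts(cls, text: str) -> "HostKeyStore":
        """Parse '<host> <keytype> <base64 blob>' lines; blank and '#' lines are skipped."""
        store = cls()
        for line in text.splitlines():
            parts = line.split()
            if len(parts) < 3 or parts[0].startswith("#"):
                continue
            host, keytype, b64 = parts[:3]
            store.known[host] = (keytype, base64.b64decode(b64))
        return store

    def to_known_hosts(self) -> str:
        """Serialise back to the same line format so the file can be persisted."""
        return "".join(
            f"{host} {keytype} {base64.b64encode(blob).decode('ascii')}\n"
            for host, (keytype, blob) in sorted(self.known.items())
        )


def validate_host_key(store: HostKeyStore, host: str, keytype: str,
                      key_blob: bytes, allow_tofu: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason) for the key the server just presented.

    1. A host already in known_hosts must present the same key; a change is
       refused regardless of allow_tofu (possible MITM or unannounced rotation).
    2. Otherwise a fingerprint pinned out of band must match; on match the key
       is recorded so later connections hit rule 1.
    3. Otherwise accept and record only if trust-on-first-use is allowed.
    """
    fp = fingerprint(key_blob)
    if host in store.known:
        known_type, known_blob = store.known[host]
        if known_type == keytype and known_blob == key_blob:
            return True, f"{host}: key matches known_hosts ({fp})"
        return False, (f"{host}: HOST KEY CHANGED, got {fp}, expected "
                       f"{fingerprint(known_blob)}; refusing")
    if host in store.pinned:
        if store.pinned[host] == fp:
            store.known[host] = (keytype, key_blob)
            return True, f"{host}: key matches fingerprint pinned out of band ({fp})"
        return False, f"{host}: fingerprint {fp} does not match pinned {store.pinned[host]}"
    if allow_tofu:
        store.known[host] = (keytype, key_blob)
        return True, f"{host}: unknown host, trusting on first use ({fp})"
    return False, f"{host}: unknown host and no pinned fingerprint; refusing ({fp})"


# Constructed sample data: not real hosts or keys.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS_TEXT = ("sftp.client-a.example ssh-ed25519 "
                    + base64.b64encode(KEY_A).decode("ascii") + "\n")


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the three paths in order; returns each decision for inspection."""
    store = HostKeyStore.from_known_hosts(KNOWN_HOSTS_TEXT)
    store.pinned["sftp.client-b.example"] = fingerprint(KEY_B)  # supplied on the onboarding form
    return {
        "a_same": validate_host_key(store, "sftp.client-a.example", "ssh-ed25519", KEY_A),
        "a_changed": validate_host_key(store, "sftp.client-a.example", "ssh-ed25519", KEY_B, allow_tofu=True),
        "b_wrong": validate_host_key(store, "sftp.client-b.example", "ssh-ed25519", KEY_A),
        "b_pinned": validate_host_key(store, "sftp.client-b.example", "ssh-ed25519", KEY_B),
        "c_strict": validate_host_key(store, "sftp.client-c.example", "ssh-ed25519", KEY_A),
        "c_tofu": validate_host_key(store, "sftp.client-c.example", "ssh-ed25519", KEY_A, allow_tofu=True),
    }


if __name__ == "__main__":
    for name, (ok, msg) in demo().items():
        print(f"{name:10} {'ACCEPT' if ok else 'REJECT'}  {msg}")
```

The `b_pinned` path is the one that gives an unattended process the assurance the answer above describes: the fingerprint arrives through a channel other than the SFTP connection itself (the client types it into the web form when they enter their credentials), so the first connection is verified against something the server could not have supplied. Fetching the key from the server before the first scheduled run only moves the trust-on-first-use moment earlier; it does not change what is being trusted.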
0 votes
by (540 points)
Unfortunately I can't display it to the user since this is meant to be an automated process run on a scheduler. Thanks for the help though :)

Kathy
0 votes
by (162k points)
Most people in these circumstances will just add the key to known_hosts on the fly, i.e. the first time you connect to a host.
