How to use SFTP (with client validation - public key authentication)

The topic How to use SFTP (with client validation - password authentication) discusses the simplest form of client authentication, via password.

In public key authentication, SSH clients and servers authenticate each other via public/private key pairs. Each must have access to their own private key, and they must have access to each other's public key (unless server validation is disabled).

You should ensure that the server's public keys are loaded by the client as described in How to use SFTP (with server validation - known hosts), or you may want to switch off server validation to get started.

The client's public key must be registered with the SSH server, typically by copying it into the server's authorized_keys file.

The client's private key is loaded via SSHFTPClient's setAuthentication method before calling connect, supplying the full path of the private key file, the SSH username and the passphrase of the private key file:

ftp.setAuthentication("C:\\myhome\\.ssh\\id_rsa", username, passphrase);

Both DSA and RSA keypairs can be used.

There are no formal standards for SSH private key files, however three main formats are in common use. All are supported by edtFTPj/PRO (PuTTY since version 1.5.7).

Private Key Type Start of key
OpenSSH -----BEGIN DSA PRIVATE KEY-----
SSH.com ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
PuTTY PuTTY-User-Key-File-2:>

The format is automatically detected when the file is loaded.

Note that earlier versions of edtFTPj/PRO (prior to 1.5.7) do not support PuTTY keys, but they can be easily converted into SSH.COM or OpenSSH formats via PuTTYgen. The PuTTYgen.exe utility can be freely downloaded from here. It is a simple GUI application that can generate keypairs, and import and export keys in various formats.

On the File menu item, select Load Private Key and load your PuTTY private key file. You can optionally enter your key's passphrase (which is advisable - otherwise the converted key will be saved without a passphrase, which is insecure). Then via Conversions -> Export OpenSSH key you can export your private key to another file in OpenSSH format (similarly for ssh.com format).

The other authentication method, keyboard-interactive authentication, is discussed in How to use SFTP (with client validation - keyboard-interactive authentication).