How to use SFTP (with server validation - public key files)
As discussed in How to use SFTP (with server validation - known hosts), SFTP clients can validate servers by loading a list of approved servers and their public keys, and checking the server key presented during the connection against this list. The list is generally maintained in a file called known_hosts.

In SSHFTPClient, server validation is enabled by default; it must be explicitly disabled as described in How to use SFTP (without server validation).

Server public keys can also be maintained in their own individual key files and used for server validation without adding them to the known_hosts file. The SSHFTPValidator supports explicitly adding server public keys. The addKnownHost method requires the hostname and the public key file, as shown below:

Note that the server may send back an RSA key or a DSA key. If the key file contains a DSA key for the host, and an RSA key is returned, server validation will fail. The server can be forced to send back a particular type of key as described in How to use SFTP (choosing algorithms).

SSH public key files have two standard formats - OpenSSH and SECSH. edtFTPj/PRO supports both these public key formats. Formats can be recognized by their first line as shown in the table below:
Public key type     Start of first line
OpenSSH (DSA)       ssh-dss AAAAB3NzaC1kc3MAA ...
OpenSSH (RSA)       ssh-rsa AAAAB3NzaC1yc2EAA ...
SECSH               ---- BEGIN SSH2 PUBLIC KEY ----
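The following example is added here for illustration and is not code from the edtFTPj/PRO documentation or product. It ties together the two points above: it recognizes the format of a server public key file from its first line (using the prefixes in the table), and it registers that file with the validator via addKnownHost before connecting, so a server that presents a different key (or a key of a different type, e.g. RSA when the file holds DSA) fails validation instead of being accepted. The page only names addKnownHost; the exact signature addKnownHost(String, File) and the getValidator, setRemoteHost, setAuthentication, connect and quit calls are assumptions about the client API, and the hostname, key file path and credentials are placeholders.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

import com.enterprisedt.net.ftp.ssh.SSHFTPClient;
import com.enterprisedt.net.ftp.ssh.SSHFTPValidator;

public class ServerKeyValidationExample {

    /** Format of a server public key file, recognised from its first line. */
    enum KeyFileFormat { OPENSSH_RSA, OPENSSH_DSA, SECSH, UNKNOWN }

    /** Classify a public key file using the first-line prefixes from the table. */
    static KeyFileFormat detectFormat(File keyFile) throws IOException {
        try (BufferedReader in = new BufferedReader(new FileReader(keyFile))) {
            String first = in.readLine();
            if (first == null) {
                return KeyFileFormat.UNKNOWN;          // empty file
            }
            first = first.trim();
            if (first.startsWith("ssh-rsa ")) {
                return KeyFileFormat.OPENSSH_RSA;
            }
            if (first.startsWith("ssh-dss ")) {
                return KeyFileFormat.OPENSSH_DSA;
            }
            if (first.startsWith("---- BEGIN SSH2 PUBLIC KEY ----")) {
                return KeyFileFormat.SECSH;
            }
            return KeyFileFormat.UNKNOWN;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = "sftp.example.com";                 // placeholder hostname
        File keyFile = new File("sftp.example.com.pub");  // placeholder key file path

        // Refuse to proceed with a file the validator could not understand:
        // an unrecognised file would give no protection against a wrong server key.
        KeyFileFormat fmt = detectFormat(keyFile);
        if (fmt == KeyFileFormat.UNKNOWN) {
            throw new IllegalArgumentException("Unrecognised public key format in " + keyFile);
        }
        if (fmt == KeyFileFormat.OPENSSH_DSA) {
            // Validation will fail if the server answers with an RSA key instead;
            // see "How to use SFTP (choosing algorithms)" for forcing the key type.
            System.out.println("Key file holds a DSA key; server must present a DSA key");
        }

        SSHFTPClient ftp = new SSHFTPClient();
        ftp.setRemoteHost(host);

        // Server validation is on by default. Register the expected key for this host
        // explicitly instead of relying on a known_hosts file.
        // Assumed API: getValidator() and addKnownHost(String hostname, File publicKeyFile).
        SSHFTPValidator validator = ftp.getValidator();
        validator.addKnownHost(host, keyFile);

        ftp.setAuthentication("username", "password"); // placeholder credentials

        // connect() performs the key exchange; a key that does not match the
        // registered one causes the connection to be rejected here.
        ftp.connect();
        System.out.println("Connected; server key matched " + keyFile);
        ftp.quit();
    }
}
```

The format check runs before any network activity, so a misconfigured key file is caught at deployment time rather than surfacing as a validation failure against a live server.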
You can convert between OpenSSH and SECSH using OpenSSH's ssh-keygen (which by default generates OpenSSH keys). For example, to convert an OpenSSH public key generated by ssh-keygen to SECSH for use in a commercial SSH server, use:

ssh-keygen -f keyfile -e > keyfile.secsh