Authenticating SSH Key/Certificate

The MFT SSH/SFTP service supports key/certificate authentication. An SSH key is a subset of an X.509 Certificate. Most SSH/SFTP clients use SSH keys and not certificates, so we use the term key authentication when discussing SSH/SFTP.

Prerequisites

SSH key authentication requires the SSH client to be configured with a private key. Because this configuration differs for each SFTP client, it is not described here.

On Linux, you can create an SSH key pair by running the ssh-keygen command. The public and private keys are written to the .ssh sub-directory of the user's home directory. The public key that must be associated with the user generally has the suffix .pub.

Procedure

  1. Configure the SSH Service to support certificate authentication.
    1. Navigate to Administration > System Configuration.
    2. Open the Global SSH Server Settings box.
    3. Set the SSH Client Authentication Method to one of the following options:
      • Key/Certificate Only: SFTP clients must use key authentication
      • Key/Certificate or Password: Platform Server clients can use password or key authentication
      • Key/Certificate and Password: Platform Server clients must use both password and key authentication

      Setting one of these three options prompts the SSH service to request a key from the client.

  2. Restart the SSH service on each Internet Server where the SSH service is enabled.
    1. Navigate to Administration > Transfer Servers > SSH Server > SSH Server Status.
    2. Open the box for the SSH Server Host to restart.
      • Click Stop Server to stop the service.
      • Click Start Server to start the service.

  3. Log on to the Internet Server or Command Center Admin console.
    1. Navigate to Administration > Protocol Keys > Add Public Key.
    2. Set the Public Key Type to SSH Public Key.
    3. Set "Apply Key to" to User.
    4. Select the user to associate with the certificate.
    5. Set Status to Enabled.
    6. Set Description to a unique descriptive value.
    7. Paste the public key into the "Enter the X.509 Certificate in the box below" input field.
      Note: Two formats of SSH keys are supported:
      ---- BEGIN SSH2 PUBLIC KEY ----
      Comment: "ssh-rsa pubkey for 127.0.0.1"
      . . . . . . . . . . . .
      . . . . . . . . . . . .
      . . . . . . . . . . . .
      ---- END SSH2 PUBLIC KEY ----

      Or,

      ssh-rsa
      . . . . . . . . . . . .
      . . . . . . . . . . . .
      . . . . . . . . . . . .
      sshuser@host.name

    8. Click Continue.
      The Add Public Key Confirmation page is displayed.
    9. Review the information and click Continue.
      The key is added to the server and associated with the defined user.
  4. Navigate to Users > Manage Users and select the user that requires certificate authentication.
    1. Set SSH Client Authentication Method to Certificate Only.
    2. Click Update to save the changes.
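The two key formats shown in the note under step 3 are the RFC 4716 "SSH2 PUBLIC KEY" block and the OpenSSH one-line form that ssh-keygen writes to the .pub file mentioned under Prerequisites. The following Python script is an added example, not part of this documentation and not code from the MFT product: it accepts a pasted key in either format, checks that the base64 body decodes to a well-formed SSH wire-format key whose embedded type matches the declared type, and computes the SHA256 fingerprint in the same form that `ssh-keygen -lf` prints, so an administrator can compare it with the fingerprint the user reports before adding the key. The sample key is constructed inside the script from a placeholder modulus and is not a real key pair; the function names are the example's own.

```python
"""Check an SSH public key in either format the Add Public Key page accepts
(RFC 4716 block or OpenSSH one-line) and compute its SHA256 fingerprint."""
import base64
import hashlib
import struct

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"

def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    # RFC 4251 "mpint": big-endian, with a leading 0x00 if the top bit is set
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return _ssh_string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)

def _read_string(blob: bytes, pos: int):
    # Read one length-prefixed field; refuse to run past the end of the blob
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    if pos + 4 + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def build_rsa_blob(e: int, n: int) -> bytes:
    """Encode an RSA public key in SSH wire format (RFC 4253 section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def to_openssh(blob: bytes, comment: str) -> str:
    keytype, _ = _read_string(blob, 0)
    return f"{keytype.decode()} {base64.b64encode(blob).decode()} {comment}"

def to_rfc4716(blob: bytes, comment: str) -> str:
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))  # RFC 4716: max 72 chars/line
    return f'{RFC4716_BEGIN}\nComment: "{comment}"\n{body}\n{RFC4716_END}\n'

def parse_public_key(text: str) -> dict:
    """Return {'type', 'fingerprint', 'comment', 'modulus_bits'} or raise ValueError."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty key text")
    declared, comment = None, ""
    if lines[0] == RFC4716_BEGIN:
        if lines[-1] != RFC4716_END:
            raise ValueError("RFC 4716 block has no END marker")
        # A line containing ':' is a header (base64 never contains ':'); header
        # continuation with a trailing backslash is not handled in this example.
        headers = [ln for ln in lines[1:-1] if ":" in ln]
        b64 = "".join(ln for ln in lines[1:-1] if ":" not in ln)
        for h in headers:
            tag, _, val = h.partition(":")
            if tag.strip().lower() == "comment":
                comment = val.strip().strip('"')
    else:
        if len(lines) != 1:
            raise ValueError("OpenSSH format must be a single line")
        parts = lines[0].split(None, 2)
        if len(parts) < 2:
            raise ValueError("OpenSSH line needs '<type> <base64> [comment]'")
        declared, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except Exception as exc:
        raise ValueError(f"key body is not valid base64: {exc}") from exc
    keytype_raw, pos = _read_string(blob, 0)
    keytype = keytype_raw.decode("ascii", "replace")
    if declared is not None and declared != keytype:
        raise ValueError(f"declared type {declared!r} != encoded type {keytype!r}")
    modulus_bits = None
    if keytype == "ssh-rsa":
        _e, pos = _read_string(blob, pos)
        n_bytes, pos = _read_string(blob, pos)
        if pos != len(blob):
            raise ValueError("trailing bytes after the RSA key fields")
        modulus_bits = int.from_bytes(n_bytes, "big").bit_length()
    # Same form as `ssh-keygen -lf`: "SHA256:" plus the unpadded base64 of the digest
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": keytype, "fingerprint": fingerprint, "comment": comment, "modulus_bits": modulus_bits}

def key_text_is_valid(text: str) -> bool:
    try:
        parse_public_key(text)
        return True
    except ValueError:
        return False

# Constructed sample: e = 65537 with a placeholder modulus. This is NOT a real key pair.
SAMPLE_BLOB = build_rsa_blob(65537, (1 << 2047) | 0x10001)
SAMPLE_OPENSSH = to_openssh(SAMPLE_BLOB, "sshuser@host.name")
SAMPLE_RFC4716 = to_rfc4716(SAMPLE_BLOB, "ssh-rsa pubkey for 127.0.0.1")

if __name__ == "__main__":
    for text in (SAMPLE_OPENSSH, SAMPLE_RFC4716):
        print(parse_public_key(text))
```

Both representations of the same key yield the same fingerprint, which is the value to compare against what the user sees from `ssh-keygen -lf ~/.ssh/id_rsa.pub` on their client. A mismatch between the declared type and the type encoded in the blob, a missing END marker, or a body that is not valid base64 is reported as an error rather than silently accepted. To convert an OpenSSH .pub file into the RFC 4716 block form for pasting, the standard `ssh-keygen -e -m RFC4716 -f ~/.ssh/id_rsa.pub` command can be used.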


Result

When an SFTP client connects to the Internet Server, the Internet Server requests a certificate from the SFTP client and verifies it against the SSH keys added in the previous steps. If a match is found, the logon request succeeds. If no match is found, the logon request fails.