Secure File Transfer Protocol (SFTP) Authentication

Overview

Secure File Transfer Protocol (SFTP) is one of the more secure network protocols when sending files over the internet. Unlike FTP, where files travel over the internet without encryption, SFTP encrypts data in transit.

One aspect of this protocol that makes it so secure is that it uses an SSH public/private key pair or a password to authenticate a client. Authentication prevents unknown or unauthorized clients from connecting to a host or server. Once an SFTP server authenticates a client, the requested files are transferred over the encrypted SSH connection.

What You'll Learn

In this article, you'll learn:

How SFTP Authentication Works

There are two methods of SFTP authentication: password authentication and SSH key authentication. Inbound SFTP connections to an Unqork Environment must use an Amazon Web Services SFTP Gateway and SSH key authentication. But the server you want to connect with might need password authentication too. Outbound SFTP connections can use password or SSH key authentication.

Password authentication is simple to set up. The server administrator creates a username and password for the client connecting to the host or server. The host or server prompts the client to enter the password when they want to connect. As long as the username and password are correct, the client can access the host or server. The primary drawbacks of password authentication are weak passwords and weak password policy enforcement, human error, password expiration, and brute-force attacks.

SSH key authentication offers more security than password authentication. With SSH key authentication, a host or server generates a public/private key pair. Then the administrator assigns the public key to the client and logs the private key in the host or server that transfers the files. When a client requests a file, the host or server authenticates the client by verifying that the public key and the private key belong to the same key pair. If the keys don't match, the client isn't allowed access to the file. Once the host or server authenticates the client, traffic can flow both ways.

Public and private keys are easy to distinguish. Public keys are much shorter than private keys. A public key also begins with its key type (the algorithm it uses), for example ssh-rsa.

Example public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzlT7d5fvbwo1alxI39WZJzCi2xOc4kyX0GrNPOSqVFpJulRr59UTU0eb7+PdZ++rTtxiyUT5KBkJ9fcgtHv/TlFOz7WNpkl9G07hBDUZiwdhF/M1ho72DuGlURwEaSk4P2HCR6HtJ3sG/Xtvd8yZKROln+hde4m7CKffR6JAG14FOFfQqXipWWnOFVgGeXi/bGjNzy2dcXr0JV4JBkgAbJK2LBkXZ3bz2g57ltwOEmO9kmYPscIx8/XPXcKb+cuguxjgvim0gkG6kc7h2fxAfCWY/VKUkuiFwFg4fXRNNBKCZIDocklmRpD2ZUt1ozX3W+g1x3U4+fjbIKxvyayUmplJyS6w3rncaZOyfYM6I2TsVSETAGD5pk7NcYfw/ngAE+sk/sAmxPmX0X0voIdddJxC7MhFCj6U5p48rRqzgSDo0XcqXOrPlh8bvu62PqPxKOpbrqIkGUmrQ3G+HhDXahM5HD8686YFQ0vGYhNqw2lj6WK2Jt+rT/5Zay8Onduc= user@Walter-White-MacBook-Pro.local

Private key headers begin with text that says it's a private key, for example -----BEGIN OPENSSH PRIVATE KEY-----.

Example private key:

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

Never provide your private key to a third party. Store your private key in a secure location with limited access. Treat your private key the same way you treat any of your personal passwords.

If your host or server generates the key pair, you must provide the public key to the client that wants to connect to it. If the host or server you want to connect to generates the key pair, the server administrator must provide you with the public key. In other words, if you make the connection, you generate the key pair, use the private key, and provide the client with the public key. If you receive the connection, the server administrator generates the key pair, uses the private key, and provides you with the public key.
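The key-pair mechanics described above can be seen end to end in a small, self-contained demonstration. The following Go program is an added example written for this article; it is not Unqork's code and not an SFTP implementation. It assumes the key type is ssh-ed25519 (the public-key line format is the same one shown in the example above, just with a different key type), builds and parses a line in that format, checks that the key type inside the base64 blob matches the header, and then shows how the party holding a public key confirms that the other party holds the matching private key: it issues a random challenge and verifies the signature over it. Every key and comment in the program is generated or constructed on the spot.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// readString consumes one SSH length-prefixed string (4-byte big-endian
// length followed by the bytes) from b and returns it with the remainder.
func readString(b []byte) ([]byte, []byte, error) {
	if len(b) < 4 {
		return nil, nil, errors.New("truncated length prefix")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return nil, nil, errors.New("truncated string")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// writeString appends one SSH length-prefixed string to buf.
func writeString(buf *bytes.Buffer, s []byte) {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	buf.Write(l[:])
	buf.Write(s)
}

// ParseAuthorizedKey parses one line in OpenSSH public-key format
// ("ssh-ed25519 <base64 blob> [comment]"). Besides decoding the key it
// checks that the key type embedded in the blob equals the header, which
// catches a line whose header was edited or pasted from the wrong key.
func ParseAuthorizedKey(line string) (ed25519.PublicKey, string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return nil, "", errors.New("expected '<type> <base64> [comment]'")
	}
	keyType, comment := fields[0], strings.Join(fields[2:], " ")
	if keyType != "ssh-ed25519" {
		return nil, "", fmt.Errorf("unsupported key type %q (example handles ssh-ed25519 only)", keyType)
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return nil, "", fmt.Errorf("base64 decode: %w", err)
	}
	embeddedType, rest, err := readString(blob)
	if err != nil {
		return nil, "", err
	}
	if string(embeddedType) != keyType {
		return nil, "", fmt.Errorf("header says %q but blob says %q", keyType, embeddedType)
	}
	keyBytes, rest, err := readString(rest)
	if err != nil {
		return nil, "", err
	}
	if len(rest) != 0 || len(keyBytes) != ed25519.PublicKeySize {
		return nil, "", errors.New("malformed ed25519 public key blob")
	}
	return ed25519.PublicKey(keyBytes), comment, nil
}

// EncodeAuthorizedKey is the inverse: it renders a public key as one line
// suitable for a server's trusted-key list.
func EncodeAuthorizedKey(pub ed25519.PublicKey, comment string) string {
	var buf bytes.Buffer
	writeString(&buf, []byte("ssh-ed25519"))
	writeString(&buf, pub)
	return strings.TrimSpace("ssh-ed25519 " + base64.StdEncoding.EncodeToString(buf.Bytes()) + " " + comment)
}

// NewChallenge is issued by the side holding the public key: a fresh random
// value, so a captured signature cannot be replayed for a later connection.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// SignChallenge is run by the side holding the private key; the signature is
// the proof of possession, and the private key itself is never sent.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Authenticate checks the signature against every trusted key line and
// returns the matching key's comment. Malformed lines are skipped, never
// treated as a match.
func Authenticate(trusted []string, challenge, sig []byte) (string, bool) {
	for _, line := range trusted {
		pub, comment, err := ParseAuthorizedKey(line)
		if err != nil {
			continue
		}
		if ed25519.Verify(pub, challenge, sig) {
			return comment, true
		}
	}
	return "", false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	line := EncodeAuthorizedKey(pub, "user@example-host") // constructed comment
	fmt.Println("trusted-list line:", line)
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	who, ok := Authenticate([]string{line}, challenge, SignChallenge(priv, challenge))
	fmt.Printf("authenticated=%v as %q\n", ok, who)
}
```

The important property to notice is that only the public key is ever given to the other party and only a signature crosses the connection, which is why a leaked public key is harmless while a leaked private key lets anyone impersonate its owner.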

For more information on SFTP Integration with your Unqork application, search for Secure File Transfer Protocol (SFTP) Integration in our In-Product Help.

Troubleshooting SFTP Authentication Issues

Try these actions to troubleshoot SFTP authentication issues:

  • Restart your server.

  • Confirm you are using the correct key. If your error says "Public key does not match private key", then one of the keys is incorrect.

  • Confirm the connection port is correct. SFTP typically uses TCP port 22.

  • Confirm the host or server you are connecting to supports the authentication method you are using. It might require a password, public key, or both.

  • For public key authentication, provide a copy of the public key to the server’s administrator. The server administrator must add the public key to the server's trusted list.

  • If the server administrator created a public key for you, be sure to replace your existing key with the provided public key.
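For the port check in the list above, the quickest confirmation is that something on the port speaks SSH at all: an SSH/SFTP server announces itself with an identification line such as "SSH-2.0-OpenSSH_9.6" before any authentication takes place, so seeing that line proves the host and port are right independently of any key or password problem, and a different banner (for example plain FTP's "220 ...") or no banner points at the wrong port or service. The following Go program is an added example written for this article, not Unqork's code; the host name in main is a placeholder, and the banner strings in its comments are constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
	"time"
)

// ReadSSHBanner reads lines from an open connection until it sees the SSH
// identification string ("SSH-<version>-<software>"). Servers may send a few
// informational lines first, so a bounded number of non-SSH lines is skipped.
func ReadSSHBanner(r io.Reader) (string, error) {
	br := bufio.NewReader(r)
	for i := 0; i < 10; i++ {
		line, err := br.ReadString('\n')
		if err != nil && line == "" {
			return "", fmt.Errorf("no SSH identification string received: %w", err)
		}
		line = strings.TrimRight(line, "\r\n")
		if strings.HasPrefix(line, "SSH-") {
			return line, nil
		}
		if err != nil {
			break
		}
	}
	return "", errors.New("no SSH identification string received; wrong port or service?")
}

// CheckSSHPort opens a TCP connection with a timeout and returns the server's
// identification line. A connect error means nothing is listening (or a
// firewall blocks the port); a banner error means something else is listening.
func CheckSSHPort(host string, port int, timeout time.Duration) (string, error) {
	addr := net.JoinHostPort(host, fmt.Sprint(port))
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return "", fmt.Errorf("connect %s: %w", addr, err)
	}
	defer conn.Close()
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return "", err
	}
	return ReadSSHBanner(conn)
}

func main() {
	// "sftp.example.invalid" is a placeholder; substitute the host you are troubleshooting.
	banner, err := CheckSSHPort("sftp.example.invalid", 22, 5*time.Second)
	if err != nil {
		fmt.Println("check failed:", err)
		return
	}
	fmt.Println("server identification:", banner)
}
```

If the banner appears but authentication still fails, the remaining list items (key mismatch, unsupported authentication method, public key not yet on the server's trusted list) are where to look next.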

If your Unqork Environment can’t make a connection to your desired host or server, you might need to provide Unqork with approximate times that you attempted to connect so Unqork can review access logs.