
Secure File Transfer Protocol (SFTP) Authentication


Secure File Transfer Protocol (SFTP) is one of the more secure network protocols when sending files over the internet. Unlike FTP, where files travel over the internet without encryption, SFTP encrypts data in transit.

This protocol uses an SSH public/private key pair or a password to authenticate clients. Authentication prevents unknown or unauthorized clients from connecting to a host or server. Once an SFTP server authenticates a client, it encrypts and transfers the requested files.

How SFTP Authentication Works

There are two methods of SFTP authentication: password authentication and SSH key authentication. Inbound SFTP connections to an Unqork Environment must use an Amazon Web Services SFTP Gateway and SSH key authentication. However, the server you want to connect to might also require password authentication. Outbound SFTP connections can use password or SSH key authentication.

Password authentication is simple to set up. The server administrator creates a username and password for the client connecting to the host or server. The host or server prompts the client to enter the password when connecting. As long as the username and password are correct, the client can access the host or server. The primary drawbacks of password authentication are weak passwords and inconsistent password policy enforcement, human error, password expiration, and brute-force attacks.

SSH key authentication offers more security than password authentication. With SSH key authentication, a host or server generates a public/private key pair. Then the administrator assigns the public key to the client and stores the private key on the host or server that transfers the files. When a client requests a file, the host or server authenticates by verifying that the public key matches the private key. If the keys don't match, the client can't access the file. Once the host or server authenticates the client, traffic can flow both ways.

Public and private keys are easy to distinguish: public keys are much shorter than private keys. A public key also begins with its key type, for example, ssh-rsa.

Example Public Key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzlT7d5fvbwo1alxI39WZJzCi2xOc4kyX0GrNPOSqVFpJulRr59UTU0eb7+PdZ++rTtxiyUT5KBkJ9fcgtHv/TlFOz7WNpkl9G07hBDUZiwdhF/M1ho72DuGlURwEaSk4P2HCR6HtJ3sG/Xtvd8yZKROln+hde4m7CKffR6JAG14FOFfQqXipWWnOFVgGeXi/bGjNzy2dcXr0JV4JBkgAbJK2LBkXZ3bz2g57ltwOEmO9kmYPscIx8/XPXcKb+cuguxjgvim0gkG6kc7h2fxAfCWY/VKUkuiFwFg4fXRNNBKCZIDocklmRpD2ZUt1ozX3W+g1x3U4+fjbIKxvyayUmplJyS6w3rncaZOyfYM6I2TsVSETAGD5pk7NcYfw/ngAE+sk/sAmxPmX0X0voIdddJxC7MhFCj6U5p48rRqzgSDo0XcqXOrPlh8bvu62PqPxKOpbrqIkGUmrQ3G+HhDXahM5HD8686YFQ0vGYhNqw2lj6WK2Jt+rT/5Zay8Onduc= user@Walter-White-MacBook-Pro.local

Private key headers state that the key is a private key, for example, -----BEGIN OPENSSH PRIVATE KEY-----.

Example Private Key:

-----BEGIN OPENSSH PRIVATE KEY-----
…
-----END OPENSSH PRIVATE KEY-----

Never provide your private key to a third party. Store it in a secure location with limited access and treat it like any personal password.

If your host or server generates the key pair, you must provide the public key to the client connecting to it. If the host or server you want to connect to generates the key pair, the server administrator must provide you with the public key. In other words, if you make the connection, you generate the key pair, use the private key, and provide the client with the public key. If you receive the connection, the server administrator generates the key pair, uses the private key, and provides you with the public key.

For more information about SFTP Integration with your Unqork application, search for Secure File Transfer Protocol (SFTP) Integration in our In-Product Help.

Considerations

Currently, SFTP services configured in Services Administration only support specific private key formats.

Supported Formats

  • PKCS#1 encrypted (`-----BEGIN RSA PRIVATE KEY-----` with `Proc-Type: 4,ENCRYPTED`)

  • PKCS#1 unencrypted (`-----BEGIN RSA PRIVATE KEY-----`)

  • OpenSSH encrypted (`-----BEGIN OPENSSH PRIVATE KEY-----`)

  • OpenSSH unencrypted (`-----BEGIN OPENSSH PRIVATE KEY-----`)

Unsupported Formats

  • PKCS#8 encrypted (`-----BEGIN ENCRYPTED PRIVATE KEY-----`)

  • PKCS#8 unencrypted (`-----BEGIN PRIVATE KEY-----`)
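The two format checks this page describes, as an added example that is not Unqork's own code: `classify_private_key` names a private key's format exactly as the Supported and Unsupported lists above do and reports whether it is supported, reading the cipher and KDF names from the openssh-key-v1 header to tell an encrypted OpenSSH key from an unencrypted one; `public_key_type` verifies that a public key line's leading type (such as ssh-rsa, as under Example Public Key) agrees with the type embedded in its base64 body. The sample keys are constructed header-only stubs, not real key material.

```python
import base64
import struct

# Constructed samples (not real keys): only the header fields the checks read exist.
CONSTRUCTED_PUBLIC_KEY = "ssh-rsa %s user@example" % base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x01\x00").decode()

def constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build the header of an openssh-key-v1 blob and wrap it in PEM armour."""
    blob = b"openssh-key-v1\x00"
    for field in (cipher, kdf, b""):           # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(field)) + field
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

def _read_ssh_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one uint32-length-prefixed string from SSH wire-format data."""
    (length,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def public_key_type(line: str) -> str:
    """Return a public key line's type after checking the text prefix against the type
    string embedded at the start of the base64 blob (the first wire-format field)."""
    prefix, b64 = line.split()[:2]             # ValueError if the line is malformed
    embedded, _ = _read_ssh_string(base64.b64decode(b64), 0)
    if embedded.decode() != prefix:
        raise ValueError(f"prefix {prefix} does not match embedded type {embedded!r}")
    return prefix

def classify_private_key(pem: str) -> tuple[str, bool]:
    """Name the private key format as the page lists it; True means Unqork supports it."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    header = lines[0] if lines else ""
    if header == "-----BEGIN RSA PRIVATE KEY-----":
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        return ("PKCS#1 encrypted" if encrypted else "PKCS#1 unencrypted"), True
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("body is not an openssh-key-v1 blob")
        cipher, off = _read_ssh_string(blob, len(magic))
        kdf, _ = _read_ssh_string(blob, off)
        encrypted = cipher != b"none" or kdf != b"none"
        return ("OpenSSH encrypted" if encrypted else "OpenSSH unencrypted"), True
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "PKCS#8 encrypted", False
    if header == "-----BEGIN PRIVATE KEY-----":
        return "PKCS#8 unencrypted", False
    raise ValueError(f"unrecognised private key header: {header!r}")
```

A key that classifies as PKCS#8 must be converted to one of the supported formats before it is uploaded to Services Administration.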

Troubleshooting SFTP Authentication Issues

Try these actions to troubleshoot SFTP authentication issues:

  • Restart your server.

  • Confirm you are using the correct key. If your error says Public key does not match private key, then one of the keys is incorrect.

  • Confirm the connection port is correct. SFTP uses port 22 by default.

  • Confirm the host or server you are connecting to supports the authentication method you are using. The host or server might require a password, public key, or both.

  • For public key authentication, provide a copy of the public key to the server's administrator. The server administrator must add the public key to the server's trusted list.

  • If the server administrator created a public key for you, replace your existing key with the provided public key.

If your Unqork Environment can't connect to your desired host or server, you might need to provide Unqork with the approximate times when you tried to connect so Unqork can review access logs.