Setting Up SFTP Public Key Authentication On The Command Line

SFTP Public Key Authentication enhances security by allowing users to access SFTP services without passwords, favoring automated transfers. The setup process involves creating a .ssh directory, generating a key pair with ssh-keygen, securing permissions, and copying the public key to the server, ensuring a secure connection without the need for passwords.

Overview

SFTP provides an alternative method for SSH client authentication. It's called SFTP public key authentication. This method allows users to log in to your SFTP service without using password authentication and is often employed for file transfer automation. In this post, we'll walk you through the process of setting up this kind of authentication on the command line. It's easier to do this on a GUI-based interface, but if you prefer to do things on the terminal, this post is for you.

Note: SFTP (through SSH) is usually installed on Linux distros, so we'll be using Linux for both the (SFTP) server and client machines in this tutorial.

1. Create The .ssh Directory

The first thing you'll want to do is create a .ssh directory on your client machine. This directory should be created inside your user account's home directory. Log in to your client machine and go to your home directory.

Just enter: cd ~

You should now be inside your home directory.

You can use ls -a to list all the files and folders in your home directory, including hidden ones.

To add the .ssh directory, just enter: mkdir .ssh

So now, when we list all the files in our home directory, we can already see the .ssh directory.

You'll want to make sure only the owner of this account can access this directory.

To do that, change the user permissions of the directory by running: chmod 700 .ssh

2. Run ssh-keygen

Next, we must populate our .ssh directory with the public/private key pair we'll use for our SFTP key authentication. Run the ssh-keygen command: ssh-keygen

Immediately after running the ssh-keygen command, you'll be asked to enter a couple of values, including:

  • The file in which to save the private key (normally id_rsa). Just press Enter to accept the default value.
  • The passphrase: This phrase functions just like a password (except that it's supposed to be much longer) and is used to protect your private key file. You'll need it later, so ensure it's a phrase you can easily recall.

Once you've entered the passphrase twice, ssh-keygen will generate your private (id_rsa) and public (id_rsa.pub) key files and place them into your .ssh directory. You'll also be shown the key fingerprint that represents this particular key.

To verify that the files were created successfully and placed in your .ssh directory, go to your .ssh directory and list the files.

You can inspect the contents of both the SFTP private key file (id_rsa) and the SFTP public key file (id_rsa.pub), for example with the less command.

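Again, we'd like to make sure only the owner can read, write, and execute these files. So, from inside the .ssh directory, run the chmod command again to assign the appropriate permissions: chmod 700 ./id_rsa*

The pattern id_rsa* matches both id_rsa and id_rsa.pub, whereas id_rsa.* would match only the public key file. Key files do not need the execute bit, and ssh-keygen already creates the private key readable and writable by its owner only, so chmod 600 is also sufficient for id_rsa.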

Now that we have a .ssh directory in our client machine (populated with the SSH key pair), we must create a corresponding .ssh directory on the server side.

3. Create .ssh Directory On SFTP Server

Log in to your SFTP server via SSH. We assume you already have a user account on your SFTP server and the service is already up and running. Don't worry too much if you encounter a notification saying, "The authenticity of the host ... can't be established ... Are you sure you want to continue connecting?" Barring any issues, SSH just informs you that a trust relationship between your server and your SFTP client has not yet been established. Before you answer, compare the key fingerprint shown in the prompt with the server's host key fingerprint, which your server administrator can provide. If they match, type 'yes,' hit [enter], and enter your password.

Once you have an SFTP connection, navigate to your user account's home directory (on the server) and (just like in your client machine) create a .ssh directory.

Assign the required permissions for this directory by running: chmod 700 .ssh

Next, navigate to your newly created .ssh directory and create a file called authorized_keys. This file will hold the contents of your SSH public key.

Here, we create this file by using the touch command: touch authorized_keys

Yes, you need to run chmod on this file too: chmod 700 authorized_keys

When you're done, exit your SSH session.

4. Run ssh-copy-id

Now it's time to copy the contents of your SFTP public key to the authorized_keys file. The easiest way to do this would be to run the ssh-copy-id command. The ssh-copy-id program is usually included when you install ssh. The syntax is:

ssh-copy-id -i id_rsa.pub user@remoteserver

where user is just the username used earlier and remoteserver is just the IP address/hostname of your SFTP/SSH server.

You'll then be asked to enter your account's password. This is the same password you used to log in via SSH earlier.

5. Log In With SFTP SSH Key-Based Authentication

To verify that everything went well, ssh again to your SFTP server. This time, you'll be asked to enter the passphrase instead of the password.

Navigate to your .ssh directory and view the contents of the authorized_keys file. It should contain exactly the same characters as your SFTP public key file.

Exit your SSH session yet again, and then log back in via SFTP with key authentication.

Note: If you haven't assigned any passphrase when you created your pair of keys using ssh-keygen, you would have been able to log in directly, without being asked for a passphrase.

That's it. Now you can set up SFTP with public key cryptography using the command line.
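
The permission and key-installation checks from steps 1 to 5 can be scripted. The following is an added example, not code from the original post; the function names, the throwaway directory and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The sample key below is constructed.

# go_bits PATH: print the six group/other permission characters, e.g. "------".
go_bits() { ls -ld "$1" | cut -c5-10; }

# audit_ssh_dir DIR: report anything group/other can touch. Returns 1 on findings.
audit_ssh_dir() {
    rc=0
    for f in "$1" "$1/id_rsa" "$1/authorized_keys"; do
        [ -e "$f" ] || continue   # client has id_rsa, server has authorized_keys
        if [ "$(go_bits "$f")" != "------" ]; then
            echo "LOOSE $(ls -ld "$f" | cut -c1-10) $f"
            rc=1
        fi
    done
    return "$rc"
}

# key_installed PUBFILE AUTHFILE: succeed if the key blob (second field of the
# .pub line) appears in authorized_keys, whatever options or comment surround it.
key_installed() {
    blob=$(awk '{print $2; exit}' "$1")
    [ -n "$blob" ] && grep -qF -- "$blob" "$2"
}

# Demo on a throwaway directory laid out like the tutorial's ~/.ssh
# (client and server files are placed side by side for brevity).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    echo "constructed-private-key-placeholder" > "$d/.ssh/id_rsa"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDSAMPLE user@client" > "$d/.ssh/id_rsa.pub"
    cp "$d/.ssh/id_rsa.pub" "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/id_rsa" "$d/.ssh/authorized_keys"
    audit_ssh_dir "$d/.ssh" && echo "permissions OK"
    chmod 644 "$d/.ssh/id_rsa"    # simulate a key copied with loose modes
    audit_ssh_dir "$d/.ssh" || echo "tighten with chmod as in steps 1-3"
    key_installed "$d/.ssh/id_rsa.pub" "$d/.ssh/authorized_keys" && echo "key installed"
    rm -rf "$d"
}
demo
```

On a real machine, call audit_ssh_dir "$HOME/.ssh" on the client and on the server, and key_installed with your id_rsa.pub and a copy of the server's authorized_keys.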

Did you know there's actually an easier way to do this? The article, 2 Ways to Generate an SFTP Private Key, will show you some GUI-based methods that arrive at the same result.
