
I am still learning about SSH, SFTP and private/public keys. My elementary understanding of keys is that the private key should remain on the machine it was generated on and never be shared.

I have a Lightsail instance that I would like to allow others to access using SFTP. The only way to do this is to download the key pair from the AWS account and use that file in the SFTP application (FileZilla in this case). If I want to provide SFTP access to these users I have to give them the server's private key file.

I'm not sure I understand how this is a secure way of giving SFTP access to the server if the private key is never supposed to leave the server. I can't easily revoke access because I would have to generate a new key pair on a new instance to do that and then share the new private key with all users for which I did not want to revoke access.

Can someone explain to me how this method is secure? Or maybe explain what I'm not understanding about how private/public keys work? Is this the appropriate method to give easily revoked SFTP access? If not, what is the appropriate method?

kmgardner
  • Possibly a duplicate of https://security.stackexchange.com/questions/221236/why-aws-distributes-private-key-to-address-authentication-problem?rq=1 – Dijkgraaf Aug 03 '21 at 22:43

1 Answer


It's almost certainly not the server's private key, but rather a user private key that AWS is, for some reason, generating for you. In this case, the server already knows the public portion of the key pair you download, but not the private portion, however you need the private key in order to prove ownership of the public key.

The usual approach (as seen on sites like Github) is to allow the user to upload their own public key (either from a key pair generated anew for this purpose, or one they already have around), which the web app then injects into the server's authorized_keys file. This requires some basic SSH skills, of course, but so does using SFTP at all, and it's very unlikely anybody will have access to an sftp client but not to ssh-keygen. I don't know why AWS isn't following this pattern. You're quite right that what they're doing is a violation of the usual expectations around private keys!

You almost certainly don't want to share the same key pair with multiple people, as this means you would all appear as the same user to the server and it would be impossible to revoke access from just one person. You might have AWS create many such key pairs, and distribute one each to multiple parties, but then you as the distributor could have copied each private key, and also you have to transfer the private keys between your machine and the other users' machines.

Instead, if you can, what you should do is use the downloaded key pair to SSH/SFTP into the server, and then replace the authorized_keys file (or at least its contents) with one containing your own public key (and that of whoever else you want to grant access to that machine account). Then you can delete the downloaded key pair (which should be considered compromised, since another party has seen the private key) and go on using your usual key pair for SSH (or a new one, if you generated a new one for this purpose). You can also manually add other public keys (either your own or belonging to others) later, if you want to, and/or remove them.

CBHacking
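The procedure in the answer (install one public key per person, drop the provider-generated key once your own is in place, revoke a single person by deleting only their line) comes down to editing the account's authorized_keys file. Below is an added example that does exactly that bookkeeping; it is not code from the question, the answer, AWS or OpenSSH. Each person would run `ssh-keygen -t ed25519 -C name@machine` on their own machine and send you only the `.pub` file; you would fetch the current authorized_keys over SFTP with the downloaded key, transform it with these functions, upload it back, and confirm in a second session that your own key logs in before deleting the downloaded key. The keys in the example are constructed placeholders (fixed bytes packed in the Ed25519 wire format) that match no private key; `restrict` is a real authorized_keys option that disables forwarding and PTY allocation for that key, used here only to show where per-key options go.

```python
"""Per-person key management for an OpenSSH authorized_keys file.

Example written for this page, not AWS's or OpenSSH's code. Public keys below are
constructed placeholders (deterministic bytes in the Ed25519 wire format), so the
lines are syntactically valid but correspond to no private key.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a line in the format ssh-keygen writes to id_ed25519.pub.
    raw32 stands in for the 32-byte public key (placeholder bytes in this example)."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split an authorized_keys line into options, key type, blob and comment.
    Blank and '#' lines give None. Options containing quoted spaces are re-joined
    with single spaces, which is good enough for typical files."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            return {"options": " ".join(fields[:i]), "type": field,
                    "blob": fields[i + 1], "comment": " ".join(fields[i + 2:])}
    raise ValueError(f"not an authorized_keys entry: {stripped[:40]!r}")


def parse(text: str) -> List[Dict[str, str]]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def render(entries: List[Dict[str, str]]) -> str:
    lines = [" ".join(p for p in (e["options"], e["type"], e["blob"], e["comment"]) if p)
             for e in entries]
    return "\n".join(lines) + ("\n" if lines else "")


def add_key(text: str, pubkey_line: str, options: str = "") -> str:
    """Append one person's .pub line, optionally with options such as `restrict`.
    The same key is never added twice, so re-running is safe."""
    entry = parse_line(pubkey_line)
    if entry is None or entry["options"]:
        raise ValueError("expected a bare public-key line from a .pub file")
    entries = parse(text)
    new_fp = fingerprint(entry["blob"])
    if any(fingerprint(e["blob"]) == new_fp for e in entries):
        return text
    entry["options"] = options
    return render(entries + [entry])


def revoke(text: str, fp: str) -> str:
    """Remove every entry with fingerprint `fp`. Refuses to empty the file: an empty
    authorized_keys locks everyone (including you) out of the account."""
    entries = parse(text)
    kept = [e for e in entries if fingerprint(e["blob"]) != fp]
    if len(kept) == len(entries):
        raise KeyError(f"no key with fingerprint {fp}")
    if not kept:
        raise RuntimeError("refusing to remove the last key; add a replacement first")
    return render(kept)


def fingerprints(text: str) -> Dict[str, str]:
    """Map comment -> fingerprint: a quick 'who can still log in' audit."""
    return {e["comment"]: fingerprint(e["blob"]) for e in parse(text)}


if __name__ == "__main__":
    # Constructed placeholders: the provider-generated key and two users' .pub lines.
    provider = make_ed25519_pubkey_line(bytes(32), "lightsail-downloaded")
    alice = make_ed25519_pubkey_line(bytes(range(32)), "alice@laptop")
    bob = make_ed25519_pubkey_line(bytes(range(32, 64)), "bob@desktop")
    ak = provider + "\n"                       # what the instance starts with
    ak = add_key(ak, alice)                    # your own key first
    ak = add_key(ak, bob, options="restrict")  # a colleague, no forwarding/PTY
    ak = revoke(ak, fingerprints(ak)["lightsail-downloaded"])  # shared key is gone
    ak = revoke(ak, fingerprints(ak)["bob@desktop"])           # revoke one person
    print(ak, end="")
```

Revocation is a one-line deletion because every person has their own key pair and only ever sent you the public half; the private keys never moved, which is the property the shared downloaded key cannot give you.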