0

SFTP has an option "-i" to set the private key to use for public key authentication. However, there does not appear to be an option for which matching public key to use. Surely it must need this to tell the server which public key to use for the challenge.

Why is this and how does it work?

aaa90210
  • 351
  • 6
  • 15
  • Public keys are on the remote machine in the `~/.ssh/authorized_keys` file of the user you are connecting as. – ivanivan Apr 03 '18 at 01:18

2 Answers

4

First, the file for the 'private' key contains all parts of your key, both the public and private parts. If you delete the local copy of your public key, you can simply re-create it from the file that contains the private key. You can see everything for an RSA key with `openssl rsa -in filename.id_rsa -text`. So you never really need to identify the 'public' portion of a keypair when you have the private key. The private key has all the information.

As for the server authenticating the client: the server isn't encrypting something against the public keys. It is happening the other way. The client sends some information with a signature signed by the private key. The server can verify this using the public keys that it knows about.

https://www.rfc-editor.org/rfc/rfc4252

   To perform actual authentication, the client MAY then send a
   signature generated using the private key.  The client MAY send the
   signature directly without first verifying whether the key is
   acceptable.  The signature is sent using the following packet:

      byte      SSH_MSG_USERAUTH_REQUEST
      string    user name
      string    service name
      string    "publickey"
      boolean   TRUE
      string    public key algorithm name
      string    public key to be used for authentication
      string    signature

   The value of 'signature' is a signature by the corresponding private
   key over the following data, in the following order:

      string    session identifier
      byte      SSH_MSG_USERAUTH_REQUEST
      string    user name
      string    service name
      string    "publickey"
      boolean   TRUE
      string    public key algorithm name
      string    public key to be used for authentication

Zoredache
  • 128,755
  • 40
  • 271
  • 413
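A worked version of the exchange quoted above, as an added example that is not from the answer or from any SSH implementation: the client builds the public key blob from the private key alone, signs exactly the fields RFC 4252 lists, and the server uses the blob the client sent to pick which authorized_keys entry to verify against. It assumes an ssh-ed25519 key, the "ssh-connection" service name, and a constructed session identifier (a real one comes from the key exchange).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// sshString encodes an SSH "string": uint32 big-endian length, then the bytes (RFC 4251).
func sshString(b []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...)
}

// signedData is the byte sequence RFC 4252 lists as covered by the signature.
// SSH_MSG_USERAUTH_REQUEST is message number 50 (RFC 4250).
func signedData(sessionID []byte, user string, blob []byte) []byte {
	var b bytes.Buffer
	b.Write(sshString(sessionID))
	b.WriteByte(50)
	for _, s := range []string{user, "ssh-connection", "publickey"} {
		b.Write(sshString([]byte(s)))
	}
	b.WriteByte(1) // boolean TRUE
	b.Write(sshString([]byte("ssh-ed25519")))
	b.Write(sshString(blob))
	return b.Bytes()
}

// ClientSign (client side): the public key blob is derived from the private key alone and sent with a signature by it.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) (blob, sig []byte) {
	blob = append(sshString([]byte("ssh-ed25519")), sshString(priv.Public().(ed25519.PublicKey))...)
	return blob, ed25519.Sign(priv, signedData(sessionID, user, blob))
}

// ServerVerify (server side): the sent blob selects the authorized_keys entry to check; unknown blobs fail before any crypto.
func ServerVerify(authorized [][]byte, sessionID []byte, user string, blob, sig []byte) bool {
	for _, k := range authorized {
		if len(k) >= ed25519.PublicKeySize && bytes.Equal(k, blob) {
			pub := ed25519.PublicKey(k[len(k)-ed25519.PublicKeySize:])
			return ed25519.Verify(pub, signedData(sessionID, user, blob), sig)
		}
	}
	return false
}

func main() {
	_, priv, _ := ed25519.GenerateKey(nil) // constructed key pair standing in for the -i file
	blob, sig := ClientSign(priv, []byte("constructed-session-id"), "alice")
	fmt.Println("accepted:", ServerVerify([][]byte{blob}, []byte("constructed-session-id"), "alice", blob, sig))
}
```

Because the session identifier and user name are inside the signed data, a captured signature cannot be replayed on another connection or for another account, which the checks below exercise.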
0

The public key to use is set in the authorized_keys file for the user account on the server to which you connect. It is not set in the client.

https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process

is a good read for how this works.

JohnA
  • 556
  • 3
  • 12
  • But I thought the client sends the public key so the server knows which public key to use from authorized_keys? How would it know which one to use otherwise? – aaa90210 Apr 02 '18 at 23:01
  • No. The client uses the private key and negotiates with the server. The server finds a public key with a signature that matches the private key. Essentially, the client encrypts with the private key and the server decrypts with the public key. It's actually much more involved but that is the basis. – JohnA Apr 02 '18 at 23:03
  • In public key authentication, the server encrypts a message with a public key, and the client proves it can decrypt it. Which public key does the server use? It's OK to say "I don't know". – aaa90210 Apr 02 '18 at 23:05
  • heh. your question indicated that you did not know. I was keeping it simple. – JohnA Apr 02 '18 at 23:08
  • So which public key does it use? – aaa90210 Apr 02 '18 at 23:09
  • Client sends the id for the keypair. Server finds the pubkey in authorized_keys that matches the id. Then the server proves it has the pubkey by sending an encrypted message to the client, who decrypts it with the private key. – JohnA Apr 02 '18 at 23:17
  • Keypair? Id? What are you referring to? I am not using a keypair, just setting a private key with -i. – aaa90210 Apr 02 '18 at 23:24
  • You might give this a read: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process – JohnA Apr 02 '18 at 23:42
  • If you can't answer the question, it sounds like you need to do some reading. – aaa90210 Apr 04 '18 at 00:08