SFTP - x509 certificate authentication

0 votes
asked Jan 4 by Hysteria86 (140 points)


I'm currently trialling the SFTP library and am looking for some assistance in setting up x509 certificate authentication (as detailed here: http://www.rebex.net/sftp.net/features/authentication.aspx).

Is it possible to load the certificate on the server that the connection request is being made against? I can easily load a certificate on the local machine (the source), but am struggling to do so on the SFTP server itself (the destination).

If this is possible could you give me an example of the path I would need to specify in the LoadPfx method?

I'm currently interested in purchasing the product if this functionality is possible.


Applies to: Rebex SFTP

2 Answers

0 votes
answered Jan 4 by Lukas Matyska (35,000 points)

If you are using Rebex Tiny SFTP server, just simply store the certificates (public part = .cer or .der files) in a directory specified by userPublicKeyDir config key.

If you are using Rebex File Server component, load the certificate like this:

// load the public part of the certificate (.cer/.der, no private key)
var certificate = Certificate.LoadDer(file);
// wrap it as an SSH public key that can be associated with a server user
var key = new SshPublicKey(certificate);

Then associate it with a user as described in the Advanced authentication provider article.

If you are using a third party SFTP server, you have to read the documentation to find out how to set up certificate authentication.

commented Jan 4 by Hysteria86 (140 points)
Thanks. I'm using a third party SFTP server which already has the certificate, etc., installed.

Which documentation are you referring to?
commented Jan 5 by Lukas Matyska (35,000 points)
I am referring to the documentation of your SFTP server; it should describe how to set up x509 certificate authentication.

However, are you sure that you are using an SFTP server? It is a common mistake to mix up SFTP with FTP/SSL, which are two completely unrelated protocols. Please see http://www.rebex.net/kb/secure-ftp/default.aspx for details.

I thought that you are trying to authenticate to an SFTP server using client x509 certificate. If you are trying to achieve something else, please let me know.
commented Jan 6 by Hysteria86 (140 points)

You're correct I am attempting to authenticate an SFTP server using an x509 certificate.

The SFTP environment is set up and I am looking to implement the x509 authentication mentioned in this part of the library: http://www.rebex.net/sftp.net/features/authentication.aspx

What I'm struggling with is what type of value I should be entering for the certPath in this example?
commented Jan 6 by Lukas Matyska (35,000 points)
For `certPath` you have to specify the path of the certificate (.pfx path) with which the SFTP user is associated. Please see my second answer.

Please note that you need to have a certificate with an associated private key (.pfx file) at the client side, and a certificate without a private key (.der or .cer file) at the server side.

For example:
You have 'user1' defined at the SFTP server.
You have associated 'C:\Data\user1.der' certificate for the 'user1' at your SFTP server.
You have 'C:\Users\tester\Documents\Certificates\user1.pfx' certificate at the client - use this path for `certPath` when using Rebex `Sftp` object.
0 votes
answered Jan 6 by Lukas Matyska (35,000 points)

To authenticate to an SFTP server using a client x509 certificate you have to:

  1. Generate a certificate for the specified SFTP user.
  2. Store the certificate with associated private key (.pfx file) at the client side.
  3. Store the certificate (.cer or .der file) at the server side and associate it with the specified SFTP user in your SFTP server.

Then authenticate to your SFTP server using the Rebex Sftp object like this:

using Rebex.Net;
using Rebex.Security.Certificates;

// connect to a server
var sftp = new Sftp();
sftp.Connect(hostname, port);

// verify server's fingerprint
// ...

// load X509 certificate (client side: .pfx with the private key)
Certificate x509 = Certificate.LoadPfx(certPath, certPassword);

// wrap X509 certificate to SshPrivateKey
SshPrivateKey privateKey = new SshPrivateKey(x509);

// log in
sftp.Login(username, privateKey);
commented Jan 12 by Hysteria86 (140 points)
Thank you. I've now been able to get this working following your example.

I have a question though (please forgive me if this is a protocol standard as I am fairly new to working with SFTP having only worked with FTPS previously).

Why is it required to store the certificate on both the client and server side? I've previously worked with FTPS where it is possible to load the certificate on the server without having to store anything locally/on the client.
commented Jan 12 by Lukas Matyska (35,000 points)
If you are authenticating using a client x509 certificate against your FTPS server, then you have to store the certificate locally/on the client for sure. Without a certificate on the client it is not possible to use certificate authentication. Maybe you didn't store it on disk, but installed it in the certificate store?

If you are not using client x509 certificate authentication, but only username/password authentication, then there is no need to have any certificate on the client. The certificate is needed on the FTPS server only (to prove the server's identity).

On the other hand, SFTP doesn't need any server certificate. Its identity is verified by the client, typically by checking the fingerprint of the server's public key (`Sftp.ServerKey.Fingerprint`).
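Putting the second answer's steps together with the fingerprint check from the last comment, as an added example (not code from this thread or from Rebex): the client pins the server's host key fingerprint before it sends the certificate-based login, so the .pfx-backed authentication is never attempted against an unverified host. `ExpectedFingerprint` is a placeholder, and the comparison assumes the pinned value was recorded out-of-band in the same text format that `ServerKey.Fingerprint.ToString()` produces.

```csharp
using System;
using Rebex.Net;
using Rebex.Security.Certificates;

static class SftpCertLogin
{
    // Placeholder: obtain the real value from the server administrator (out-of-band)
    // and store it in the format Sftp.ServerKey.Fingerprint.ToString() returns.
    const string ExpectedFingerprint = "<pinned-server-key-fingerprint>";

    public static void LoginWithCertificate(
        string hostname, int port, string username, string certPath, string certPassword)
    {
        // Sftp is IDisposable; Dispose closes the connection on any exit path,
        // including a fingerprint mismatch thrown below.
        using (var sftp = new Sftp())
        {
            sftp.Connect(hostname, port);

            // SFTP has no server certificate: the host key fingerprint is the
            // only thing the client can check to verify the server's identity.
            string actual = sftp.ServerKey.Fingerprint.ToString();
            if (!string.Equals(actual, ExpectedFingerprint, StringComparison.OrdinalIgnoreCase))
            {
                throw new InvalidOperationException(
                    "Server key fingerprint mismatch: got '" + actual +
                    "', expected '" + ExpectedFingerprint + "'. Aborting before login.");
            }

            // Client side holds the certificate WITH its private key (.pfx).
            // The server only holds the public part (.cer/.der) tied to this user.
            Certificate x509 = Certificate.LoadPfx(certPath, certPassword);
            SshPrivateKey privateKey = new SshPrivateKey(x509);

            // Only now, with the server verified, present the certificate-backed key.
            sftp.Login(username, privateKey);
            Console.WriteLine("Authenticated as " + username + " with client certificate.");
        }
    }
}
```

Call `SftpCertLogin.LoginWithCertificate(...)` with the same host, port, user and .pfx path values the answer's snippet uses; a mismatched fingerprint raises before any credential is sent.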