0 votes
by (120 points)

Hello,
I am currently using a tinysftp server to test public/private key authentication.
In the config file I added a directory where the server's public keys are stored, with which the clients can authenticate. When the server starts, it even says that the public keys are loaded.
The problem now is that the clients can even connect without using the corresponding private key. Why is that so and how can I change this? Maybe it's because the server and the client are in the same network. As an SFTP client I am using WinSCP.

1 Answer

0 votes
by (144k points)

Rebex Tiny SFTP Server supports two kinds of authentication:

  • password-based authentication
  • key-based authentication

These are only supported as alternatives - a client can present either a valid password or a valid key. Authentication requiring both the password and the key is not supported at the moment.

Based on your description, it looks like clients might be connecting using a password only. If you wish to only allow key-based authentication, set the password to a sufficiently long random value and don't use it with any of your SFTP clients.

...