0 votes
by (120 points)

I purchased the File Transfer Pack to construct an SFTP server using Core. The process was straightforward and user-friendly, earning a thumbs up.
However, managing key generation for over 5000 customers has become overwhelming. I am considering using my SFTP solution as a type of FTPS, as Rebex lacks NuGet packages for creating an FTPS server. Consequently, I am loading a trusted X509 into my app.
Certificate cert = ServerKey.GetCertificate();
Certificate serverCert = new Certificate(cert);
SshPrivateKey sshPrivateKey = new SshPrivateKey(serverCert);
_server.Keys.Add(sshPrivateKey);

Is that okay? Anyway, connecting via WinSCP gives me a problem like "Selected host key algorithm x509v3 etc." does not correspond to any supported algorithm. Is my approach incorrect? Any suggestions would be appreciated. (By the way, I use username/password authentication through the local system.)

Applies to: Rebex SFTP, Rebex FTP/SSL

1 Answer

0 votes
by (147k points)

Unfortunately, WinSCP does not support X.509 certificates in SSH (RFC 6187).

However, the next major release of Rebex File Transfer Pack will add FTPS server support, and a fully supported preview is already available. If you would like to give this a try ahead of the official release, let me know and we'll send you a download link.

by (120 points)
Thank you for the swift answer. I suppose we don’t necessarily need to make use of FTPS. However, I do have some questions on best practices for managing server private keys on the SFTP server. Our situation is as follows:

We would like to expose a SFTP file server to our external customers (about 5000 different clients), and to keep it simple, the clients will be authenticating to the SFTP server using username/password authentication, as this is what the clients are used to today. We might change to an SSH-key authentication in the future, but for now we will make use of username/password.

We still need to have a private key associated with the SFTP server itself such that the clients can establish a SSH connection (as per your documentation, https://www.rebex.net/sftp.net/features/private-keys.aspx).

What are the best practices for managing and rotating the SFTP server private key(s)? And would you suggest using multiple private keys that are rotated? And if so, how do we go about implementing it?
...