0 votes
by (120 points)

We create a user for SFTP Access and set the user to use a password for login. We want to switch this user to use a key instead.

I want to clarify that this is the correct method.

  1. Create the user
  2. Configure the user for SFTP login and select SSH Key Option.
  3. Generate key for the user: ssh-keygen -t ed25519 -C username
  4. Attach the .pub file generated to the user profile
  5. Send the .pub file to the user for authentication

This is the first time we are dealing with SFTP and keys and want to make sure this is set up correctly.

1 Answer

0 votes
by (2.3k points)

Hi,

I assume you are using Buru SFTP Server. In that case, the procedure is sound (although I am a bit unsure about step 5, as this is generally handled by the SSH/SFTP client, which also needs access to the private key - or at least to the operations done using the private key, when the key is stored elsewhere, such as on a hardware token, for example).

Please be aware of a bug in Buru SFTP Server introduced recently which sometimes requires the user to specify the password even though public key authentication is set up and 2FA is turned off. This will be fixed in a release this week. There are several workarounds:

  • manually set password auth to 'enabled' using burusftp user update <user> --password-auth enabled
  • using Web Admin, turn off and on password authentication, then save the "changes".
by (2.3k points)
One more thing to add: the private + public key pair MUST be generated by the client as they need to ensure the private key's safety (the private key must NEVER be shared). The client provides the server with their public key.
ago by (120 points)
I am afraid I am lost.
The client is a service that is connecting to our SFTP server. I created the user, and the service needs the username, the private key uploaded as an .asc file, the host IP and the port.

I am not sure what file to provide it for the private key.

I ran the ssh-keygen command on the SFTP server for the user and used that file, but it fails to authenticate.
ago by (2.3k points)
It appears there may be some confusion between two distinct key pairs involved in SSH/SFTP authentication.

Server Host Keys (SSH Keys section in Web Admin)
The first key pair establishes the server's identity. These are the SSH host keys, which are automatically generated by Buru SFTP Server during installation. In fact, multiple key pairs using different algorithms (such as RSA, ECDSA, and Ed25519) are created to support various client configurations. These private keys must be kept secure and are stored in the server's configuration directory. When a client connects, the server presents its public host key, allowing the client to verify it is communicating with the intended server and not an impostor.

User Authentication Keys
The second key pair establishes the user's identity. These keys should be generated on the client side, not on the server. The user creates a key pair using a tool such as ssh-keygen, PuTTYgen, or a similar utility. The private key remains securely stored on the client machine and should never be shared. The corresponding public key is then uploaded to the server and added to the user's authorized keys configuration (using Web Administration, for example). During authentication, the server challenges the client to prove possession of the private key without ever transmitting it.

TLDR: the server's host keys prove the server is who it claims to be, while the user's authentication keys prove the user is who they claim to be. Both are essential, but they serve fundamentally different purposes and should be managed accordingly.
ago by (2.3k points)
One more TLDR: You can send the client the server (host) PUBLIC key so the client can verify the authenticity of the server. On the other hand, if the client wants to connect to the server using public key authentication, the client must send you their PUBLIC key so you can assign it to their Buru SFTP user. You should NEVER send or receive PRIVATE keys.
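As an added illustration of the point made in this thread (this is example code, not part of the original answers or of Buru SFTP Server), the following Python script does the check a server administrator would want to run on the file a client sends them: it refuses anything that looks like a private key, parses a single OpenSSH `authorized_keys`-style public key line (`<type> <base64> [comment]`), validates the Ed25519 wire format, and computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, so the fingerprint can be compared with the client over a separate channel. The sample key bytes are constructed (a counter from 0 to 31) and are not a real key; the function names are my own.

```python
import base64
import hashlib
import struct

ED25519 = "ssh-ed25519"


def looks_like_private_key(text):
    """True if the text carries a PEM/OpenSSH private-key marker.

    A private key must never leave the client, so the server side
    should reject such a file outright rather than try to use it.
    """
    return "PRIVATE KEY" in text.upper()


def parse_public_key(line):
    """Parse one OpenSSH public key line into its components.

    Returns a dict with 'type', 'key' (raw key bytes for Ed25519, the
    whole blob otherwise), 'comment' and 'fingerprint'.  Raises
    ValueError for anything that is not a well-formed public key.
    """
    text = line.strip()
    if looks_like_private_key(text):
        raise ValueError("this is a PRIVATE key; it must never be sent to the server")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        raise ValueError("key data is not valid base64")

    # The blob is a sequence of length-prefixed fields (RFC 4251 "string"):
    # the first field repeats the key type, the rest are algorithm specific.
    fields = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != key_type.encode("ascii", "replace"):
        raise ValueError("type prefix does not match embedded key type")
    if key_type == ED25519 and (len(fields) != 2 or len(fields[1]) != 32):
        raise ValueError("malformed ed25519 public key")

    # ssh-keygen -lf prints SHA256 of the blob, base64 without '=' padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {
        "type": key_type,
        "key": fields[1] if key_type == ED25519 else blob,
        "comment": comment,
        "fingerprint": fingerprint,
    }


def make_sample_public_key_line(raw32, comment):
    """Build an Ed25519 authorized_keys line from 32 raw bytes (constructed
    test data only; a real key comes from ssh-keygen on the client)."""
    blob = struct.pack(">I", len(ED25519)) + ED25519.encode() \
        + struct.pack(">I", len(raw32)) + raw32
    return ED25519 + " " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Constructed sample: not a real key pair, just 32 predictable bytes.
    line = make_sample_public_key_line(bytes(range(32)), "alice@client")
    info = parse_public_key(line)
    print(info["type"], info["fingerprint"], info["comment"])
    try:
        parse_public_key("-----BEGIN OPENSSH PRIVATE KEY-----")
    except ValueError as err:
        print("rejected:", err)
```

On the server, `ssh-keygen -lf <file>` prints the fingerprint computed here; on the client, `ssh-keygen -lf ~/.ssh/id_ed25519.pub` prints the same value for their key, so the two sides can confirm they are talking about the same public key before it is attached to the SFTP user. The same helper applied to the server's own host public key gives the fingerprint you can hand to the client for host verification.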
...