0 votes
by (630 points)

For the API below, will the username and password get encrypted with the private key while being sent from the client? The server uses the public key to decrypt the message and retrieves the username and password. Is this understanding correct?

Public Sub Login ( _userName As String, _password As String, _privateKey As SshPrivateKey )

Applies to: Rebex SFTP

1 Answer

0 votes
by (136k points)

No, this is not what this method does. It performs two kinds of authentication for the specified user - password authentication (just like Login(userName, password)) and publickey authentication (just like Login(userName, privateKey)). This is needed for user accounts configured to require the client to perform both of these authentications. This kind of configuration is not very common. Usually, you need to call either Login(userName, password) or Login(userName, privateKey).

Username and password are not encrypted with the private key. However, SFTP runs over SSH, which means they are transmitted over a secure and encrypted SSH channel that has been established during the Connect method. To determine how exactly the SSH session has been secured, see the Sftp.Session.Cipher object. For additional information about the kind of security offered by SSH, see 'Introduction' in RFC 4521. Also, don't forget to validate the server's public key fingerprint before authenticating to make sure you are connecting to the desired server. See Server verification for details.

by (630 points)
1) If the SSH channel is established only during Connect(), will the Login() method not expose the username and password?
2) Will it be OK to encrypt the username and password with the private key and then invoke Login(userName, password)? Can the SFTP server handle this case?
by (136k points)
1) No. The Login() method operates over the SSH session established during the Connect() method and it can only be called when the connection has been established and is still active. If it's not, Login() would fail.
2) No, this will not work. Clients have to supply the credentials using one of the existing protocols that SSH servers understand. They can't invent their own protocols (unless you modify a server as well to support your custom authentication protocol).
However, what you would like to do is not possible anyway because asymmetric algorithms don't support this kind of operation. DSA doesn't support encryption/decryption at all, and RSA encryption is performed using a public key (and the private key is needed for decryption).
by (630 points)
Thanks a lot for your response. There is an overloaded method Login(username, password, privatekey). Is this method meant for double authentication - 1st authentication with username + password and the 2nd authentication with privatekey + publickey?
by (58.9k points)
Yes, this is exactly what the method does. Just keep in mind that the password authentication is performed first, and only if the server then requires the key authentication is the private key authentication performed. In case the SFTP server lets the user authenticate with a password only, the Login(username, password, privatekey) method also succeeds. So it is more on the server to decide. However, our method is exactly what you need for servers that require the double authentication.
by (630 points)
Are the private key and public key for one user, or can the same keys be configured for multiple users?
by (58.9k points)
First of all, it is the user that generates his private/public key pair. The user then passes the public key to the SFTP server admins (or associates it with his account himself, depending on the server). So the private key is kept secret by the user and should not be disclosed to any third party (also never disclosed to the server). Sharing the same private key among multiple users is definitely not recommended!
by (630 points)
Regarding Login(userName, privateKey), please help me understand what kind of mechanism the server uses to validate the privateKey against the publicKey that it holds. If the private key can be seen by the SFTP server (after decryption), will it not be considered a private key leak?
by (58.9k points)
No, because the private key stays in the possession of the SFTP client user. How it works, in very simplified words: the Rebex.Net.Sftp client method Login(username, privatekey) takes the private key as the input, but it does not send the private key to the server. It just signs the authentication request with the private key and sends the signed request to the SFTP server. The SFTP server is then able to decrypt the request with the public key of the user. If the computations match, the user is authenticated successfully. For more information on private/public key authentication see e.g. https://winscp.net/eng/docs/public_key
by (630 points)
OK. So the private key is used to encrypt the request (with username and / or password) on the already established encrypted secured channel. Thanks for the details.
by (58.9k points)
No sorry, it does not work like this! Public key authentication is based on asymmetric algorithms such as RSA or DSS, and the private key is not used for encrypting anything. It is used to compute a signature of a specifically constructed message. To validate the signature, a public key is sufficient. The signature serves as proof of owning the private key. The private key itself is kept secret by the user.
by (136k points)
The exact mechanism used by SSH public key authentication is described by RFC 4252. Please see https://tools.ietf.org/html/rfc4252#section-7 for details.
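To make the RFC 4252 section 7 mechanism concrete, here is an added example (not Rebex code, not part of this thread) that builds the exact byte sequence the client signs, signs it on the client side, and verifies it on the server side. It uses Ed25519 (RFC 8709) instead of RSA to keep it short; the message layout is the same for ssh-rsa. The session identifier, user name and key pair are constructed values, and the outer (string alg, string sig) wrapper of the wire signature is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes the SSH "string" wire type: uint32 big-endian length + bytes (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// keyBlob is the public key blob the client sends: string "ssh-ed25519", string key (RFC 8709).
func keyBlob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// signedData assembles the exact bytes RFC 4252 section 7 says the client signs; the session
// identifier from key exchange binds the signature to this one SSH session, so it cannot be replayed.
func signedData(sessionID []byte, user, service string, blob []byte) []byte {
	d := append(sshString(sessionID), 50) // byte SSH_MSG_USERAUTH_REQUEST
	for _, s := range []string{user, service, "publickey"} {
		d = append(d, sshString([]byte(s))...)
	}
	d = append(d, 1) // boolean TRUE: a signature is present
	d = append(d, sshString([]byte("ssh-ed25519"))...)
	return append(d, sshString(blob)...)
}

// clientSign runs on the client: the private key only produces a signature and is never sent.
func clientSign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// serverVerify runs on the server: it rebuilds the same bytes from its own view of the session
// and checks the signature with the public key it has on file for that user (no decryption).
func serverVerify(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	data := signedData([]byte("constructed-session-id"), "alice", "ssh-connection", keyBlob(pub))
	sig := clientSign(priv, data)
	fmt.Println("server accepts:", serverVerify(pub, data, sig))
}
```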
...