All geek questions in one place

Why does the SFTP client need to know only the secret key, does not require a public key?

When I connect the SFTP server to the client, I only need to provide the client software with the private key, not the public key. I do not know how this works, because from [1] and [2] both require that the client software also know the public key.

My understanding of how SFTP works

Customization

  • client: generate private / public key pairs.

  • client: send the public key to the server

  • server: add this public key to the list of authorized keys

during connection

  • client: tell the server the public key

  • server: check if the public key is allowed, and if not, refuse, otherwise send a random session identifier to the client

  • client: the client uses the private key to encode the random session identifier and send it to the server

  • server: decode it with the public key and confirm the identifier.

In this case, the client requires a public key. However, I did not provide this, but the SFTP client could still connect the server. So how does this SFTP protocol really work?

[1] http://www.openssh.org/txt/rfc4252.txt

[2] https://www.eldos.com/security/articles/1962.php

+6
source share
1 answer

Although the @Pascal Cuoq comment is the correct answer, this is only half the answer, since the client actually needs the public key, but only the server’s public key, and you already have this in your known_hosts file.

If you do not, you will be asked to trust the one that the server represents when you first connect to the server. This is something that most people completely ignore. If at the first connection you are poisoned by DNS (or there is some other form of the Man in the Center attack) or you do not pay attention to Server identity has changed notifications, you are vulnerable to MitM attacks.

+3
source

Source: https://habr.com/ru/post/953362/

More articles:


All Articles