New SFTP plugin available now

Discuss and announce Total Commander plugins, addons and other useful tools here, both their usage and their development.

Boofo
Power Member
Posts: 1431
Joined: 2003-02-11, 00:29 UTC
Location: Des Moines, IA (USA)

Post by *Boofo »

2MarkFilipak,

Like I said, I'm new at this ssh key stuff. I ran this on the server:

Code:

    ssh-keygen -t dsa

and got what I needed from that. Let me ask this... does my private key match up to my public key? Is that how it knows it is me? These 2 files (authorized_keys & public_key.pub) have the same key code in them. Do I need them both on the server or just the authorized_keys file with my public key in it?

I apologize for my ignorance on this matter.
chmod a+x /bin/laden -- Allows anyone the permission to execute /bin/laden

How do I un-overwrite all my data?

User of Total Commander
#60471 Single user license
MarkFilipak
Member
Posts: 164
Joined: 2008-09-28, 01:00 UTC
Location: Mansfield, Ohio

Post by *MarkFilipak »

Glad those MAN pages helped.
Boofo wrote:... does my private key match up to my public key?
Yes... and no. Yes, they are a pair. No, the private key is different (But you undoubtedly already know that, so I'm probably misunderstanding your question).
Boofo wrote:Is that how it knows it is me? These 2 files (authorized_keys & public_key.pub) have the same key code in them.
Yes. The public key is for you to distribute. When you log in, a session key is computed using your private key. The session key is what is passed to the server. The server then uses your public key (from authorized_keys) to compute its response. Your client then checks the response, computing with your private key. Thus, both ends become satisfied that 1, the server has your public key, and 2, that you have your private key. Anything computed with your private key can be recovered with your public key, and anything computed with your public key can be recovered with your private key. Interestingly, anything computed with a private key cannot be recovered with the same private key, and anything computed with a public key cannot be recovered with the same public key. There is essentially no difference between the private key and the public key except who holds which one and how they are used. The private key should be guarded.
Boofo wrote:Do I need them both on the server or just the authorized_keys file with my public key in it?
Just the authorized_keys file.
Hi Christian! Delighted customer since 1999. License #37627
Boofo
Power Member
Posts: 1431
Joined: 2003-02-11, 00:29 UTC
Location: Des Moines, IA (USA)

Post by *Boofo »

MarkFilipak wrote:Yes... and no. Yes, they are a pair. No, the private key is different (But you undoubtedly already know that, so I'm probably misunderstanding your question).
Sorry for the confusion. I meant they are paired up, not the same keys.
MarkFilipak wrote:Yes. The public key is for you to distribute. When you log in, a session key is computed using your private key. The session key is what is passed to the server. The server then uses your public key (from authorized_keys) to compute its response. Your client then checks the response, computing with your private key. Thus, both ends become satisfied that 1, the server has your public key, and 2, that you have your private key. Anything computed with your private key can be recovered with your public key, and anything computed with your public key can be recovered with your private key. Interestingly, anything computed with a private key cannot be recovered with the same private key, and anything computed with a public key cannot be recovered with the same public key. There is essentially no difference between the private key and the public key except who holds which one and how they are used. The private key should be guarded.
Thanks for explaining this in a little more detail. It is all starting to make a little more sense now. I have both the private key and the public key entered into this plugin's settings. So that part is working like it should.
MarkFilipak wrote:Just the authorized_keys file.
Ah, OK. Now I get it. I was wondering why I would need the .pub key on the server when I had the public key code entered into the authorized_keys file. So I would just add a person's public key to the file like I did mine if I wanted to allow someone else access (which I won't do right now).

One last question... do you HAVE to have a private key to go with the public key or could you just go with a public key for a user?
MarkFilipak
Member
Posts: 164
Joined: 2008-09-28, 01:00 UTC
Location: Mansfield, Ohio

Post by *MarkFilipak »

Boofo wrote:One last question... do you HAVE to have a private key to go with the public key or could you just go with a public key for a user?
The short answer is, you need both a private key and a public key.

You know, I'd read so much confusing information on public key encryption that when I finally understood it, I was amazed how simple it really is. A question related to your question that I often see is this: If I accept a public key from a web site, how do I know it's really from that web site? To address your question about whether a private key is really needed, and to address the question I pose, I'm going to give you a blow-by-blow example that I hope will nail it.

You (TheClient) remotely log into a server (TheServer) that you know should be holding your public key. You create a secret message, use your private key to encrypt it, and send it to the server that purports to be TheServer.

The server gets the message purported to be from TheClient, decrypts it with TheClient's public key (which it has), uses its own private key to encrypt it again, and sends it back to you.

You get the message purported to be from TheServer, decrypt it with TheServer's public key (which you have), and see that the message matches the original secret message. At that point, you know that the server you are logging into must have TheServer's private key (and therefore you assume that the server is TheServer).

The process is repeated in the opposite direction (server to client back to server). At that point, the server knows that the client that is logging in must have TheClient's private key (and therefore the server assumes that the client is TheClient).

So, what is the secret message? It's a random number. What is the chance that a bogus server that purports to be TheServer can produce the correct encryption without having TheServer's real private key? That depends upon the length of the key.

I hope you now see 1, why both partners need both a public key (to exchange) and a private key (to perform checks), and 2, why it is important to safeguard your private key.

Okay, now to the question of trusting that a public key that you get from TheServer is really from the server you think it is.

The first scenario is: Your friend personally gives you a print out of his/her public key. You take it and transcribe it into your key ring. You can have absolute trust in it because 1, you got it directly from your friend, and 2, you know that your friend safeguards his/her private key.

The second scenario is: You are emailed a public key by a company you do business with. When you put the key into your key ring, you get an MD5 hash of the key. You call a phone number that you know belongs to the company and read the MD5 to them. They confirm that the MD5 is correct.

Edit (Sep 27, 2009): The next paragraph is wrong. It is based on SSL/TLS (which I studied long ago), not SSH (which is new to me). It dangerously misleads the reader regarding 1, connecting to a particular SSH server for the first time, and 2, the identity of the entity that approves the server's credentials when making said connection (specifically, there is no CA in SSH). I apologize to anyone misled by my error and will post a correction in the near future together with links to more verbose presentations.
The third scenario is: You receive a public key from a company's web site. The key has been signed by a certifying authority (CA) that you trust. You check with that authority over the net and receive confirmation that the key is genuine.

That's it! Ciao -- Mark
Last edited by MarkFilipak on 2009-09-27, 13:34 UTC, edited 1 time in total.
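To make concrete what the posts above say about authorized_keys holding only the public key, and about checking a key's hash before trusting it, here is an added example (not from this thread or from the sftpplug project): it builds an ssh-rsa public-key blob from constructed toy values, parses an authorized_keys line, computes the SHA256 fingerprint the way ssh-keygen -l shows it, and does the server-side lookup. The toy modulus, the from= option and the boofo@desk comment are constructed sample data, not a real key.

```python
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def sshstr(b):  # RFC 4251 'string': 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def mpint(x):  # RFC 4251 'mpint': minimal encoding, leading 0x00 when the top bit is set
    return sshstr(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def build_rsa_blob(e, n):
    """The binary blob that the base64 field of an 'ssh-rsa' line decodes to."""
    return sshstr(b"ssh-rsa") + mpint(e) + mpint(n)

def parse_rsa_blob(blob):
    """Walk the length-prefixed fields back out of the blob: (key type, e, n)."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    return fields[0].decode(), int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def parse_authorized_keys_line(line):
    """(options, keytype, blob, comment) for one line; None for blank or '#' lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Leading options such as from="..." precede the key type (quoted values containing spaces not handled)
    options, line = ("", line) if line.startswith(KEY_TYPE_PREFIXES) else line.split(None, 1)
    parts = line.split(None, 2)
    return options, parts[0], base64.b64decode(parts[1]), (parts[2] if len(parts) > 2 else "")

def fingerprint_sha256(blob):
    """What 'ssh-keygen -lf key.pub' prints: unpadded base64 of SHA-256 over the whole blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def is_authorized(authorized_keys_text, presented_blob):
    """Server side of public-key auth: the presented public key must appear in authorized_keys."""
    return any((p := parse_authorized_keys_line(l)) is not None and p[2] == presented_blob
               for l in authorized_keys_text.splitlines())

# Constructed sample data: a toy modulus, not a real key, so the example runs offline.
E, N = 65537, 0xDEADBEEFCAFEBABE0123456789ABCDEF
BLOB = build_rsa_blob(E, N)
AUTHORIZED_KEYS = ("# constructed sample authorized_keys\n"
                   'from="192.0.2.0/24" ssh-rsa ' + base64.b64encode(BLOB).decode() + " boofo@desk\n")
```

Only the public key ever sits in authorized_keys; the private key stays on the client, which is why the lookup above needs nothing but the public blob.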
MarkFilipak
Member
Posts: 164
Joined: 2008-09-28, 01:00 UTC
Location: Mansfield, Ohio

Post by *MarkFilipak »

Boofo,

Knowing that I'm writing a help file for sftpplug, what do you think should be in it?
Boofo
Power Member
Posts: 1431
Joined: 2003-02-11, 00:29 UTC
Location: Des Moines, IA (USA)

Post by *Boofo »

2MarkFilipak,

Just so I fully understand everything now... the public key is the same thing for everyone, right? And their individual private keys are what they need to hook up to the public key? Or am I still missing something? The reason I ask is because you said the public key was for me to distribute and I thought I was supposed to enter everyone's public key into the authorized_keys file.
MarkFilipak wrote:Knowing that I'm writing a help file for sftpplug, what do you think should be in it?
Basically the settings, what they mean and how to set them, for the most part. What you have so far in the list looks good. Not everyone is an SFTP guru (as you are finding out with me) and you have helped me understand things a little better. Just do the help file in that manner and I'm sure it will be great! ;)
MarkFilipak
Member
Posts: 164
Joined: 2008-09-28, 01:00 UTC
Location: Mansfield, Ohio

Post by *MarkFilipak »

You can create as many private-public key pairs as you like (though why you would want to do that is unknown, but I've seen people with 3 or 4). Each private key must have an associated public key and they are used as a pair. So when you write
Boofo wrote:the public key is the same thing for everyone, right?
I'm not sure what you mean. Further, when you write
Boofo wrote:individual private keys
I get the feeling you think that for every instance of your public key that you give out, you must have a private key. That's not true - excuse me please if I misunderstand. You distribute copies of your public key far and wide but it is really only one public key and you have only one, matching private key. A key is not a file. A key is the content of the file.

Edit: Elaboration: Suppose you wanted to have two logons for your server - ummm.... one with root priv. and the other as an ordinary user. You would have two usernames, but the contents of authorized_keys for each user would be the same (i.e., the same key).
Mikefield
Power Member
Posts: 628
Joined: 2006-02-26, 19:13 UTC
Location: Oberursel, Germany HE

Post by *Mikefield »

2MOD's Could anyone cut this private discussion into a separate thread please? TIA

mf
Bankster - Word of the Year 2009
ghisler(Author)
Site Admin
Posts: 48166
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

MarkFilipak wrote:I have written a much needed help file for the libcurl-based, SFTP plugin. Who can I send that to?
Why not put it in the Wiki? This would be a perfect location, because other forum users can add their information too! You can login with your forum user name and password:
http://www.ghisler.ch/wiki/index.php/Main_Page
Author of Total Commander
https://www.ghisler.com
MarkFilipak
Member
Posts: 164
Joined: 2008-09-28, 01:00 UTC
Location: Mansfield, Ohio

Post by *MarkFilipak »

CG wrote:Why not put it in the Wiki?
A TC Wiki that has been around since 4 May 2005? Certainly a well-kept secret.

1 - There doesn't seem to be a link to the Wiki anywhere.
2 - If I put the documentation in the Wiki, who'd see it?
3 - There doesn't seem to be any place for documentation projects or for plugins.
4 - The link to the libcurl-based sftpplugin seems to have been removed from the plugins page.
5 - Looks like I've been wasting my time.
Ciao -- Mark.
Horst.Epp
Power Member
Posts: 6512
Joined: 2003-02-06, 17:36 UTC
Location: Germany

Post by *Horst.Epp »

MarkFilipak wrote:
CG wrote:Why not put it in the Wiki?
A TC Wiki that has been around since 4 May 2005? Certainly a well-kept secret.

1 - There doesn't seem to be a link to the Wiki anywhere.
2 - If I put the documentation in the Wiki, who'd see it?
3 - There doesn't seem to be any place for documentation projects or for plugins.
4 - The link to the libcurl-based sftpplugin seems to have been removed from the plugins page.
5 - Looks like I've been wasting my time.
Ciao -- Mark.
There is a link as a Sticky Article in every forum, even in this one (on top).
Hacker
Moderator
Posts: 13081
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

Mikefield,
2MOD's Could anyone cut this private discussion into a separate thread please? TIA
One page out of twenty-nine is ok in my book in this case, also since not totally off-topic.

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect you drop dead.
white
Power Member
Posts: 4647
Joined: 2003-11-19, 08:16 UTC
Location: Netherlands

Post by *white »

MarkFilipak wrote: SFTP Plugin Installation and Usage Guide for Microsoft Windows
[...]
2MarkFilipak: Please carefully read what Mikefield said:
Mikefield wrote: Up to point 5 in your post above it is OK, but from point 6 onwards some things are different.
If you press F7 in the Secure FTP folder, it asks you for a new directory, but this is the name for the new connection!!!
2MarkFilipak: You are using the wrong way to create connections. The correct way would be to create one or more connections using the F7 key, or the F7 NewFolder button, and then to open one of these connections. Or to open the _Quick Connection entry in order to quickly connect to a server without creating a connection first.

The method you are using is probably only possible because of a bug. It didn't work this way before. If you try beta 0.92 you will see it works differently.
Mikefield wrote:2Christian Did you change the handling of the _F7=neue Verbindung.txt?
In older versions it opened the Plugin help when executed. The new version up
to 094? opens the Quick connection. Also, viewing with F3 is not possible anymore.
This causes a lot of confusion for new users, as you can see here. Please
set it back as before.
Agreed.
Blizz
Junior Member
Posts: 14
Joined: 2004-06-28, 06:45 UTC
Location: Belgium

Post by *Blizz »

Ever since I installed this on Windows 7, TC hangs completely when attempting to upload to my server.

I've been using this plugin for ages on Vista/XP without problems... Connection, directory listing, downloading all works flawlessly, but as soon as I start an upload TC completely hangs and I have to terminate it eventually.

Any ideas? I really depend on this plugin and would hate having to fall back on other software.

TC 7.50, SFTP 0.94 on Windows 7 Pro N EN
ghisler(Author)
Site Admin
Posts: 48166
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Maybe a problem with the Windows firewall?