EldoS | Feel safer!

Integrating certificate into SFTP

#31381
Posted: 11/09/2014 13:06:45
by wilsontay (Basic support level)
Joined: 08/06/2014
Posts: 11

Hi,

I'm wondering whether it is ever possible to integrate a certificate into SFTP. What I'm trying to achieve is something similar to FTPS, where the client will be given a trusted certificate of the server and would get prompted if the server is not legitimate and whatnot.

Also, from my understanding, it seems that the only way for the client to verify that the server is indeed who it claims to be is by looking at the host fingerprint (which is prompted the first time connecting to the server). Is there anything for the server to provide to the client so that the client implicitly trusts the server and does not get the "first time prompt"?

Thanks
#31382
Posted: 11/09/2014 13:17:10
by Eugene Mayevski (EldoS Corp.)

wilsontay wrote:
I'm wondering is it ever possible to integrate certificate into SFTP? What I'm trying to achieve is something similar to FTPS where the client will be given a trusted certificate of the server and would get prompted if the server is not legitimate and whatnot.

Are you sure that you need an X.509 certificate and not an SSH key? You can give the client the public key (SSH key, I mean) of the server.

wilsontay wrote:
Also from my understanding it seems that the only way for the client to verify the server that it is indeed who it claims to be is by looking at the host fingerprint (which is prompted during the first time connecting to the server).

... or comparing the public key binary with the stored key.

There's nothing similar to PKI and CAs in SSH key management.


Sincerely yours
Eugene Mayevski
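The two client-side checks Eugene describes (the fingerprint shown at the "first time prompt" versus comparing the server's public key byte-for-byte against a copy handed to the client out of band), as an added example that is not code from this thread or from EldoS. It is plain Python, uses a constructed Ed25519 key rather than any real server's key, and assumes OpenSSH's public-key line format and its SHA256 fingerprint notation.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: 32 arbitrary bytes standing in for an Ed25519 host key.
# This is NOT a real server key; it only exercises the parsing and comparison.
SAMPLE_ED25519_POINT = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_openssh_line(key_type: str, payload: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line ('<type> <base64 blob> [comment]');
    used here only to construct sample data the way a server would publish it."""
    blob = ssh_string(key_type.encode()) + ssh_string(payload)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_openssh_line(line: str):
    """Return (key_type, raw blob) from an OpenSSH public-key line. The key type
    embedded inside the blob must equal the declared type, or the line is rejected."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("declared key type does not match encoded key")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob.
    This is what a client shows at the first-connection prompt for a human to compare."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(pinned_line: str, presented_line: str) -> bool:
    """Accept the server only if the key it presents is byte-for-byte the key the
    client was given in advance (the 'compare the public key binary' approach)."""
    pinned_type, pinned_blob = parse_openssh_line(pinned_line)
    presented_type, presented_blob = parse_openssh_line(presented_line)
    if pinned_type != presented_type:
        return False
    return hmac.compare_digest(pinned_blob, presented_blob)
```

With the server's key distributed to the client this way, the client never needs the interactive prompt: a mismatch is a hard failure, and the fingerprint is only a convenience for humans checking the pinned copy.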
#31383
Posted: 11/09/2014 19:32:57
by wilsontay (Basic support level)
Joined: 08/06/2014
Posts: 11

How about https://www.eldos.com/security/articles/2852.php?page=all? That article seems to detail how to integrate an X.509 certificate into the SFTP server.

However, from what I read, it seems that the cert in that case is used to verify the client, while what I'm looking for is a cert for the client to verify the server's authenticity.
#31385
Posted: 11/10/2014 00:00:25
by Eugene Mayevski (EldoS Corp.)

Certificates there are used to extract keypairs from them. Certificates are not transferred during handshake (unlike TLS).


Sincerely yours
Eugene Mayevski