Sftp query
Registered: 03-04-1998

Sftp query

Have just installed Secure Shell A.03.71 on my HP-UX 11.11i system to enable me to make use of sftp so that I can set up an 'SSL compatible ftp client' to access an ftp server that only allows secure connections, i.e. both client and server will exchange certificates.

My question is how do I generate a certificate in the first instance to send to the folks who own the ftp server, who will in turn send me back a newly generated certificate. My second question is what do I then do with this certificate.

As you've gathered I'm slightly confused with the steps in configuring sftp.
Exalted Contributor
Registered: 08-15-2002

Re: Sftp query

Docs on ssl




sftp doesn't really use these certificates but I suppose you could force it.

Steven E Protter
Owner of ISN Corporation
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Trusted Contributor
Registered: 04-09-2003

Re: Sftp query


You don't need to exchange certificates, that is mostly used when signing email.

Your ssh server (sshd) has generated its own certificate; the first time someone connects to it he/she has to manually accept it.

So, when you connect to the remote sftp server, you might need to accept a certificate once, but that's probably not even required. The traffic would be encrypted from the start and you should be able to log in and transfer files.


linux: the choice of a GNU generation
Honored Contributor
Registered: 02-27-2001

Re: Sftp query

I think that you're getting a bit mixed up here.

PKI certificates can be used in a number of ways. SSH uses a public/private key pair simply to ensure that conversations can be encrypted, and to ensure that parties are who they claim to be. However, the major problem is that the first time you connect to a host you are given the option of accepting their key, and thus taking it as the way of checking their identity. If you were to accept this key from a trojaned host, then you would forever accept them as the real host.

PKI, when used in email, uses a construction known as an X.509 format certificate. This certificate has been constructed in such a way that it is bound to the rightful owner, and cannot be changed, or used by an impostor, without you being able to detect it. For an in-depth explanation of this process see www.verisign.com.

SSL (Secure Sockets Layer) is a component of many "secure" network services, though it is also completely invisible to the end-user, therefore I wouldn't really worry about it.

To generate a public/private key pair for use with ssh/scp, or sftp, use:

ssh-keygen -t rsa

and then send the remote user the ~/.ssh/id_rsa.pub file. They can then set up their system so that you can access it (as this user) without a password.
If you want them to access your system (for a particular user) get them to send you their id_rsa.pub file and append it to your ~/.ssh/authorized_keys file.
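The two things the replies above turn on are (a) the "ssh-rsa AAAA..." line that ssh-keygen writes to id_rsa.pub and that you append to authorized_keys or known_hosts, and (b) the first-connection decision: accept the host key, or refuse because the host is already known with a different key (the trojaned-host case). The following Python is an added example, not code from the original thread or from OpenSSH. It builds and parses that public-key line format, derives the SHA256/MD5 fingerprints that ssh-keygen -l prints (so a fingerprint can be checked out of band before accepting it), and makes the known_hosts trust decision for both plain and hashed (|1|salt|hmac) entries. The RSA parameters, hostnames, salt and known_hosts text are all constructed for illustration; the keys are not usable keys.

```python
"""Added example: OpenSSH public-key line parsing, fingerprints, and the
known_hosts trust-on-first-use decision. Not from the original thread.
All sample keys, hostnames and the salt below are constructed."""
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix, then bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian two's complement, leading 0x00 if the MSB is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key(e: int, n: int, comment: str = "") -> str:
    """Produce an id_rsa.pub / authorized_keys style 'ssh-rsa AAAA...' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def parse_public_key(line: str):
    """Return (key_type, fields, raw_blob); fields are the wire strings after the type."""
    text_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + ln])
        off += ln
    key_type = fields[0].decode()
    if key_type != text_type:
        raise ValueError("key type inside blob does not match the text prefix")
    return key_type, fields[1:], blob


def fingerprints(line: str):
    """Fingerprints as ssh-keygen -l prints them: SHA256 (unpadded base64) and MD5 (hex pairs)."""
    _, _, blob = parse_public_key(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def hashed_hostname(host: str, salt: bytes) -> str:
    """known_hosts hashed name: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), "sha1").digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def check_host_key(known_hosts: str, host: str, presented: str) -> str:
    """Trust-on-first-use decision for the key a server presents at connect time.
    'trusted'  : host is listed with exactly this key
    'mismatch' : host is listed, but only with a different key (do not connect)
    'unknown'  : no entry; the client would prompt to accept (verify fingerprint first)"""
    p_type, _, p_blob = parse_public_key(presented)
    seen_host = False
    for raw in known_hosts.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        names, k_type, k_b64 = raw.split()[:3]
        if names.startswith("|1|"):
            _, _, salt_b64, _ = names.split("|")
            matches = names == hashed_hostname(host, base64.b64decode(salt_b64))
        else:
            matches = host in names.split(",")
        if not matches:
            continue
        seen_host = True
        if k_type == p_type and base64.b64decode(k_b64) == p_blob:
            return "trusted"
    return "mismatch" if seen_host else "unknown"


# Constructed sample data (tiny moduli, not real keys; salt is fixed for reproducibility).
KEY_A = build_rsa_public_key(65537, 0xC0FFEE0123456789ABCDEF0123456789ABCDEF, "user@client")
KEY_B = build_rsa_public_key(65537, 0xDEADBEEF0123456789ABCDEF0123456789ABCD, "impostor")
SAMPLE_SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "ftp.example.com,10.0.0.5 " + KEY_A,
    hashed_hostname("ftp2.example.com", SAMPLE_SALT) + " " + KEY_A,
])

if __name__ == "__main__":
    print(KEY_A)
    print(*fingerprints(KEY_A), sep="\n")
    for h, k in [("ftp.example.com", KEY_A), ("ftp.example.com", KEY_B), ("other.example.com", KEY_A)]:
        print(h, "->", check_host_key(SAMPLE_KNOWN_HOSTS, h, k))
```

The practical use of this: before answering "yes" to the first-connection prompt, ask the server's owner for the fingerprint of their host key (on the server, ssh-keygen -lf of the host public key file) and compare it with what the client displays; a "mismatch" result on a later connection means the key changed and should be treated as a possible impersonation, not silently accepted.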
Valued Contributor
Registered: 03-10-1998

Re: Sftp query

In case the above hasn't made clear, there are two different protocols that go under the name of "secure ftp" or "sftp". Some people mean "ftp over ssh", but most "secure ftp" off-the-shelf products and Windows users mean "ftp over ssl". It's kind of like the difference between PGP and SMIME for "secure email". If you hear the word "certificate," you're talking about "ftp over ssl" (or SMIME), and not "ftp over ssh" (or PGP).

By installing OpenSSH, you get "ftp over ssh". If you want a server that supports "ftp over ssl" then -- AFAIK -- you'll need to buy one. Anyone know of an opensource FTP+SSL server?
Honored Contributor
Registered: 09-04-1997

Re: Sftp query


If you are into FTP over SSL, give stunnel a try.


However, considering the limitations of tunneling FTP over SSL, i.e. you need to cater for both FTP CONTROL and FTP DATA traffic, you are much better off using SFTP (FTP over SSH).

There is no need for certificates. Trust relationship using public/private key pairs should suffice such that secure FTP can be performed via automated scripts or cron jobs without passwords being entered.

Hope this helps. Regards.

Steven Sim Kok Leong
Email: steven@beepz.com. Homepage: https://www.beepz.com
The opinions expressed above are the personal opinions of the authors, not of HP.