OK; that clarifies things a bit - thanks!
- CaBabaSiMitralier
Post a reply
Before posting, please read how to report bug or request support effectively.
Bug reports without an attached log file are usually useless.
Topic review
- martin
Re: What exactly does the private key do?
If so, how does the server get the public key?
See https://winscp.net/eng/docs/guide_public_key
If the goal is to prove the identity of the client, is this basically the inverse of using a host key fingerprint (rather than the server proving its identity to the client, the client is proving its identity to the server).
Yes. See https://winscp.net/eng/docs/ssh_keys
What is the implication if the client does not use a private key and just relies on a password? Is this simply that you are then relying on a single factor rather than two factors?
Usually you use either a password or a public key authentication. Not both. So it's usually the single-factor authentication in both cases. The public key authentication has the advantage of the key being much stronger than a password. It's also "easier" to have unique key for each account, as opposite to having to memorize unique password for each account.
See also https://security.stackexchange.com/q/3887/43677
The scenario I have in mind is:
1) The client requests access to the server from an admin (does the client supply a public key here?)
Yes.
- CaBabaSiMitralier
What exactly does the private key do?
I realize this is a very newb question, but I can't seem to find a simple explanation:
What function does the -privatekey flag (or SessionOptions.SshPrivateKeyPath property) serve, in the SFTP case? I know what a private key is, but I am not clear on how it is used in this case. The client has the private key, so does this assume the server has a matching public key? If so, how does the server get the public key?
If the goal is to prove the identity of the client, is this basically the inverse of using a host key fingerprint (rather than the server proving its identity to the client, the client is proving its identity to the server).
What is the implication if the client does not use a private key and just relies on a password? Is this simply that you are then relying on a single factor rather than two factors?
The scenario I have in mind is:
1) The client requests access to the server from an admin (does the client supply a public key here?)
2) The admin provides a username and password (while registering the public key with the server?)
3) The client accesses the server by providing the username and password.
4) The server returns the public key and the client checks this against the private key(?).
My confusion arises because I am struggling to picture how the key exchange happens in the real world. I don't recall ever using a private key when accessing an SFTP server, but maybe the servers I have been accessing have just not used that level of security.
What function does the -privatekey flag (or SessionOptions.SshPrivateKeyPath property) serve, in the SFTP case? I know what a private key is, but I am not clear on how it is used in this case. The client has the private key, so does this assume the server has a matching public key? If so, how does the server get the public key?
If the goal is to prove the identity of the client, is this basically the inverse of using a host key fingerprint (rather than the server proving its identity to the client, the client is proving its identity to the server).
What is the implication if the client does not use a private key and just relies on a password? Is this simply that you are then relying on a single factor rather than two factors?
The scenario I have in mind is:
1) The client requests access to the server from an admin (does the client supply a public key here?)
2) The admin provides a username and password (while registering the public key with the server?)
3) The client accesses the server by providing the username and password.
4) The server returns the public key and the client checks this against the private key(?).
My confusion arises because I am struggling to picture how the key exchange happens in the real world. I don't recall ever using a private key when accessing an SFTP server, but maybe the servers I have been accessing have just not used that level of security.