SFTP seems to require the public key file - why?

karl.peterson at gmail.com karl.peterson at gmail.com
Fri Sep 25 06:31:37 AEST 2020

We migrated a server a few days ago, and the private keys we use to connect
to customers got moved as well. However, some of our automated sftp batches
were failing with authentication errors. Looking into the verbose output, I
noticed that even though ~/.ssh/config is explicitly configured to use a
specific identity file, sftp was presenting every key known to the
ssh-agent, in order. This particular customer had their daemon configured to
only allow 3 attempts. When we connected from the old server, sftp presents
the configured identity file first. I also noticed that at the beginning of
the output, it complained about not being able to find the public key file.
We extracted the public key from the private key file (giving ssh-keygen the
passphrase), and the issue resolved. To wit, sftp presented the correct
identity to the server first.


My question is, why does this happen? Why is the client's public key needed
to connect to a server? Why doesn't the client present the requested
identity first if the public key is not present? For other servers that we
connect to, there is no configured maximum login attempts; verbose output
shows sftp present each identity until it finds the correct one, which is
accepted and authentication is successful. Obviously, the public key isn't
cryptographically NECESSARY to authenticate.


Additionally, why is the public key portion of the private key file
encrypted by the passphrase? Shouldn't it be in plaintext so it's easy to




Karl Peterson

More information about the openssh-unix-dev mailing list