SFTP seems to require the public key file - why?

Jakub Jelen jjelen at redhat.com
Tue Sep 29 22:47:35 AEST 2020

On 9/28/20 11:58 AM, Peter Stuge wrote:
> karl.peterson at gmail.com wrote:
>> Why is the client's public key needed to connect to a server?
> It isn't strictly needed if the connection does succeed in some cases.
>> Why doesn't the client present the requested identity first if the
>> public key is not present?
> I guess that this is more by accident than anything else, but I agree
> that it would be desirable to have the client behave the same in both
> cases. It is both an unnecessary information leak and a potential
> usability issue (as in your case).
> For now you can use 'IdentitiesOnly yes' in .ssh/config to tell ssh
> (thus also sftp) to only offer the explicitly configured identities.
>> Additionally, why is the public key portion of the private key file
>> encrypted by the passphrase?
> The public key isn't stored in the private key file, it is
> mathematically derived from the decrypted private key.

This is no longer true with the new OpenSSH key file format. But this
functionality using these public keys is very fresh.

Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
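As an added illustration of Jakub's point (this is not code from the thread or from OpenSSH): in the openssh-key-v1 container the public key sits in the cleartext header, ahead of the passphrase-encrypted section, so a reader can recover the authorized_keys line without ever decrypting anything. The key file below is constructed in-code with a fake ed25519 public key and an opaque placeholder where the ciphertext would be.

```python
import base64
import struct

AUTH_MAGIC = b"openssh-key-v1\x00"
FAKE_PUB = bytes(range(32))  # constructed stand-in for a 32-byte ed25519 public key

def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b

def build_openssh_key_file(pub: bytes, ciphername: bytes = b"aes256-ctr") -> str:
    """Assemble a PEM block in the openssh-key-v1 layout (constructed test data)."""
    pub_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)  # salt, rounds
    body = (AUTH_MAGIC
            + _ssh_string(ciphername)
            + _ssh_string(b"bcrypt")
            + _ssh_string(kdfoptions)
            + struct.pack(">I", 1)          # number of keys
            + _ssh_string(pub_blob)         # public key: stored in cleartext
            + _ssh_string(b"\x00" * 128))   # placeholder for the encrypted section
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"

def read_public_keys(pem: str):
    """Return (ciphername, [(key_type, raw_pub, authorized_keys_line), ...]) from the header only."""
    data = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    if not data.startswith(AUTH_MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    pos = len(AUTH_MAGIC)
    def take():  # read one SSH string at the cursor
        nonlocal pos
        (n,) = struct.unpack(">I", data[pos:pos + 4])
        s = data[pos + 4:pos + 4 + n]
        pos += 4 + n
        return s
    ciphername = take().decode()
    take(); take()  # kdfname and kdfoptions are not needed to read the public key
    (nkeys,) = struct.unpack(">I", data[pos:pos + 4])
    pos += 4
    keys = []
    for _ in range(nkeys):
        blob = take()
        ktype_len = struct.unpack(">I", blob[:4])[0]
        ktype = blob[4:4 + ktype_len].decode()
        raw_pub = blob[8 + ktype_len:]  # single-string key types (ed25519); RSA has more fields
        keys.append((ktype, raw_pub, f"{ktype} {base64.b64encode(blob).decode()}"))
    return ciphername, keys
```

Running read_public_keys on a file whose ciphername is aes256-ctr still yields the public key, which is exactly why the client can offer that identity before any passphrase prompt.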
