SFTP seems to require the public key file - why?

Jakub Jelen jjelen at redhat.com
Tue Sep 29 22:47:35 AEST 2020


On 9/28/20 11:58 AM, Peter Stuge wrote:
> karl.peterson at gmail.com wrote:
>> Why is the client's public key needed to connect to a server?
> 
> It isn't strictly needed if the connection does succeed in some cases..
> 
> 
>> Why doesn't the client present the requested identity first if the
>> public key is not present?
> 
> I guess that this is more by accident than anything else, but I agree
> that it would be desirable to have the client behave the same in both
> cases. It is both an unnecessary information leak and a potential
> usability issue (as in your case).
> 
> For now you can use 'IdentitiesOnly yes' in .ssh/config to tell ssh
> (thus also sftp) to only offer the explicitly configured identities.
> 
> 
>> Additionally, why is the public key portion of the private key file
>> encrypted by the passphrase?
> 
> The public key isn't stored in the private key file, it is
> mathematically derived from the decrypted private key.

This is no longer true with the new OpenSSH key file format. But this
functionality using these public keys is very fresh.

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
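The point in the reply above, that the newer OpenSSH key file format stores the public key outside the encrypted part, can be checked directly: an `openssh-key-v1` file (the `-----BEGIN OPENSSH PRIVATE KEY-----` format documented in PROTOCOL.key in the OpenSSH source) begins with a plaintext header listing the cipher, KDF and each public key, and only the trailing section is encrypted with the passphrase. The parser below is an added example, not code from this thread or from OpenSSH; it reads only that plaintext header, so no passphrase is ever needed. The sample file it builds is constructed for the demonstration: the public key bytes are a dummy 32-byte value and the private section is filler, not a real key.

```python
import base64
import struct

PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"  # fixed magic at the start of the binary body


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    """Decode one SSH wire 'string' at offset off; return (bytes, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def inspect_private_key_file(pem_text):
    """Return (cipher, kdf, [public key lines]) from an openssh-key-v1 file.

    Only the unencrypted header is parsed, so this works on a
    passphrase-protected file without knowing the passphrase.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH private key file")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(AUTH_MAGIC)
    cipher, off = _read_string(blob, off)       # e.g. b"aes256-ctr" or b"none"
    kdf, off = _read_string(blob, off)          # e.g. b"bcrypt" or b"none"
    _kdfopts, off = _read_string(blob, off)     # salt + rounds when a KDF is used
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    keys = []
    for _ in range(nkeys):
        pub_blob, off = _read_string(blob, off)  # same blob as in authorized_keys
        keytype, _ = _read_string(pub_blob, 0)
        keys.append(keytype.decode() + " " + base64.b64encode(pub_blob).decode())
    # Everything after this offset is the (possibly encrypted) private section;
    # it is deliberately left untouched.
    return cipher.decode(), kdf.decode(), keys


def parse_public_key_line(line):
    """Split an 'ssh-ed25519 <base64>' line into (keytype, raw key bytes)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    raw, _ = _read_string(blob, off)
    if wire_type.decode() != keytype:
        raise ValueError("key type mismatch in public key line")
    return keytype, raw


def build_constructed_sample(pubkey_bytes, encrypted=True):
    """Build a structurally valid openssh-key-v1 file around a constructed key.

    The private section is filler bytes standing in for the encrypted part;
    it is not a real key and cannot be used for authentication.
    """
    pub_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey_bytes)
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _ssh_string(b"\x11" * 16) + struct.pack(">I", 16)  # salt, rounds
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
    private_section = b"\x00" * 160  # constructed filler, not a real private key
    body = (AUTH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(pub_blob) + _ssh_string(private_section))
    b64 = base64.b64encode(body).decode()
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([PEM_HEADER, *wrapped, PEM_FOOTER]) + "\n"


if __name__ == "__main__":
    sample = build_constructed_sample(bytes(range(32)))
    cipher, kdf, keys = inspect_private_key_file(sample)
    print("cipher:", cipher, "kdf:", kdf)
    for k in keys:
        print("public key readable without passphrase:", k)
```

Run it and the public key line is printed even though the file claims `aes256-ctr`/`bcrypt` protection; this is exactly why a client can offer the public key before touching the passphrase, and why a separate `.pub` file is no longer strictly necessary for this format. For a key in the older PEM format, the public half really is only obtainable by decrypting the private key, which is the situation the earlier reply describes.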
