At line 1 changed one line |
The list of paths to trusted SSH key files controls the public / private key authentication that SFTP allows for. This setting does not want you to enter in a 'trusted keys file', or a folder path, but rather the path to the actual key file itself. So '/files/keys/' is not OK, while '/files/keys/ben.pub' would be OK. Separate multiple items with new lines. Most SSH key formats are supported. |
The list of paths to trusted SSH key files controls the public / private key authentication that SFTP allows for. If set, we will assume the user will attempt [SSH public key based authentication|https://www.ssh.com/academy/ssh/public-key-authentication], if no password is supplied at login time. In real-life use case the client end generates the key pair, supplies server side \\ |
the public key that the server admin will apply on their user account. Server side has no knowledge of the matching private key, that would be the end client's own secret.\\ |
At line 3 changed one line |
[attachments|ssh_keys.png] |
[{Image src='ssh_keys1.jpg' width='1920' height='..' align='left' style='..' class='..' }]\\ |
\\ |
!!Allowed values for the input field:\\ |
__.__ a single or multiple file paths pointing to individual public key files, like /c:/sshkeys/test.pub. This option is to be used when setting up individual user accounts with SSH public keys\\ |
\\ |
__.__ a directory path pointing to a directory that contains the user public keys, the key files inside must have their filename stem part matching the user name, we then load these automatically. This option is to be used when assigning the setting by inheritance on the __default__ user, local group template\\ |
accounts or LDAP plugin Role template or any integration plugin's global template. For example, a domain user named __johndoe@intranet.local__ will associate with a key file named __johndoe.pub__ (part of user name and key file name stem matches from left to right starting with the \\ |
leftmost character)\\ |
\\ |
__.__ the content of the public key file itself\\ |
\\ |
__.__ multiple public keys pasted in, one on each new line terminated with __;;;__ like\\ |
{{{ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbYYodleVXqAIWLQpw1S4cPKxyiuNtmCJkyJBEAd0K+nRy/FOIVosCJTamoq9wy6T1zZ8/tgDLjTSdOr8d4+CwdDYXviT6oN6cxqJmti3bZBzWfFXm6H3jJlY4TVr+BgIKf8els1pSvvqs77CgT2LOp894IFqctQ5Knz0PLBqCIOIUbeZYrvEtWsXI5af+8rrwquQ1HE7dB2DgLEvRL2B9rKkEaO9zQtN/Uj8LObXbIHjHN13qpThi676ZmleE2UHNGrkkmM7eHxolDKMaBWOza+6NsiqdB6WrA66p1XDDjDRVgKxC/lkuGdWmTSUkMmmQFW2mPIIsBXXHW/miKbN7;;; |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCnVK37Nrzpo6zzjrwb++yTAQaRtFVEsmF8O+5ePXX+YeWzkVJrzPGitjm7U8KJL1SibqJPJy3VhuwR1sTWotKdwvIY14lyQF+2qNeYb0NwsH4vD0p7JGC/OlLydG0/uRYYWmJQpqoNAzT3Cvbd3xvMzJyBCSAg8iHXniV/f3otDiJFvnQ5XVt6hk9txMbuZrPt84Kp1Dp8lUSTlUF5EYmDhBqww6vBRxH+1EROFfulLYv976Pn39db0+UfaxNJ6v1S6M/OzWzHNf+G+luGdEJrEGsHZK8XCVF8xEYjG2apn07hf3gsc3vcrV/SeoG4jlR6SyVUsXeZSmRgYgtdVnV;;; |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAX/UkAkGxzxGX/ljI+Iwv9P3saLr6kIp0MWqHUIFYfYtA31pPGn9uBTE39cTZq9XJh4wCmpzlLjG5so6pmYlgchhLwHltCrmpgeTc8gg3ABFd9hp6t4nQTkug99plL+gLXqNOX3puojd/EfWDlOZTzX2ytqhTG3+e4vBA1qsLs6IJt3u2hzSbhKJjBuBnioh/QVW+etE2gEMDpLobFgWHdrIJy1scSG/HU+SvmheiOfeQNPkBGOeZREWXv3xRbPzQaduZwmfZTdNKU2rWz2r5dgl20olqOTvJQSHBAKyOZaB5hRnlbjRY4K+g/qWDC230NAUtTGyr6pQZgP/2SlsD;;;}}} |
\\ |
!!Supported key file type and format:\\ |
__The key file container__ must be plain text with __PEM__ encoded SSH public key in __SSHv2__, __openssh.com__ or __putty__ format. The older SSHv1 format is not supported.\\ |
\\ |
__Supported SSH key algorithms__ in CrushFTP v10 are __SSH2-RSA__, __DSA__ (obsolete), __ECDSA__ and __ED25519__. The older SSH1 RSA algorithm is not supported.\\ |
\\ |
__Key size:__ For RSA keys, the minimum size is 1024 bits and the default is 2048 bits . Generally, 2048 bits is considered sufficient, though these can be as large as 8192 bits (slow). DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys either 256, 384 or 521 bits. Ed25519 keys have a fixed length. |
\\ |
---- |
!Require public key and password for authentication: |
This option will enforce two factor private key + password authentication for SFTP. |
\\ |
---- |
!!Generating the key pair: |
__OS X or Linux__\\ |
\\ |
Generate a key pair by issuing this command in a Terminal window: |
At line 5 changed one line |
There is also a more generic way to use this field. If the key file has the exact name of the user logging in, you can instead reference the directory '/files/keys/'. In this case there would need to be a file named 'ben' in that directory. |
{{{ssh-keygen -b 2048 -t rsa -N "" -f /somefolderpath/johndoe.key |
}}} |
|
Take the resulting public key and point CrushFTP to it as described above. |
|
__Windows__ |
|
Windows PowerShell now includes an [openSSH stack|https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse], can use the same __ssh-keygen__ tool as above.\\ |
\\ |
If you are unsure of how to generate a public / private key pair for your SFTP client, you may want to take a look at [puttygen|https://the.earth.li/~sgtatham/putty/0.77/w64/puttygen.exe] for Windows to generate the keys.\\ |
\\ |
[{Image src='ssh_keys2.jpg' width='80%' height='..' align='left' style='..' class='..' }]\\ |
\\ |
CrushFTP can use the public key file you generate.\\ |
|