SSH SFTP Public Key Authentication in Cerberus FTP Server

Cerberus FTP Server Professional edition allows administrators to configure SSH public key authentication for user accounts that establish SFTP connections. Public key authentication can be combined with password authentication to give clients stronger authentication options, and the required combination of password and/or public key authentication can be set individually for each user.

How Public Key Authentication Works

When using public key authentication, Cerberus will verify that the signature presented by an SFTP client matches the public key associated with that user.

The Cerberus FTP Server User Manager allows each user to be configured with a required SSH authentication method. The authentication method can be set to require a password only (the default), a public key only, both a password and a public key, or either a password or a public key.

When a user's authentication method is set to public key only, or to password and public key, an option for selecting a public key file also becomes available. The public key file can be in SSH format (as defined in RFC 4716), OpenSSH v2 format, or a PEM or DER encoded certificate.

Multiple SSH Keys per Authenticated User

A single user can authenticate with more than one different SSH client key. This allows interactive or automated processes that share a common username and sign on from several different machines to enjoy the benefits of multi-factor authentication without the hassle of key replication and coordination. You can assign multiple SSH public keys to a user account by putting each key in the same file. Each public key must be on a new line.

Configuring a user for SSH Public Key Authentication

Configuring an SSH user for public key authentication requires both a public SSH key and a private SSH key (also known as an SSH key pair). We recommend the client create their own SSH2 key pair and then send the public key to the server administrator. The key strength should be at least 2048 bits for RSA or DSA keys. The next few sections describe two approaches to SSH key creation, and how to assign the created public key to an account in Cerberus FTP Server.
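Because a multi-key file holds one key per line and the guidance above sets a 2048-bit floor for RSA and DSA keys, an administrator can sanity-check a submitted key file before assigning it to an account. The following Python script is an added example and is not part of Cerberus FTP Server or this page; it parses OpenSSH v2 format lines only (not RFC 4716 or PEM/DER), and the sample key file it builds uses constructed synthetic moduli, not real keys.

```python
import base64

MIN_BITS = 2048                              # minimum RSA/DSA strength the page recommends
SIZE_FIELD = {"ssh-rsa": 1, "ssh-dss": 0}   # fields to skip after the type before n / p

def _ssh_string(b: bytes) -> bytes:         # SSH wire string: uint32 length + bytes
    return len(b).to_bytes(4, "big") + b
def _mpint(n: int) -> bytes:                # SSH mpint; a leading 0x00 keeps it positive
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
def _read_string(blob: bytes, pos: int):    # one length-prefixed field, bounds-checked
    ln = int.from_bytes(blob[pos:pos + 4], "big")
    if len(blob) < pos + 4 + ln:
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + ln], pos + 4 + ln

def key_bits(line: str):  # parse one OpenSSH line '<type> <base64> [comment]' -> (type, bits)
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)   # raises ValueError on bad base64
    embedded, pos = _read_string(blob, 0)
    if embedded != parts[0].encode():                  # the blob names its own type
        raise ValueError(f"type field {parts[0]} does not match embedded {embedded!r}")
    if parts[0] not in SIZE_FIELD:
        return parts[0], None                          # ed25519/ecdsa: no RSA/DSA size rule
    for _ in range(SIZE_FIELD[parts[0]]):              # ssh-rsa: skip the public exponent e
        pos = _read_string(blob, pos)[1]
    field = _read_string(blob, pos)[0]                 # RSA modulus n or DSA prime p
    return parts[0], int.from_bytes(field, "big").bit_length()

def check_key_file(text: str):  # -> [(line_no, ok, detail)] for each non-blank line
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ktype, bits = key_bits(line)
            out.append((no, bits is None or bits >= MIN_BITS, f"{ktype} {bits} bits" if bits else ktype))
        except ValueError as exc:
            out.append((no, False, str(exc)))
    return out

def make_rsa_line(bits: int, comment: str) -> str:  # constructed: synthetic odd modulus, not a real key
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed multi-key file, one key per line; the 1024-bit and malformed lines must be rejected.
SAMPLE_KEY_FILE = "\n".join([make_rsa_line(2048, "build-server"),
                             make_rsa_line(1024, "legacy-laptop"),
                             "ssh-rsa not-base64!! broken-line"])
```

Run `check_key_file` over the contents of the submitted file; any line reported as not ok should be fixed by the client before the file is assigned to the account.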

Method 1: Client creates the SSH public and private key

The recommended method of key creation and distribution is for the client to create the SSH key pair. The client will give the SSH public key to the Cerberus FTP Server administrator, while keeping the secret private key for their SFTP client. The server administrator can then assign the public key to the user’s account. This approach ensures that the client is the only entity to ever possess the private key, and removes the need to securely deliver the private key to the client.

The public key is the only file the Cerberus administrator needs, and the public key file’s contents do not need to be kept secret. The file can be sent unencrypted from the client to the administrator.

Many SFTP clients already have utilities built in to create an SSH2 key pair, but if your client does not have one, they can download a free utility like PuTTYgen to create one on their machine.

Method 2: Server Administrator creates the SSH public and private key

You can also have the server administrator create and deliver the key pair for the client. However, with this approach the administrator now has the task of securely sending the private key to the client.

The private key must be kept secret, and only the client should ever have access to the private key file.

Adding the SSH public key to the user’s account in Cerberus FTP Server

The final step in configuring a user for public key authentication is assigning the client’s public key to the user account in Cerberus FTP Server.

Figure: The SSH Authentication Method dialog in the User Manager

The procedure for configuring a user for SSH Public Key Authentication in Cerberus FTP Server is:

  1. Open the Cerberus FTP Server User Manager. The default page is the Users tab.
  2. Select the user account that you wish to configure from the Cerberus Users account list.
  3. You will see three tabs to the right of the selected user account. Select the Profile tab.
  4. Double-click on the Authentication property for the selected user. The Change Authentication Requirements dialog will appear.
  5. Select the Public Key Only or Public Key and Password radio option. The Key Path edit box and file selection button will become visible/enabled.
  6. Select the folder button next to the Key Path edit box. A file selection dialog box will appear.
  7. Select the public key file you wish to use for the selected user. Press the Open button to select the file.
  8. Press the OK button on the Change Authentication Requirements dialog to close and save the new SSH authentication settings.
  9. Press the Close button on the User Manager to save the changes to the selected user.

The client should now be able to connect to Cerberus FTP Server and perform public key authentication. The client will have to assign and use the SSH private key in their SFTP application.

