Using SSH Client Keys and Host Keys

Sep 24, 2018

SSH client keys and host keys come into play when an SFTP client connects to and authenticates with an SFTP server. Client keys authenticate the user connecting to the SFTP server. Host keys let the SFTP client confirm that it is talking to the intended SFTP server rather than some other host answering at that address. NOTE: Diplomat MFT always acts as the SFTP client.

Using SSH Client Keys

When an SFTP server administrator sets up a login account for you, they decide how that account will authenticate when connecting to the server. Authentication can require a username/password pair and/or an SSH client key. If the administrator requires that you authenticate with a key, they will ask you to send them your public key.

To use an SSH Client Key with Diplomat MFT, you must:

  • Create an SSH client key pair by selecting Keys > SSH Client Keys > Create Key Pair from the top menu bar.
  • Export the public key from the newly created SSH client key pair into a file by selecting Keys > SSH Client Keys > Export Public Key from the top menu bar.
  • Send the public key file to the SFTP server administrator (e.g., by email). Only the public key is needed on the server side; the private key stays in Diplomat MFT and should never be sent to anyone.
  • Once the server administrator has attached the public key to your account, select that SSH client key on the SFTP panel in the Source or Destination Partner Profile when setting up the transaction.

Screenshot of SSH Client Key Settings

NOTE:  Using an SSH client key is optional. If the SFTP server administrator does not request an SSH public key, you do not have to use one.

Using SSH Host Keys

When you connect to an SFTP server, you can (optionally) have Diplomat MFT verify the identity of the SFTP server by comparing the fingerprint of the SSH host key supplied by the server with the fingerprints stored in the Diplomat database.

To verify an SFTP server's identity, Diplomat MFT uses the fingerprint of the server's SSH host key, not the entire key. A fingerprint is a cryptographic hash of the public key, so for a sound hash algorithm it identifies that key as reliably as the full key does. A fingerprint is generally displayed as colon-separated hex byte values. For example, 4D:DD:BF:DB:8D:CA:9F:6C:14:FB:BB:FA:D4:E0:25:16:76:6B:DD:0A (20 byte pairs, the length of a SHA-1 digest). You will need to obtain the SFTP server's key fingerprint from the administrator (e.g., via email). Bear in mind that the verification is only as trustworthy as the channel the fingerprint arrived over: if it came by email, confirm it with the administrator out of band before relying on it.

NOTE: Some SFTP client applications verify the server using its full public SSH key rather than the key's fingerprint. If an SFTP server administrator sends you a public SSH key, do not attempt to import it into Diplomat MFT: Diplomat does not authenticate this way and cannot read the SSH public key file. Ask the administrator for the fingerprint instead, or compute the fingerprint from the public key yourself, since the fingerprint is simply a hash of that key.
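The two points above, that a host-key fingerprint is a hash over the key rather than the key itself, and what to do when an administrator sends you a public key file instead of a fingerprint, can be seen in the following Python script. It is an added example, not part of the original article and not Diplomat MFT code: it parses an OpenSSH public-key line (the `ssh-ed25519 AAAA... comment` format), hashes the decoded key blob, and prints the fingerprint as the colon-separated hex a client such as Diplomat displays. The sample key is constructed inside the script from an arbitrary 32-byte value and is not a real key; the comment `admin@sftp.example.net` is made up. Because the article's sample fingerprint has 20 byte pairs, the length of a SHA-1 digest, `sha1` is the default here.

```python
"""Derive SSH host-key fingerprints from an OpenSSH public-key line.

Added example, not Diplomat MFT code. Demonstrates that the fingerprint is a
hash over the key blob alone (the trailing comment never enters it) and how to
turn a public key file into colon-separated hex for comparison against the
value a client shows. The sample key below is constructed, not real.
"""
import base64
import hashlib
import struct


def parse_openssh_pubkey(line: str) -> tuple[str, bytes, str]:
    """Split '<type> <base64 blob> [comment]' into (type, decoded blob, comment).

    The blob begins with its own length-prefixed type string; it must agree
    with the text prefix, otherwise the line has been edited or corrupted.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + length].decode("ascii")
    if inner_type != key_type:
        raise ValueError(f"type prefix {key_type!r} does not match blob type {inner_type!r}")
    return key_type, blob, comment


def fingerprint_hex(blob: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the raw key blob.

    'sha1' yields 20 byte pairs (the form shown in the article), 'md5' 16,
    'sha256' 32.
    """
    digest = hashlib.new(algorithm, blob).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_openssh_sha256(blob: bytes) -> str:
    """The 'SHA256:<base64>' form that ssh-keygen -l prints, for cross-checking."""
    b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + b64


def fingerprint_from_line(line: str, algorithm: str = "sha1") -> str:
    """Fingerprint of a whole public-key line; only the blob is hashed."""
    _, blob, _ = parse_openssh_pubkey(line)
    return fingerprint_hex(blob, algorithm)


def normalize_fingerprint(fp: str) -> str:
    """Drop ':' or ' ' separators and case so pasted values compare equal."""
    return "".join(c for c in fp if c.isalnum()).upper()


def fingerprints_match(shown: str, expected: str) -> bool:
    """True only if both are non-empty hex fingerprints and identical after normalisation."""
    a, b = normalize_fingerprint(shown), normalize_fingerprint(expected)
    hexdigits = set("0123456789ABCDEF")
    if not a or not b or not set(a) <= hexdigits or not set(b) <= hexdigits:
        return False
    return a == b


def build_sample_pubkey_line(comment: str = "admin@sftp.example.net") -> str:
    """Constructed ssh-ed25519 public-key line (NOT a real key) for offline use.

    An ssh-ed25519 blob is string("ssh-ed25519") || string(32-byte point),
    each string prefixed by its big-endian uint32 length.
    """
    point = bytes(range(32))  # arbitrary 32 bytes standing in for a public point
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(point)) + point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    line = build_sample_pubkey_line()
    key_type, blob, comment = parse_openssh_pubkey(line)
    print(f"type={key_type} comment={comment!r}")
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg:7s}{fingerprint_hex(blob, alg)}")
    print(fingerprint_openssh_sha256(blob))
    # A different comment changes the line but not the fingerprint.
    print(fingerprint_from_line(build_sample_pubkey_line("renamed")) == fingerprint_from_line(line))
```

If you have a trusted machine with OpenSSH, `ssh-keyscan -t ed25519 sftp.example.net > hostkey.pub` followed by `ssh-keygen -lf hostkey.pub -E md5` gives you an independently obtained MD5 fingerprint to set against what the administrator sent and what Diplomat shows; ssh-keygen prints its SHA-1 and SHA-256 digests in base64 rather than hex, which is why the script offers the hex form for those too.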

Using SSH host keys is optional, but without it Diplomat MFT accepts whatever host key the server presents. If you choose to use SSH host keys, you must:

  • Add the host address and fingerprint of the SFTP server to the SSH host key list in Diplomat MFT under Keys > SSH Host Keys from the top menu (or import it with the Test button in a partner profile, as described below).
  • Check ‘Verify SSH host key’ on the SFTP panel in the Source or Destination Partner Profile when setting up transactions.
  • Use the Show SSH Host Keys button on the same panel to confirm that the host address and fingerprint appear in the SSH host key list.

Alternatively, the SSH host key can be imported from the Partner Profile panel. Enter the partner information and verify the connection using the Test button. If the connection succeeds, check the ‘Verify SSH Host Key’ checkbox and connect again using the Test button. A pop-up dialog displays the server's address and fingerprint. Compare it, byte for byte, with the fingerprint received from the SFTP server administrator; if it matches, click ‘OK’ to import the fingerprint into the Diplomat database. If it does not match, do not import it and contact the administrator. Note that the first Test, made with the checkbox still unchecked, connects and authenticates without checking the server's identity, so if the account uses a password that password has already been sent to whichever host answered.

Screenshot of SSH Host Key Settings