SFTP Authentication
In order to establish an SFTP connection, both sides are authenticated: the client verifies the server's host key, and the server verifies the client by username/password or by public key. Find detailed information about configuring SFTP authentication on the server and on the client side below.
SFTP Server Authentication
SFTP servers have a host key pair that the client uses to authenticate the server. Specifically, a private key is needed on the server (either auto-generated by MassTransit or supplied by the administrator). The public key is then either distributed to the client separately, or saved to the client's "known_hosts" table of known public keys the first time a connection is made. On subsequent connections the client compares the key the server presents with the stored one to verify that the server is who it says it is.
This is different from SSL authentication in MassTransit, where the server's public key is certified by a certificate signed by a known certificate authority. SFTP/SSH relies either on pre-distribution of the server's public key, or on trusting that the first connection reaches the real server (trust on first use), to get the public key stored.
If the server's key pair changes, any client that previously connected will report that the server's key is invalid. Many SFTP clients (e.g., the Mac OS X client) refuse to connect at this point, because a changed host key is exactly what a man-in-the-middle attack looks like. Once you have confirmed out of band (for example with the server administrator) that the key really was changed, remove the server's old public key from the "known_hosts" file and reconnect. On Mac OS X, the known_hosts file is in the following location and can be edited using a text editor:
~/.ssh/known_hosts
The MassTransit Administrator has an interface in the Security tab of the Setup window to specify the server's key pair – see the steps below. You can either have MassTransit auto-generate the private key, or pick a private key and passphrase, which are then saved in your preferences in the same way as SSL private keys. There is also a button that saves the public key to disk for sending to clients that want to connect.
If the server admin doesn't send the public key, the client can retrieve it on the first connection. In that case the person running the client should compare the fingerprint the client displays with one obtained from the administrator before accepting it, because that first connection is the only moment at which a wrong key could be pinned without any warning.
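The two client-side checks described above, as an added example that is not part of MassTransit or of the original page: computing the SHA256 fingerprint of a public key file in the format OpenSSH prints (the same value `ssh-keygen -lf server.pub` shows), comparing the administrator's distributed key with what the client has pinned in known_hosts, and removing only the stale entry for one host once a key change has been confirmed. The key bytes, host names and known_hosts contents are constructed for the example, not taken from any real server.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


# Constructed sample keys in the OpenSSH wire format a "Save public key..."
# button would write. bytes(range(32)) and bytes(32) are NOT real keys.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " masstransit-server"
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
OTHER_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(OTHER_BLOB).decode()

# Constructed ~/.ssh/known_hosts contents (host names are hypothetical).
SAMPLE_KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    "mt.example.com,10.0.0.5 " + SAMPLE_PUBKEY_LINE + "\n"
    "other.example.com " + OTHER_PUBKEY_LINE + "\n"
)


def parse_pubkey_line(line: str):
    """Parse an OpenSSH public key line into (key_type, blob).

    The blob's embedded type must match the declared type; a mismatch means
    the file was edited or mislabelled, so refuse it rather than guess."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the format shown by ssh-keygen -lf and by the
    client's first-connection prompt: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entries(text: str):
    """Yield (hosts, key_type, blob) for each plain (unhashed) known_hosts line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, b64 = line.split()[:3]
        yield hosts.split(","), key_type, base64.b64decode(b64)


def check_host(known_hosts_text: str, host: str, pubkey_line: str) -> str:
    """Compare the key the administrator distributed with what the client has pinned.

    Returns 'match', 'CHANGED' (pinned key differs: confirm out of band before
    touching known_hosts) or 'unknown' (first connection: verify the fingerprint
    against the administrator's copy before accepting)."""
    _, expected = parse_pubkey_line(pubkey_line)
    for hosts, _, blob in known_hosts_entries(known_hosts_text):
        if host in hosts:
            return "match" if blob == expected else "CHANGED"
    return "unknown"


def remove_host(known_hosts_text: str, host: str) -> str:
    """Drop only the entries for `host`, keeping every other server pinned.

    This is the manual edit the page describes, done without disturbing the
    rest of the file. Call it only after the key change has been confirmed."""
    kept = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if fields and not line.startswith("#") and host in fields[0].split(","):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    print("administrator's key:", fingerprint(SAMPLE_BLOB))
    print("mt.example.com:", check_host(SAMPLE_KNOWN_HOSTS, "mt.example.com", SAMPLE_PUBKEY_LINE))
    print("after key rotation:", check_host(SAMPLE_KNOWN_HOSTS, "mt.example.com", OTHER_PUBKEY_LINE))
    cleaned = remove_host(SAMPLE_KNOWN_HOSTS, "mt.example.com")
    print("after removal:", check_host(cleaned, "mt.example.com", OTHER_PUBKEY_LINE))
```

The comparison is over the full key blob, not just the fingerprint, so it also catches a file whose declared algorithm was changed. Hashed known_hosts entries (lines starting with `|1|`) are not handled here; for those, use `ssh-keygen -F host` to look up and `ssh-keygen -R host` to remove the entry.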
- Open the Setup window of the MassTransit Administrator by clicking on the Setup button from the Navigation Bar or by selecting the Setup... option from the Window main menu.
- Open the Security tab of the Setup window.
- In the SFTP/SSH Server Key section, you can choose whether to use a private key automatically generated by MassTransit or a supplied private key. The default option is the MassTransit-generated key.
- If you choose to have MassTransit generate the SSH private key, make sure the Automatically generate SFTP/SSH private key radio button is selected and click OK in the Setup window (or Cancel if it was already selected). The SFTP authentication configuration of your server is done and you do not need to perform the steps below.
- If you want to use a supplied private key, continue with the steps below.
- In the SFTP/SSH Private Key section, select the Use Private key radio button. A window should appear where you can browse for the private key of the SFTP server. If not, click on the Choose... button.
- In the window, select the private key for the SFTP server and click Open.
- In the Password window that appears, enter the password for the private key and click OK in order to load the file in MassTransit.
- In the SFTP/SSH Private Key section, enter the private key password in the Enter password for private key field in order to enable MassTransit to use the file without being prompted for a password.
- Click OK in the Setup window to save the changes. Otherwise, click Cancel.
Save the public key to disk
When you have configured the server key for SFTP authentication, you can save the server's public key to a file at a location you choose, for distribution to clients:
- Open the Security tab of the Setup window.
- In the SFTP/SSH Private Key section, click on the Save public key... button.
- In the window that appears, select a location for the public key file and click on the Save button. The public key file should appear in the selected directory. Only this public key file is sent to clients; the private key never leaves the server.
SFTP Client Authentication
Client authentication with SFTP in MassTransit is available in two ways – username/password and public key authentication.
Username/Password authentication
The first method is username/password authentication. The client either specifies the username and password when configuring the connection or is prompted for them at login. These are checked against the MassTransit server in the same way as for FTP, with the difference that over SFTP the password travels inside the encrypted SSH channel rather than in clear text.
Public key authentication
The second method is public key authentication. In public key authentication, the client has a private key that only it knows. The client pre-distributes its public key to the servers it wants to connect to, and the server administrator loads that public key into the contact's information; this is done on a per-contact basis. In the SSH/SFTP authentication process, the client sends its username and public key together with a signature, made with its private key, over the session identifier and the authentication request. The server first checks that the offered public key is one loaded for that contact, and then verifies the signature with that public key. Only a client holding the matching private key can produce the signature, and because the session identifier is included, a signature captured from one session cannot be replayed in another.
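Both sides of that exchange, as an added example that is neither MassTransit's code nor part of the original page. It builds the exact byte string an SSH client signs for a publickey authentication request (RFC 4252 section 7, Ed25519 per RFC 8709) and implements the server's two checks: the offered key must be one registered for that contact, and the signature must verify for this session. It assumes the `cryptography` package is installed; the contact names, the session identifier and the generated keys are constructed for the example.

```python
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey,
)

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def ssh_read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset `off`; returns (data, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def ed25519_blob(pub: Ed25519PublicKey) -> bytes:
    """Wire encoding of an Ed25519 public key: string "ssh-ed25519", string key."""
    raw = pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    return ssh_string(b"ssh-ed25519") + ssh_string(raw)


def userauth_signed_data(session_id: bytes, username: str, blob: bytes) -> bytes:
    """The bytes the client signs (RFC 4252 section 7). The session identifier
    binds the signature to this connection; the username binds it to this contact."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x01"                       # boolean TRUE: a signature follows
            + ssh_string(b"ssh-ed25519")
            + ssh_string(blob))


# --- client side -------------------------------------------------------------
def client_auth_request(priv: Ed25519PrivateKey, session_id: bytes, username: str) -> dict:
    """What the client sends: its username, its public key and the signature.
    (SSH wraps the signature as string(alg) + string(sig); kept raw here.)"""
    blob = ed25519_blob(priv.public_key())
    sig = priv.sign(userauth_signed_data(session_id, username, blob))
    return {"username": username, "blob": blob, "signature": sig}


# --- server side: per-contact registry, like the Contacts window ------------
class ContactRegistry:
    def __init__(self):
        self._keys = {}  # username -> set of authorized public key blobs

    def register(self, username: str, openssh_line: bytes) -> None:
        """Load a client's public key file ("ssh-ed25519 AAAA... comment") for one contact."""
        pub = serialization.load_ssh_public_key(openssh_line, default_backend())
        self._keys.setdefault(username, set()).add(ed25519_blob(pub))

    def authenticate(self, session_id: bytes, req: dict) -> bool:
        # 1) the offered key must be one loaded for THIS contact
        blob = req["blob"]
        if blob not in self._keys.get(req["username"], set()):
            return False
        # 2) the signature must verify under that key for THIS session
        key_type, off = ssh_read_string(blob, 0)
        raw, _ = ssh_read_string(blob, off)
        if key_type != b"ssh-ed25519":
            return False
        pub = Ed25519PublicKey.from_public_bytes(raw)
        try:
            pub.verify(req["signature"], userauth_signed_data(session_id, req["username"], blob))
        except InvalidSignature:
            return False
        return True


def demo() -> dict:
    """Run the exchange for a constructed contact 'alice' and return each outcome."""
    alice, mallory = Ed25519PrivateKey.generate(), Ed25519PrivateKey.generate()
    alice_pub_file = alice.public_key().public_bytes(
        serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH)
    registry = ContactRegistry()
    registry.register("alice", alice_pub_file)   # the "Select Public Key..." step
    sid = b"\x11" * 32                            # constructed session identifier
    good = client_auth_request(alice, sid, "alice")
    return {
        "valid": registry.authenticate(sid, good),
        "replayed_in_other_session": registry.authenticate(b"\x22" * 32, good),
        "key_not_loaded_for_contact": registry.authenticate(sid, client_auth_request(mallory, sid, "alice")),
        "right_key_wrong_contact": registry.authenticate(sid, client_auth_request(alice, sid, "bob")),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The authorization check compares the whole key blob against the set loaded for the named contact, which is why a valid key loaded for a different contact is rejected: the username still selects whose keys are consulted, exactly as the per-contact loading in the Contacts window implies.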
In MassTransit 7, you can now specify the public key for each user that needs public key SFTP authentication. This is done within the contact editing process where the public key can be selected and loaded into the database for an individual contact:
- Open the Contacts window of the MassTransit Administrator by clicking on the Contacts button from the Navigation Bar or by selecting the Contacts option from the Window main menu.
- Highlight a contact that uses the SFTP connection method to contact the server and click on the Edit... button.
- Open the Security tab of the Contact Information window that appears.
- In the SFTP/FTP Privileges section, make sure the No SFTP/FTP Access radio button is NOT selected.
- Check the Use SFTP Public Key Authentication check box. A window should appear where you can select the client's public key; if it does not, click on the Select Public Key... button.
- In the window, locate and select the client's public key file. Then, click Open.
- The client's public key should be loaded in MassTransit. Click OK in the Contact Information window to save the changes.
Now the configured contact is authenticated automatically on the server, without being prompted for a password, whenever it connects with that contact's username and the private key matching the loaded public key.