When users attempt to connect to your Secure File Transfer Protocol (SFTP) server for the first time, they’ll see an alert indicating that their client doesn’t recognize the host it’s connecting to. The warning usually includes a line that shows a key fingerprint and a prompt that asks the user whether to proceed with the connection attempt or not. Here are two examples illustrating what we’re referring to.
On a command line SFTP client:
$ sftp username@your_sftp_server
The authenticity of host 'your_sftp_server' can't be established.
RSA key fingerprint is SHA256:abcdefghijklmnopqrstuvwxyz1234567890.
Are you sure you want to continue connecting (yes/no)?
On a GUI-based SFTP client:
That fingerprint, which is the server's SSH/SFTP key fingerprint, plays an important role in secure file transfers. In this post, we’ll explain what it is, how it helps secure your SFTP file transfers and how you should use it for maximum effectiveness.
Before we proceed, we’d like to remind you that SFTP runs on the Secure Shell (SSH) protocol and derives its security functions from the latter. So, for instance, an SFTP server is essentially an SSH server. With that in mind, be prepared to see the terms SSH and SFTP used alternately throughout this post.
Importance of SSH/SFTP server authentication
When you encounter the term “authentication” in the context of file transfers, chances are what comes to mind is user authentication or client authentication. In user or client authentication, the server checks the identity of the user or client that’s attempting to access the server’s resources. User or client authentication is important because you want to limit server access to legitimate users or clients.
That said, server authentication is also important, as you want to ensure your users only connect to servers they intend to access. If they unintentionally connect to a malicious server impersonating your server, your users could end up sharing their login credentials with threat actors. Those threat actors could, in turn, use those credentials to gain unauthorized access to your server.
Not only that, your users might upload sensitive files to that malicious server, thereby exposing your organization to a potential data breach. Lastly, your users might download trojans planted on the server, exposing your network to a potential malware outbreak.
Server authentication allows users to check whether the server they’re about to establish a connection with is really the server they want to access. It protects users from spoofed servers and other forms of man-in-the-middle attacks.
Not all file transfer protocols support server authentication. For instance, the standard File Transfer Protocol (FTP) doesn’t provide any feature for authenticating an FTP server. The ability to authenticate not only users, but also servers, is one of the major advantages of SSH and SFTP. When you combine user/client authentication with server authentication, both your SSH clients and your SSH server can be protected when they establish an SSH connection.
Before we proceed, we’d like to share something with you. If you’re using SFTP to carry out secure file transfers, you might want to try JSCAPE MFT by Redwood. JSCAPE MFT supports SFTP and several other secure file transfer protocols, ensuring interoperability with any trading partner.
It also comes with low-code/no-code automation templates that enable you to automate any file transfer workflow with just a few clicks. Experience the power of JSCAPE..png?width=2500&height=525&name=FINAL_JSCAPE_CTA_wText_ver2%20(1).png)
Why are SSH host key fingerprints used in server authentication?
SFTP server authentication is actually a form of public key authentication. This means it uses private key/public key pairs. During server authentication, the SFTP server sends a copy of its public key to the SFTP client. The client then checks to see if it already has a copy of that public key. If a match is found, the authentication succeeds and an SSH connection is established. Other cryptographic processes, such as key exchange and symmetric encryption, are involved, but we won’t talk about those processes here.
Server authentication can only succeed if the SFTP client already has a copy of the public key in question. So how does the client obtain that public key? The first time an SFTP client attempts to connect to an SFTP server, the client obviously won’t have a copy of the server’s public key yet.
Upon receiving the public key for the first time, the client displays a fingerprint of that key for the user to inspect. A key fingerprint is a hash function of the key in question. It’s essentially a condensed representation of the key. If you’re unfamiliar with hash functions, we suggest you read our blog post “Understanding Hashing” first.
Why would an SFTP client display the public key’s fingerprint and not the public key itself? Public keys are quite long. A typical public key in Rivest-Shamir-Adleman (RSA) format would look like this:
On the other hand, a typical MD5 fingerprint would look like this:
MD5:ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78
As you can see, key fingerprints are much shorter. While the format of a fingerprint can vary depending on the hashing algorithm used — e.g., SHA-256, SHA-1, MD5, and so on — all key fingerprints are always shorter than their corresponding keys. So, if you’re supposed to manually verify a server’s identity, it’s going to be easier to inspect a server’s fingerprint than its public key.
How to use SSH host key fingerprints properly
Once a user manually verifies the server fingerprint, their SFTP client will store a copy of the remote server’s public key in its local key file. The user’s client can then simply look up that stored public key every time it connects to the server in question.
As long as its stored copy of the public key and the public key sent by the remote server match, the client will no longer prompt the user to inspect the key fingerprint. Instead, the client will automatically run through the server authentication process in the background.
Now, because all subsequent server authentication processes with that particular server are automatic, it’s important that users take the fingerprint inspection step seriously. If they don’t, and the server is actually malicious, your users could end up exchanging data with threat actors.
You can share your server’s fingerprint with users through email, a phone call, a members-only web page or any secure out-of-band channel. To avoid connecting to a bogus server, users must only use server fingerprints obtained from an official source.
How to obtain the SSH/SFTP fingerprint if you’re an administrator
Before you can share your server’s fingerprint with users, you have to know what it is. Here are some steps you can follow to obtain your server’s fingerprint.
Using the Linux command-line
Many Linux distributions include OpenSSH as part of their default installation. So, if your SFTP server runs on a Linux machine, you can simply connect to that server using the built-in command-line SFTP/SSH client. If you do that, you should see an output similar to the one below.
sftp username@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:eGgmbTThz5YwSb7HsbwY7U12ZbVcLUq+7R9tiZgXY1A.
Are you sure you want to continue connecting (yes/no)? yes
Just be sure there is no 'localhost' entry inside your ~/.ssh/known_hosts file. If the file contains that entry, delete the entry before attempting the connection. The presence of the ‘localhost’ entry means the local SSH client has already registered the local SSH server’s key, and won’t display the server’s fingerprint anymore.
Alternatively, you may run the following command if your Linux installation includes the ssh-keygen utility tool:
ssh-keygen -lf /path/to/public_key/pubkey_in_openssh_format.pub
Be sure to replace ‘/path/to/public_key/pubkey_in_openssh_format.pub’ with the actual path to the server’s public key file.
Using a GUI-based SFTP client
If your SFTP server runs on Windows, you may use any graphical SFTP client such as WinSCP, FileZilla or JSCAPE AnyClient by Redwood to connect to your SFTP server. You should see something like this:
Get Started
Not a customer yet? Complete the form on our Free Trial page to evaluate JSCAPE firsthand.
Related posts
How To Install A SFTP Server on Windows
An Overview of How Digital Certificates Work
Setting Up Public Key Authentication Between Trading Partners
Setting Up SFTP Public Key Authentication On The Command Line