Can I use a certificate with sftp?

I've been sending and getting files using Linux sftp to various providers for many years. The scripts to do this are batch/unattended and utilize a public key for authentication.

A few days ago, this mechanism stopped working with one of the information providers. They said I needed to install a certificate on my end. I've never installed a certificate for this process for either this provider or any other. I'm puzzled as to where I should install this certificate and how sftp is to reference it. I see no command line parameters for specifying a certificate. I'm thinking the provider is mistaken that I need such a thing, but I want to confirm one way or another before I say anything.
jmarkfoley asked:
Travis Martinez (Smoke Jumper) commented:
Are they asking you to use an SSL certificate?  SFTP works off of SSH keys only.  You'll need to use something like FTPS to use an SSL certificate.

Here's some information about it.

https://www.secureblackbox.com/kb/articles/FTPS-vs-SFTP.rst
Travis Martinez (Smoke Jumper) commented:
From some further research it looks like "curl" would be your best option.  It has a switch for --cacert <CA Certificate>.

And to be fair I'm probably off.  The Linux guys will likely correct me here after a bit.
jmarkfoley (Author) commented:
Travis Martinez:
From some further research it looks like "curl" would be your best option.  it has a switch for --cacert <CA Certificate>.
Well, we really would rather stick with sftp and not change to curl. We've been doing the sftp things for quite a number of years and I'm thinking these guys are just confused. Perhaps they thought I said "FTPS" instead of "sftp".
Travis Martinez (Smoke Jumper) commented:
Then it very well may be they are not understanding the situation.  If you're using SFTP they should know that an SSL certificate can't be used as an authentication method.
arnold commented:
Sftp is a component of ssh, using ssh-keygen -t rsa, ssh-keygen -t dsa.
Then using id_rsa.pub and/or id_dsa.pub and adding it into the account's authorized_keys2.
Which is seemingly what you are using, public keys.

The ssh key exchange need not use interactive username/password, but for security, ssh keys are commonly protected by a passphrase.

You should get more detail on what they mean; potentially, the certificate might be for a VPN setup before sftp.

openssl s_client -connect
Can be used to test and see secure connection info.
jmarkfoley (Author) commented:
I've talked to the tech guy. It is his feeling that we need to install the certificate he sent me in order to use my public key. This is news to me. Correct me if I'm wrong, but on the server end of the sftp connection, all they have to do is make sure there is a user defined in /etc/passwd and that this user is enabled in /etc/ssh/sshd_config, correct?

For the client, a key must be generated using ssh-keygen, then that key copied to the server's authorized_keys file in $HOME/.ssh for that user. That's it, right?

It's been a long time since I've set this stuff up. Does the client have to log in with a password first?
arnold commented:
It is hard to answer. Use OpenSSL to see what is in the certificate they sent you.
Where do they say you have to install this certificate?
Use sftp -vvvv so that you can see the debug output and the key exchange, to see if the certificate is saved in a file and whether it is presented by your side to the other as a means of identification.
jmarkfoley (Author) commented:
arnold:
It is hard to answer. Use OpenSSL to see what is in the certificate they sent you.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=OH, L=Columbus, O=State of Ohio, OU=vptwbat01, CN=vptwbat01, OU=vptwbat01/serialNumber=49A1...
        Validity
            Not Before: Mar  1 13:44:23 2018 GMT
            Not After : Apr  9 13:44:23 2022 GMT
        Subject: C=US, ST=OH, L=Columbus, O=State of Ohio, OU=vptwbat01, CN=vptwbat01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 

   Signature Algorithm: sha256WithRSAEncryption
         18:0e: ...


Where do they say you have to install this certificate?
They don't say.
Use sftp -vvvv so that you can see the debug output and the key exchange, to see if the certificate is saved in a file and whether it is presented by your side to the other as a means of identification.
There is no error. I'm simply prompted to log in with a password. No certificate info presented. If I use the password, I get in.
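An added example (not from the thread or any of its participants) that shows how to read the situation arnold's sftp -vvvv advice and jmarkfoley's "prompted for a password, no certificate presented" reply describe: it classifies an OpenSSH client debug transcript by whether a public key was offered and accepted or whether auth fell through to password, checks the private key's file mode (ssh silently ignores a key readable by others), and inspects the provider's certificate without installing it. The transcript, paths and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of the debug1 lines an `sftp -vvv` / `ssh -vvv` client
# prints during authentication; real transcripts contain many more lines.
SAMPLE_DEBUG='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/batch/.ssh/id_rsa RSA SHA256:AAAA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password'

# classify_auth <transcript>
# Prints one of: no-publickey | key-not-offered | key-accepted | key-rejected
classify_auth() {
    debug="$1"
    if ! printf '%s\n' "$debug" | grep -q 'Authentications that can continue:.*publickey'; then
        echo no-publickey      # sshd does not allow publickey for this account at all
        return 0
    fi
    if ! printf '%s\n' "$debug" | grep -q 'Offering public key'; then
        echo key-not-offered   # client never tried a key: check IdentityFile / key mode
        return 0
    fi
    if printf '%s\n' "$debug" | grep -q 'Server accepts key'; then
        echo key-accepted
        return 0
    fi
    # Key was offered, then the client moved on to password: the server side
    # did not match it against the account's authorized_keys.
    echo key-rejected
}

# key_mode_ok <private-key-path>: succeeds only if the key is owner-only
# readable (0600/0400); ssh refuses keys with looser permissions.
key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c2-10)    # e.g. rw-------
    case "$perms" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# describe_cert <pem-file>: show subject, issuer and validity of the
# certificate the provider sent, without installing it anywhere.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Example run on the constructed transcript: prints key-rejected
classify_auth "$SAMPLE_DEBUG"
```

A key-rejected result is the case in this thread: the client presented its key and the server fell back to password because the key was not in the account's authorized_keys on the provider's side.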
jmarkfoley (Author) commented:
Hurray! Fixed. The 'tech' guy managed to either install our public key in the correct place or otherwise did something on their end to fix it. He didn't go into detail about what he did, so I can't post a definitive answer about the resolution. However, the point is that I did not have to install any "Certificates" or make any other changes on this end. sftp does work the way I thought it did.