SFTP Key Authentication for UNIX

Follow the steps below to define SFTP key authentication on a UNIX operating system. On Windows, several software products can set up key authentication, and each works differently. For more information, see your vendor's documentation.

Note that the RA FTP Agent only supports SFTP keys that are compatible with OpenSSH. PuTTY keys must be converted to the OpenSSH format using PuTTYgen. The following steps are required for this purpose (with PuTTY on Windows):

  • Start the PuTTY Key Generator (PuTTYgen).
  • Select the menu item Conversions.
  • Load the existing PuTTY key via Import Key.
  • Convert the key to the OpenSSH format by using the Export command.

Note that certain settings in the JVM may lead to an authentication error and a subsequent abnormal end of the SFTP Job. To avoid such a problem, Broadcom recommends downloading the Java Cryptography Extension (JCE) from the JVM producer and importing it according to the description.

To define the key-pair for SFTP on UNIX:

  1. On the host where the RA FTP Agent is running, enter the ssh-keygen -t dsa command.
  2. The ssh-keygen command should be executed on the host where the Agent is running. The username and hostname the command is executed under are stored in the public key file. Below is a sample listing of a public key file.

    ssh-dss AAAAB3NzaC1kc3MAAACBAKzRW/a7WQdedMupC/avmFFuAib001aGcrrNwe
    93iZBbIy8miAXgrzBYMTc17rTb4pZiw/tl
    gWlmPDZETu1A1Wn6Rg4WXiRe0o7YfHMaYkQnObLojKfAYwBW1P7RnlKgvxtp5pTEA+
    +xbb7OkNmLjq2Xg4blf41ibBVSlE8HBAAAAFQDAZJ47Sz76Eb5wCcAMhiViJe3wUwA
    AIB2CCOH0tcToyXu6npMmCL0CpS+X5UAHAwp0pdMNfDNzSM4Opuht0ti5nf69+c1rA
    ORHQSrMocHM0yu0wR1Wiiz5RalvpT55YG2+46SXlS5d2RwdeE7TnsTH8u5r8Ra2L0i
    BFF11mDvxEkiO4w8OTqmM1TQImzZxszM5S7BNiEwAAAIAk4is1gOrjeNHuM9hMsGj7
    HlhFTUhHG+5fLP5lNHEPt3ggnN7EGRKk7h0fLJimzYv5XL690
    GpcBDnXFUAHXzwMuHBnYCgJxPz56WHlk
    kZjKKTTdHjBI9vQjoCdpygHKc3vBYnIENjUg3Y5BlL4bZDUWU4k4MQ8AgEh81TKOaA
    = qa4@xpert64.example.com

    The highlighted text above, qa4@xpert64.example.com, is the signature for this key file. This means that the ssh-keygen command was executed on xpert64.example.com under the username qa4. This also means that the Agent must connect to host xpert64.example.com with the username qa4 and must have the private key file.

  3. Respond to all the prompts from the above command. To use the defaults, simply press Enter.
  4. When this command finishes, two files will have been created: id_dsa and id_dsa.pub. The id_dsa.pub file is the public key, and the id_dsa file is the private key.
  5. Take the public key file and place it on the server (where the FTP server is running) in the $home/.ssh directory, then rename it to authorized_keys. If this file already exists on the server, append your public key file to the existing one. To do this, you may execute the following command:

    cat id_dsa.pub >> authorized_keys

  6. Now, on the host where the RA FTP Agent is running, you need the private key. The private key is used to authenticate the connection with the public key contained in the authorized_keys file on the server.
  7. On the RA FTP Agent Connection object for the SFTP connection, fill in the following fields:
    • SFTP key authentication: Check this box.
    • Key File: The absolute path where the private key file is located. The private key has to be located on the host where the RA FTP Agent is running.
    • Pass Phrase: If you entered a pass phrase when creating the key-pair files with the ssh-keygen command, enter the same pass phrase here.
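
The server-side append to authorized_keys and the private-key requirement on the Agent host, as an added shell example that is not part of the vendor's documentation. The function names are assumptions; the script appends a key only once, sets the directory and file modes that sshd's default StrictModes check accepts, and tests that the private key is not accessible to group or others.

```sh
#!/bin/sh
# Added example, not vendor code. Function names and paths are assumptions.

# install_pubkey PUBKEY_FILE [SSH_DIR]   (run on the SFTP server)
# Appends the key to authorized_keys once, with modes that sshd's default
# StrictModes setting accepts: 700 on the directory, 600 on the file.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    # A public key file is exactly one line: "<type> <base64> [comment]".
    # This also rejects a private key file passed by mistake.
    if [ ! -r "$pub" ] || [ "$(grep -c '' "$pub")" -ne 1 ] ||
       ! grep -Eq '^(sk-)?(ssh|ecdsa)-[a-z0-9@.-]+ [A-Za-z0-9+/]+=*( .*)?$' "$pub"
    then
        echo "install_pubkey: $pub is not a one-line OpenSSH public key" >&2
        return 1
    fi
    line=$(cat "$pub")

    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # -x whole-line, -F fixed-string match: re-running adds no duplicate.
    if grep -qxF -- "$line" "$auth"; then
        return 0
    fi
    # If the existing file lacks a final newline, add one so the new key
    # is not glued onto the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
}

# private_key_is_private KEY_FILE   (run on the RA FTP Agent host)
# Succeeds only if group and others have no permission bits on the key.
private_key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```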

Below is an example of the Job output when using SFTP key-based authentication. The two bold lines in the Job output show the private key file being used.

    host name = xpert64.example.com
    remote user identification  = qa4
    Using SFTP private key file: /u01/users/qa4/.ssh/id_dsa
    Not using pass phrase
    session created
    known hosts file = C:\Documents and Settings\sport/.ssh/known_hosts FtpAgent_FTPFileTransferJob_connection completed_s
    sftp channel opened