How does SFTP key based authentication work? Difference between SSH and SFTP keys

ssh linux authentication sftp openssh

There is no such thing as "SFTP key authentication", nor is there an "SFTP key" at all.

SFTP always uses standard SSH as the transport – the differences only begin after you've suc­cess­ful­ly au­then­ti­cat­ed (the client then requests either an interactive session, or an 'sftp' subsystem session). In other words, SFTP works exactly the same way as Git-over-SSH or Rsync-over-SSH.

Finally, SSH keys are not used for encryption; all of them are used for authentication only (in both directions). So the sentence that you've read and quoted is bogus in every possible way.

There are however two key pairs used for authentication – one belonging to the server (created during install) whose public key is verified by the client, and one belonging to the client, whose public key is verified by the server.

The overall process for both SFTP and interactive SSH is:

  1. Session key exchange: The client and server use (usually) Diffie-Hellman to negotiate the symmetric encryption keys.
  2. Host key checking: The server authenticates itself by using its private key to sign some data, which the client verifies against its known_hosts. (The signed data includes the previously negotiated session key and other parameters, preventing MitM attacks.)
  3. User authentication: The client authenticates itself by using its private key to sign some data, which the server verifies against its authorized_keys. (In this stage, the data is just a random challenge.)
  4. Session setup: The client opens several channels to interact with the server (such as an "agent forwarding" channel, a "TCP forwarding" channel, an "interactive shell session" channel, a "non-interactive shell command" channel, or an "sftp subsystem" channel).

The client can even open multiple sessions over the same connection – clients which support multiplexing such as OpenSSH or Tunnelier will allow you to authenticate just once, then run several interactive shells and/or SFTP transfers all over the same connection.

(Also, I'm very likely to be mixing up the relative order of SSH 'sessions' vs 'channels', but at least you get a rough idea.)

Note that the client in step 3 can authenticate itself in other ways (such as Kerberos or a simple password) instead of being required to use a keypair. This is still exactly the same for both SFTP and interactive SSH.

Related

How do I access the Processor power management options in Windows 10?
Can a subdomain also have a hostname?
Unknown ethertypes 0x88e1 and 0x8912 from my Fritz Box
What is this large clickable question mark in Finder window?
Compare and Match two values in two databases
"no matches found" error when using youtube-dl
Is it possible to build Linux kernel inside an LXC container?
Meaning of phrase "rent full month"
How far back does the distinction between "interpreter" and "translator" go in English?
When is a a comma needed?
What do you do with todos?
Concluded + name of the person for a press release [closed]