Authenticating users via PKI

We have already talked about the SSH Server Key, which is used to verify the server’s identity and to negotiate the security (hmac/encryption) parameters. In this article, instead, we want to explain how to use PKI to authenticate users in Syncplify Server!

First of all, it is important to understand that – unlike Server Keys (or Host Keys) – these user-specific key pairs are not used for encryption, but only and exclusively to authenticate users, thus verifying their identity and decide whether to let them log into the server or not.

Authenticating users via PKI certainly grants a much higher degree of security than simply using a password, and is, therefore, a highly recommended authentication method.

Method #1: user-generated key pair (recommended)

To ensure the highest degree of protection for the user, and prevent the potential loss of the private key, it is highly recommended that the user generates the RSA key pair (both private and public key) and then sends only the public key to the server operator.

This can be done, for example, with the following shell command on a Linux client:

ssh-keygen -t rsa -b 4096

Or, in Windows, it’s easily doable using the excellent PuTTYgen tool, as shown in the images here below:

Regardless of the OS (Linux or Windows) the user needs to save both public and private keys after they are generated, and:

retain the private key (will be used in the SSH/SFTP client to connect to the server)
send the public key to the Syncplify Server!’s administrator

Once the Syncplify Server! administrator receives the user’s public key, he/she will have to import it into the authorized keys for that specific user, and enable PKI authentication for that user profile, as shown in the pictures here below:

After importing the user’s public key, the Syncplify Server!’s administrator will simply save the user profile, and that’s it: the user can now authenticate and log in using his own self-generated key pair.

Method #2: server-generated key pair (not recommended)

Alternatively the Syncplify Server!’s administrator can generate the key pair and send it to the user, while Syncplify Server! only retains (stores in its configuration database) only the public key. This method is not recommended because it implies the private key being sent over the network, which might be unsafe, but it’s much easier than the previous method, and it can actually be suitable and safe in closed environments (like when the key pair is given to an internal user or an employee) in a safe way.

In this case, the Syncplify Server!’s administrator will still need to enable PKI authentication for the specific user profile:

Once done, the Syncplify Server!’s administrator will simply need to save the user profile, and send/give the generated PPK file to the user.

How to be notified of new releases

Setup on Windows (GUI)

Setup on Windows (CLI)

Setup on Linux

Updating/upgrading Syncplify Server!: the general rule

Upgrading from v4/v5 to v6

How to move/migrate your software to a different machine/VM

How to recover (decrypt) old v4/v5 encrypted VFSs

High-Availability (HA) general concepts

High-Availability (HA): how to setup

Licensing and license codes: a complete overview

How to fix "Invalid OTP" error during setup

Where is the manual?

Using network shares (UNC paths) with Syncplify Server! v6+ on Windows

Using network shares (UNC paths) with Syncplify Server! v6+ on Linux

How to backup your Syncplify.me Server! v4/v5

Insecure warning in your browser? It might be OK...

Virtual File System (VFS) Encryption

Overriding permissions on folders/directories

How to change a SuperAdmin password

How to reset the SuperAdmin (SA) password in v4/v5

How to disable 2FA for a SuperAdmin account

How to auto-fix problems with the Web/REST system service

True 2FA/MFA over SSH2/SFTP via keyboard-interactive authentication and Google Authenticator

How to use the SFTP Virtual File System (VFS)

How to use the S3 Virtual File System (VFS)

New PageHow to use the Azure blob storage Virtual File System (VFS)

How to use Google cloud platform's object storage Virtual File System (VFS)

How does the block-list (Protector!) work?

Block-list, allow-list, and safe-list

Authenticating users via PKI

Customizing SFTP and FTP(E/S) greetings and banners

How to override permissions on subfolders inside the user’s Home VFS

FATAL ERROR: Connection reset by peer (could not connect to server)

Virtual File Systems (VFS) with quotas

Solved: insecure FTP data connection (TLS session resumption)

Parametric home directories (VFS)

Cannot connect: "unexpected message type 30 (expected one of [34])" reason found in log file

How to backup your Syncplify Server!'s database

How to email a list of uploaded files

VFS.ImportFile and VFS.ExportFile

Preventing upload of EXE files

No, we are not affected by Log4j vulnerability (CVE-2021-44228)

How Syncplify.me Server! prevents SSHPsycho attacks

W3C log file format and UTC timestamps

Firewalls and FTP external IP address for PASV

Where do I download the old v4/v5 installers?

Authenticating users via PKI

No Comments