For years I used a local FTP server to distribute alpha and beta versions of my software to testers. But with the steady increase of NATs and firewalls FTP became slightly annoying, because of its multiple connections. As I use FreeBSD for my server anyway it was a simple choice to replace FTP with SFTP because it only uses one connection.

The negative aspect of using SFTP is the lack of readily available clients for end-users. FTP is incorporated into all browsers, so it's easy for them to use because they know their way around their browser. Mostly.
Using SFTP, however, requires them to download, install and get comfortable with another piece of software.

Authentication is another negative. Because SFTP is SSH, it's a wonderful target for anyone trying to break into your system. So I decided to go with public/private-key authentication (actually, not until tailing my logfile showed thousands of failed login attempts in a short period of time).
End-user-friendly? Nope!

So each and every time I give someone access to the server or someone switches operating systems I need to hold their hands and guide them through the process on how to connect.
That's why I write this, to end that once and for all.

Windows

Required Software

Download and install the following software: FileZilla, PuTTYgen* and Pageant*.
* Part of the PuTTY suite. Download the installer here.

The Key

PuTTYgen is used to generate the private/public-key pair.

(1) Generate a new key. Move your mouse wildly but without destroying anything. ;P

(2) Choose a pass-phrase to secure the newly created key. You will need to enter this every time you load the key in Pageant.

(3) Save the private key to a file and remember its location. This key needs to be added to Pageant's key-ring. (see below)
You may also save the public key for backup-purposes.

(4) This text-box contains the public key. It is this very key that needs to be sent to the server's administrator so that he can authorise your access to the server.
Alternatively the public key can be saved to a file (see (3)), which can then be sent to the administrator. The result is the same; it only depends on the means of communication and which way is more convenient for you.

Finally add the key to Pageant. Right-click Pageant in your system-tray and select Add Key to add your private key to its key-ring.

Setting up the keys is hereby done.
[Continue to Configure FileZilla]

Unix-like (FreeBSD, Linux, Mac OS X)

Required Software

Unless you are using some obscure Linux distribution or some other strangely configured system, all you need to do is install FileZilla, because everything else is already installed.
Download the client for Mac OS X from here. On FreeBSD use the ports or package collection and on Linux use your favourite package manager.

The Key

Open up your terminal.

Firstly, check whether you already have a public/private-key pair:

$ ls ~/.ssh/id_rsa.pub
If ls cannot find the file, there is no key and a new one needs to be created:
$ ssh-keygen
Accept the default path for the key and enter a pass-phrase to protect your private key. You need to enter this phrase every time ssh-agent loads the key, which depends on your configuration, but usually means: only when the key is needed and after restarting the computer.

Now that there is a valid key-file, the key within it or the file itself needs to be sent to the server's administrator.
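The two steps above (check for an existing key, otherwise create one) and the administrator's side of it (putting the public key into the account's authorized_keys, as discussed in the comments) can be scripted. The following is an added example, not part of the original post: it assumes OpenSSH's ssh-keygen and ssh-add are installed, which is the case on FreeBSD, most Linux distributions and Mac OS X. The key directory, the pass-phrase argument and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH client tools
# (ssh-keygen, ssh-add) are installed. Directory and function names are
# arbitrary choices for this example.

# ensure_ssh_key [KEYDIR] [PASSPHRASE]
#   Equivalent of "ls ~/.ssh/id_rsa.pub" followed by "ssh-keygen" if it is
#   missing. Prints the public key, i.e. the line to send to the admin.
#   Without PASSPHRASE, ssh-keygen prompts for one interactively (as in
#   the text above); a pass-phrase is passed only to allow scripted use.
ensure_ssh_key() {
    keydir=${1:-"$HOME/.ssh"}
    priv="$keydir/id_rsa"
    pub="$priv.pub"
    if [ ! -f "$pub" ]; then
        mkdir -p "$keydir" && chmod 700 "$keydir"
        # -t rsa explicitly, because newer OpenSSH defaults to ed25519
        # and the text above refers to id_rsa.pub.
        if [ -n "$2" ]; then
            ssh-keygen -q -t rsa -b 3072 -N "$2" -f "$priv" || return 1
        else
            ssh-keygen -t rsa -b 3072 -f "$priv" || return 1
        fi
    fi
    cat "$pub"
}

# load_key_into_agent [KEYFILE]
#   Hands the private key to ssh-agent; ssh-add asks for the pass-phrase.
load_key_into_agent() {
    ssh-add "${1:-$HOME/.ssh/id_rsa}"
}

# add_authorized_key USERHOME PUBKEYFILE
#   Administrator side: append the public key to USERHOME/.ssh/authorized_keys
#   with the permissions sshd insists on, refusing files that are not a
#   parseable public key and skipping keys that are already present.
add_authorized_key() {
    home=$1
    pubfile=$2
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"
    # ssh-keygen -l fails on anything that is not a valid public key.
    ssh-keygen -l -f "$pubfile" >/dev/null 2>&1 || {
        echo "not a valid public key file: $pubfile" >&2
        return 1
    }
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"
    # Compare on key type and key material only; the comment may differ.
    key=$(cut -d' ' -f1,2 "$pubfile")
    if grep -qF "$key" "$authfile"; then
        return 0
    fi
    cat "$pubfile" >> "$authfile"
}
```

Run `ensure_ssh_key` as the user, mail the line it prints to the administrator, and call `load_key_into_agent` once per session; the administrator runs `add_authorized_key /home/<user> <received-file>` on the server.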

Configure FileZilla

Start FileZilla and open the SiteManager:

Create a New Site (1) and enter the appropriate information:

(2) & (5) Enter the hostname, optional port and username as required by the server you want to connect to.

(3) Set the server type to SFTP (surprise, eh?).

(4) Change the logon type to Interactive so that FileZilla asks for the key from Pageant (Windows) or ssh-agent (Unix-like).

If you are running Windows make sure that Pageant is running before trying to connect.

You may connect now!

9 comments
02012-May-9, Wed 19:12
Maik
Hi
Thanks for that write-up, I've been using Filezilla and Pageant for a while on a Windows box, is it possible to transfer the key to a Linux box (and how would I do it)?
02012-May-9, Wed 19:57
morlad
The short answer is: Yes, you could use PuTTYgen.exe to load your private key on Windows and then use "Export OpenSSH..." in the "Conversions" menu. The newly created key-file can then be used under Linux.
However: That's a very bad thing to do. You should rather create a new key-pair on the Linux box and add this new public key to the server's authorized_keys. (Or let the server admin add it). There are only very few occasions for which using the same key on multiple machines makes sense. And if you encounter one of them, you are most likely at a point where you don't have to ask how to transfer a private key from one machine to the other ;)
Just imagine if you copy the same key on multiple machines and one of the machines gets compromised (either by being hacked, stolen, ...). Hence the key, which in this scenario is the key on all machines, becomes compromised and needs to be removed from the server's authorized_keys. And instead of just moving on, because access for the compromised machine was revoked, you need to create a new key-pair and then copy the key to all other machines again, and so on.
Maybe this is a bad example, but it's the only one in terms of practicability that I could pull out of my hat right now.
There are lots of other reasons why you shouldn't just copy keys between machines.
Also, creating a new key-pair on Linux (and most of the time the installation already creates one for the machine) and getting its public key into the server's authorized_keys seems quicker to me.
02013-Mar-19, Tue 5:57
Julie
This has been very helpful. Thanks!
02013-May-15, Wed 5:48
robin
thanks a lot man!!!! great :)
02013-May-29, Wed 17:37
Ed Greenberg
Count one happy Linux sysadmin. This page will be very helpful in getting people connected with Filezilla.
02014-Aug-30, Sat 3:36
Jim N
Excellent. Please share this link for others to find.
02015-Aug-11, Tue 13:03
John
Do we require a password while using the key?
02015-Aug-11, Tue 14:24
morlad
The private/public key authentication is a replacement for password-based authentication. Hence you do not need a password to access the server.
However the private key can (and probably: should) be protected with a passphrase. So a passphrase is required to unlock the private key on the local machine.
Unless the private key was created without a passphrase, of course. Then no password is required at all. But this removes nearly any security of the server, since the private key file is all that is needed for access. And a tiny file can get into the wrong hands very easily... (choose whatever attack vector suits your paranoia).
02017-Feb-1, Wed 8:41
andrew
I used this to help me set up one of my users to connect to SFTP in 2013, and have just used it again now. Admittedly I used ssh-keygen on a FreeBSD VM to set up the keys, and then puttygen to convert the private key so it could be used with Pageant and Filezilla on a Microsoft machine. A few hiccups but your notes are very helpful. Thanks again