
Confused about public and private keys

Former Member
0 Kudos

Hi,

I'm trying to send data to a bank from XI using SFTP.

We are planning to use public and private keys to secure the process.

So if I have to send the data securely to the bank, what should I do?

My understanding is: I will need the public key of the bank to encrypt my session and data, and use the private key given by the bank instead of a password login.

Is this right?

But the bank documentation says that we have to "exchange public keys". What's that for?

I guess it is for when the bank sends data to XI. Is this right?

Accepted Solutions (1)

prateek
Active Contributor
0 Kudos

Just to make sure: the standard FTP adapter does not support SFTP. Are you using some third-party or custom adapter for the SFTP scenario, or are you using FTPS?

Regards,

Prateek

Former Member
0 Kudos

I'm developing a Java proxy and am going to put a Java program that does SFTP inside it.

As far as I understand, the private key mentioned in the API is used instead of the password.

So what I require is a private key from the server (used instead of the password) and the public key for encryption.

Former Member
0 Kudos

The SSH transport layer will be taken care of by your SSH libraries; see RFC 4253. All you really need to know is that it will negotiate with the other server which keys and algorithms to use to actually secure the channel. Once the transport layer is secure, it will move on to authentication.

Note: you may also need/want to verify the target host really is the host you think it is. This will require using a known_hosts file or equivalent process on your side. Be careful with the Java libraries. Some of them default to prompting the user for a response to add the target host to the known_hosts file. The user prompt is obviously not good if there is no user to respond...

Public/private keys can be used as part of the authentication process. Your partner will typically add your public key to the target user's authorized_keys file. This lets you log in as that user without a password. So, basically you need to generate keys (i.e. ssh-keygen -t rsa -C "MyComment"), send the partner the public key, tell your Java library where your private key is, then give it a try. Of course there is more to it, but hopefully this answers your question.

Thanks,

-Russ
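The key generation step Russ describes, done from Java rather than with ssh-keygen, as an added example (this is not code from the thread or from JCraft's samples). It uses JSch's KeyPair class to produce the same artifacts: a passphrase-protected private key that stays on the XI host and a .pub file that is the only thing handed to the bank. The file names, the XI_KEY_PASSPHRASE variable and the key comment are assumptions for the example.

```java
package test;

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.KeyPair;

import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;

/**
 * Java equivalent of `ssh-keygen -t rsa -C "MyComment"`, for an XI host where
 * nobody can run an interactive shell. The public half is what gets "exchanged"
 * with the bank; the private half never leaves this machine.
 */
public class GenerateSshKey {

  // Assumed path for the XI service user's key; any directory only that user can read works.
  static final Path PRIVATE_KEY = Paths.get(System.getProperty("user.home"), ".ssh", "xi_to_bank");
  static final Path PUBLIC_KEY = PRIVATE_KEY.resolveSibling(PRIVATE_KEY.getFileName() + ".pub");

  public static void main(String[] args) throws JSchException, IOException {
    // Passphrase read from the environment (assumed variable name), never hard-coded or logged.
    String passphrase = System.getenv("XI_KEY_PASSPHRASE");
    if (passphrase == null || passphrase.isEmpty()) {
      throw new IllegalStateException("XI_KEY_PASSPHRASE must be set");
    }

    JSch jsch = new JSch();
    KeyPair kp = KeyPair.genKeyPair(jsch, KeyPair.RSA, 3072); // RSA, 3072 bits
    kp.setPassphrase(passphrase);                             // private key file is written encrypted

    Files.createDirectories(PRIVATE_KEY.getParent());
    kp.writePrivateKey(PRIVATE_KEY.toString());
    kp.writePublicKey(PUBLIC_KEY.toString(), "xi-to-bank-sftp"); // comment == the -C argument

    // sshd (and picky client libraries) refuse a private key that other users can read.
    if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
      Files.setPosixFilePermissions(PRIVATE_KEY.getParent(), PosixFilePermissions.fromString("rwx------"));
      Files.setPosixFilePermissions(PRIVATE_KEY, PosixFilePermissions.fromString("rw-------"));
    }

    System.out.println("Fingerprint to confirm with the bank out of band: " + kp.getFingerPrint());
    System.out.println("Send to the bank (they append it to authorized_keys): " + PUBLIC_KEY);
    System.out.println("Keep on XI only (pass it to jsch.addIdentity):        " + PRIVATE_KEY);

    kp.dispose(); // drop the key material held in memory
  }
}
```

Run it once as the OS user the XI Java proxy executes under, read the fingerprint to the bank over a channel other than the SFTP link itself, and give them only the .pub file. The private key is later loaded with jsch.addIdentity(path, passphrase); it is never sent anywhere, the library only uses it to sign the server's authentication challenge.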

Former Member
0 Kudos

Hi...

I think in your scenario you are dealing with 2-way SSL, unlike the 1-way SSL that you have conceptualized...

Former Member
0 Kudos

Hi Russell,

Thanks for your valuable inputs. Yes, I understand that I have to give my public key to the server I'm going to connect to and get the public key of the server that's going to connect to me, and this will enable me to log in without being prompted for the password.

But what should I do with my private keys?

I'm using a Java program to start the SSH session.

What should I do to make the private key known to my Java program, and why should I do this?

Is it for the purpose when the FTP server is sending data to me? Or is it for me sending data to the SFTP server?

Let's assume that the communication is just one way: XI sending data to an SFTP server.

I have to give my public keys to the server for them to be added there.

Then what is the next thing I should do?

In my program I have a constructor with hostname, uid, pwd to create an SSH session.

So if I've done this, I don't have to provide a pwd and can just pass an empty "" String in that field???

Former Member
0 Kudos

Hi,

When you send the message to the other party, you should be using their public key to encrypt, so that the other party can decrypt it with their private key.

Your private key is only required when you get the message from your partner (INBOUND scenario), where you need to decrypt it with your private key.

The private key is never exchanged; only the public key is exchanged between systems.

Regards,

Lim...

Former Member
0 Kudos

If you are only acting as the client, then your private key will be used for authentication. If you are using a constructor which includes the password, then you could be telling the library to use a PasswordBasedAuth instead of PublicKeyAuth. I can't say for sure since I don't know the library you are using. You will need to search the library documentation for Public Key Authentication classes. You will likely see HostBasedAuth, PasswordBasedAuth and PublicKeyAuth (or something similar, I'm just guessing). Once you find the classes/config which support public key auth, then you should also see methods to load/parse your private key. How it is set up all depends on the library, but these 3 auth methods should be supported.

Thanks,

-Russ

Former Member
0 Kudos

Hi Russel,

I'm using the JSCAPE API; which library are you using? Maybe I need to switch, as my API doesn't have such methods.

Former Member
0 Kudos

No need to switch unless you find some other reason. I downloaded JCraft and created some sample code to get you started.

Good luck!

-Russ


package test;

import com.jcraft.jsch.Channel;
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;

public class Test {

  public static void main(String[] args) throws Exception {
    
    JSch jsch=new JSch();
    String userHome = System.getProperty("user.home");
    try {
      // Private key for public key authentication; the matching id_rsa.pub is what the partner installs.
      jsch.addIdentity(userHome + "/.ssh/id_rsa");
      // Host keys already trusted. No UserInfo is set, so an unknown or changed
      // host key makes connect() fail instead of prompting a user who is not there.
      jsch.setKnownHosts(userHome + "/.ssh/known_hosts");
    } catch (JSchException e) {
      System.out.println("Failed to init JSch!");
      throw(e);
    }
  
    String user = "user_name";
    String host = "localhost";
    int port = 22;
    
    Session session= null;
    ChannelSftp sftp = null;
  
    try {
      try {
        // Transport negotiation, host key check and authentication all happen in connect().
        session=jsch.getSession(user, host, port);    
        session.connect();    
      } catch (JSchException e) {
        System.out.println("Failed to connect to remote server!");
        throw e;
      }
      
      try {
        // The SFTP subsystem runs as a channel on top of the authenticated session.
        Channel channel=session.openChannel("sftp");
        channel.connect();
        sftp=(ChannelSftp)channel;
      } catch (JSchException e) {
        System.out.println("Failed to create sftp channel.");
        throw e;
      }
      
      try {           
        String currentDir = sftp.pwd();
        System.out.println("Working directory on remote system is: " + currentDir);           
      } catch (SftpException e) {
        System.out.println("Failed to invoke sftp command!");
        throw e;
      }   
        
      sftp.quit();
      
    } finally {
      // Always tear the session down, even when one of the steps above threw.
      if (session != null) 
        session.disconnect();             
    }
  }
}


Former Member
0 Kudos

Thanks a lot.

But JCraft is not documented properly at all; I just tried doing a simple program with password authentication and I don't know where to give it. I can't use AWT obviously! Could you just help me?

Former Member
0 Kudos

Authentication is attempted in this order (by default): publickey, keyboard-interactive, password.

So, you don't have to remove the addIdentity() line from the code (like I did below). If you leave it, it will try public key auth first. If public key fails, it will try password. Keyboard-interactive will be skipped unless you tell it to do it. If you end up wanting keyboard-interactive for some reason you will need to create a class which implements the UserInfo interface. This is what is shown in the Sftp.java JCraft example.

UserInfo ui=new MyUserInfo();
session.setUserInfo(ui);

However, I don't think you want to interact with a user, so don't do this. Just set the password directly as shown below.

package test;
 
import com.jcraft.jsch.Channel;
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;
 
public class Test {
 
  public static void main(String[] args) throws Exception {
    
    JSch jsch=new JSch();
    String userHome = System.getProperty("user.home");
    try {
//      jsch.addIdentity(userHome + "/.ssh/id_rsa");
      jsch.setKnownHosts(userHome + "/.ssh/known_hosts");
    } catch (JSchException e) {
      System.out.println("Failed to init JSch!");
      throw(e);
    }
  
    String user = "user_name";
    String host = "localhost";
    String pass = "123abc";
    int port = 22;
    
    Session session= null;
    ChannelSftp sftp = null;
  
    try {
      try {
        session=jsch.getSession(user, host, port);    
        session.setPassword(pass);        //Set the password **************
        session.connect();    
      } catch (JSchException e) {
        System.out.println("Failed to connect to remote server!");
        throw e;
      }
      
      try {
        Channel channel=session.openChannel("sftp");
        channel.connect();
        sftp=(ChannelSftp)channel;
      } catch (JSchException e) {
        System.out.println("Failed to create sftp channel.");
        throw e;
      }
      
      try {           
        String currentDir = sftp.pwd();
        System.out.println("Working directory on remote system is: " + currentDir);           
      } catch (SftpException e) {
        System.out.println("Failed to invoke sftp command!");
        throw e;
      }   
        
      sftp.quit();
      
    } finally {
      if (session != null) 
        session.disconnect();             
    }
  }
}

-Russ

Former Member
0 Kudos

Hi Russell,

Thanks a lot for your help, I really appreciate it. But I tried pwd login and it just says failed to connect to the server. I don't know what I'm doing wrong. The details uid, pwd, host IP are all correct. I tried to connect using the JSCAPE library and it works... I've added jsch-0.1.41.jar to my project in Eclipse.

Do you find any issue with the program I'm using below?

import com.jcraft.jsch.Channel;
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;
import com.jcraft.jsch.UIKeyboardInteractive;
import com.jcraft.jsch.UserInfo;

public class TestSSH {

  /**
   * @param args
   */
  public static void main(String[] args) {
    JSch jsch = new JSch();
    Session session = null;
    ChannelSftp sftp = null;

    try {
      try {
        session = jsch.getSession("username", "ip address of the server", 22);
        session.setPassword("pwd");
        session.connect();
      } catch (JSchException e) {
        System.out.println("Failed to connect to remote server!");
        throw e;
      }

      try {
        Channel channel = session.openChannel("sftp");
        channel.connect();
        sftp = (ChannelSftp) channel;
      } catch (JSchException e) {
        System.out.println("Failed to create sftp channel.");
        throw e;
      }

      try {
        String currentDir = sftp.pwd();
        System.out.println("Working directory on remote system is: " + currentDir);
      } catch (SftpException e) {
        System.out.println("Failed to invoke sftp command!");
        throw e;
      }

      sftp.quit();
    } catch (Exception e) {
      // Exception swallowed here: nothing is printed, so the reason for the failure is lost.
    }
  }
}

Former Member
0 Kudos

In my example I didn't catch the exception, I just had a finally block to close the session. The main method throws an Exception. In your example you will need to print the stack trace to see the error.

You may also want to create a Logger class to get more detail. I added two lines to your code:

1) JSch.setLogger(new ConsoleLogger());

2) e.printStackTrace();


import com.jcraft.jsch.Channel;
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;

public class TestSSH {

	public static void main(String[] args) {

		JSch jsch = new JSch();
		
		// Route JSch's internal log (key exchange, host key check, auth attempts) to the console.
		JSch.setLogger(new ConsoleLogger());
		
		Session session = null;
		ChannelSftp sftp = null;

		try {
			try {
				session = jsch.getSession("username", "ip address of the server", 22);
				session.setPassword("pwd");
				session.connect();
			} catch (JSchException e) {
				System.out.println("Failed to connect to remote server!");
				throw e;
			}

			try {
				Channel channel = session.openChannel("sftp");
				channel.connect();
				sftp = (ChannelSftp) channel;
			} catch (JSchException e) {
				System.out.println("Failed to create sftp channel.");
				throw e;
			}

			try {
				String currentDir = sftp.pwd();
				System.out.println("Working directory on remote system is: " + currentDir);
			} catch (SftpException e) {
				System.out.println("Failed to invoke sftp command!");
				throw e;
			}

			sftp.quit();
		} catch (Exception e) {
			// Print the real cause instead of silently dropping it.
			e.printStackTrace();
		}
	}
}

Here's the ConsoleLogger class you will need to create:


public class ConsoleLogger implements com.jcraft.jsch.Logger {
	public boolean isEnabled(int level) {
		return true;
	}

	public void log(int level, String msg) {
		System.out.println(msg);
	}
}
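Pulling the thread together, here is how the unattended XI-to-bank upload looks once host key verification and key-only authentication are both switched on. This is an added example, not Russ's code or a JCraft sample; the host name, user, key path, the XI_KEY_PASSPHRASE variable and the remote directory are assumptions.

```java
package test;

import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.HostKey;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

/**
 * Unattended SFTP upload with the settings a bank integration should not run without:
 *  - the bank's host key must already be in known_hosts; StrictHostKeyChecking=yes makes
 *    an unknown or changed key fail the connection instead of prompting (JSch reports
 *    "UnknownHostKey" or "HostKey has been changed");
 *  - authentication is restricted to the key pair, so no password is ever offered as a fallback;
 *  - the private key is passphrase-protected and the passphrase comes from the environment.
 */
public class BankSftpUpload {

  // Assumed values; replace with the bank's details.
  static final String HOST = "sftp.example-bank.test";
  static final int PORT = 22;
  static final String USER = "xi_service";
  static final String PRIVATE_KEY = System.getProperty("user.home") + "/.ssh/xi_to_bank";
  static final String KNOWN_HOSTS = System.getProperty("user.home") + "/.ssh/known_hosts";

  public static void upload(byte[] payload, String remotePath) throws JSchException, SftpException {
    String passphrase = System.getenv("XI_KEY_PASSPHRASE");
    if (passphrase == null) throw new IllegalStateException("XI_KEY_PASSPHRASE not set");

    JSch jsch = new JSch();
    jsch.addIdentity(PRIVATE_KEY, passphrase); // stays local; only signs the server's auth challenge
    jsch.setKnownHosts(KNOWN_HOSTS);           // populated once, out of band, with the bank's host key

    Session session = jsch.getSession(USER, HOST, PORT);
    session.setConfig("StrictHostKeyChecking", "yes");          // fail closed on unknown/changed host key
    session.setConfig("PreferredAuthentications", "publickey"); // no password or keyboard-interactive
    session.setTimeout(30_000);

    try {
      session.connect(30_000);
      // Record which key we trusted; this is the evidence you want when the bank rotates keys.
      HostKey hk = session.getHostKey();
      System.out.println("Server " + HOST + " presented " + hk.getType() + " key " + hk.getFingerPrint(jsch));

      ChannelSftp sftp = (ChannelSftp) session.openChannel("sftp");
      sftp.connect(30_000);
      try {
        // Upload under a temporary name and rename, so the bank never picks up a half-written file.
        String tmp = remotePath + ".part";
        sftp.put(new ByteArrayInputStream(payload), tmp, ChannelSftp.OVERWRITE);
        sftp.rename(tmp, remotePath);
      } finally {
        sftp.exit();
      }
    } finally {
      session.disconnect();
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample payload; in XI this would be the file produced by the proxy.
    byte[] sample = "H;20090101;EUR;1000.00\n".getBytes(StandardCharsets.UTF_8);
    upload(sample, "/inbound/payment_test.txt");
  }
}
```

Before the first run, known_hosts must contain the bank's key, otherwise connect() fails exactly as intended. Fetch it once (for example with ssh-keyscan, or from the bank's documentation) and compare the fingerprint with what the bank publishes before appending the line; trusting whatever the server presents on first contact defeats the check. With PreferredAuthentications set to publickey, the library never falls through to password, so a wrong or missing authorized_keys entry on the bank side surfaces as an "Auth fail" rather than an unexpected password attempt in the bank's logs.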

Answers (1)

Former Member
0 Kudos

The private key of a third party is never given to you, because it is used by the third party (in your case the bank) to decrypt what you have encrypted with the third party's public key.

When they say that you have to exchange public keys it means that you have to give the bank your public key and the bank has to provide you its own public key, so that the communication on both sides can be encrypted.

To be clear think about the public key as a mail box and the private key as the key to open the mail box.

Regards,

Sergio