Advanced SSH Key Management

SSH keys are essential for secure SFTP and SCP connections in CompleteFTP. The server uses SSH key pairs for host authentication, while clients can use SSH public keys for user authentication. The CLI provides comprehensive SSH key management for both server-side host keys and client authentication keys.

Overview

SSH key management in CompleteFTP involves:

  • Server SSH keys - Host keys used to identify the server to clients
  • User SSH keys - Public keys for client authentication
  • Key algorithms - Support for RSA, DSA, ECDSA, and Ed25519 keys
  • Key import/export - Managing keys from files and other sources

SSH key operations use the completeftp site key and completeftp user key command groups.

Server SSH Key Management

Server SSH keys (host keys) are used to authenticate the server to connecting clients. CompleteFTP supports multiple key algorithms simultaneously.

Viewing Server SSH Keys

# Show all SSH keys for the default site
completeftp site key show default

# Show specific key types
completeftp site key show default rsa ecdsa.p256

# Use interactive viewer for detailed key information
completeftp site key show default -v

Available key types:

  • rsa - RSA keys (2048-bit or higher)
  • dsa - DSA keys (deprecated, not recommended)
  • ecdsa.p256 - ECDSA P-256 curve keys
  • ecdsa.p384 - ECDSA P-384 curve keys
  • ecdsa.p521 - ECDSA P-521 curve keys
  • ed25519 - Ed25519 keys (modern, recommended)

Importing Server SSH Keys

# Import RSA private key
completeftp site key import default /path/to/ssh_host_rsa_key

# Import a passphrase-protected private key (the passphrase is the optional last argument)
completeftp site key import default /path/to/encrypted_key mypassword
# A passphrase typed on the command line ends up in shell history and is visible in the
# process list while the command runs. Run the import from an interactive console and
# clear the history entry afterwards, or strip the passphrase first
# (ssh-keygen -p -N "" -f /path/to/encrypted_key) in a directory only you can read.

# Import ECDSA key
completeftp site key import default /path/to/ssh_host_ecdsa_key

# Import Ed25519 key
completeftp site key import default /path/to/ssh_host_ed25519_key
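Before importing a private key it helps to know which algorithm it is, whether it carries a passphrase (and so needs the password argument), and that its file mode is restrictive. The Python below is an added example written for this page, not CompleteFTP code: it reads only the header of the OpenSSH private-key container (the key material is never decoded) and runs against constructed sample files. The Ed25519 public point and the private section in the samples are dummy bytes, not a real key.

```python
"""Pre-import checks for an OpenSSH private key file. Added example, not
CompleteFTP code: confirms the armor, reads the openssh-key-v1 header to
learn the key algorithm and whether a passphrase is set (i.e. whether
`site key import` needs the password argument), and checks the file mode."""
import base64
import os
import stat
import struct
import tempfile

AUTH_MAGIC = b"openssh-key-v1\0"
ARMOR_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
ARMOR_END = b"-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(data: bytes) -> dict:
    """Parse armor and container header only; private material is never decoded."""
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an OpenSSH-format private key; PEM/PKCS#8 keys need converting")
    blob = base64.b64decode(b"".join(lines[1:-1]))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(AUTH_MAGIC)
    cipher, off = _read_string(blob, off)     # "none" when unencrypted
    kdf, off = _read_string(blob, off)        # "none" or "bcrypt"
    _kdfopts, off = _read_string(blob, off)   # salt + rounds when bcrypt
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError(f"expected one key in container, found {nkeys}")
    pub, off = _read_string(blob, off)        # public key blob, always in clear
    keytype, _ = _read_string(pub, 0)
    return {"key_type": keytype.decode(), "encrypted": cipher != b"none",
            "cipher": cipher.decode(), "kdf": kdf.decode()}


def check_key_file(path: str) -> dict:
    """inspect_private_key() plus a mode check: host keys should be 0600."""
    with open(path, "rb") as f:
        info = inspect_private_key(f.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    info["mode"] = oct(mode)
    info["mode_ok"] = (mode & 0o077) == 0    # no group/other bits at all
    return info


# Constructed sample containers (not real keys): a made-up Ed25519 public
# point and a dummy private section, since only the header is read.
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _container(cipher: bytes, kdf: bytes, kdfopts: bytes) -> bytes:
    pub = _s(b"ssh-ed25519") + _s(b"\x11" * 32)
    body = (AUTH_MAGIC + _s(cipher) + _s(kdf) + _s(kdfopts)
            + struct.pack(">I", 1) + _s(pub) + _s(b"\x00" * 64))
    b64 = base64.b64encode(body)
    wrapped = b"\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ARMOR_BEGIN + b"\n" + wrapped + b"\n" + ARMOR_END + b"\n"


SAMPLE_PLAIN = _container(b"none", b"none", b"")
SAMPLE_ENCRYPTED = _container(b"aes256-ctr", b"bcrypt",
                              _s(b"\x22" * 16) + struct.pack(">I", 16))


def demo() -> dict:
    """Write the plain sample at 0600 and 0644, check both, plus the encrypted one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("good", 0o600), ("loose", 0o644)):
            p = os.path.join(d, f"host_ed25519_{name}")
            with open(p, "wb") as f:
                f.write(SAMPLE_PLAIN)
            os.chmod(p, mode)
            results[name] = check_key_file(p)
    results["encrypted"] = inspect_private_key(SAMPLE_ENCRYPTED)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: {info}")
```

Run `check_key_file("/path/to/ssh_host_ed25519_key")` on the real file before `site key import`: an `encrypted` result of True means the import needs the password argument, and `mode_ok` False means the file was readable by more than its owner at some point and should be regenerated rather than just chmod'ed.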

Removing Server SSH Keys

# Remove RSA key
completeftp site key remove default rsa

# Remove all ECDSA keys
completeftp site key remove default ecdsa.p256 ecdsa.p384 ecdsa.p521

# Remove deprecated DSA key
completeftp site key remove default dsa

# Remove multiple key types
completeftp site key remove default rsa dsa

User SSH Key Management

Users can authenticate with an SSH public key instead of a password. The private key never leaves the client, so there is nothing to phish or to guess over the network, and unattended transfers can run without a stored password. Only the public half is registered with CompleteFTP; the CLI never handles the user's private key.

Viewing User SSH Keys

# List all SSH public keys for a user
completeftp user key show alice

# View keys with interactive viewer
completeftp user key show alice -v

Adding User SSH Keys

# Add SSH public key from file
completeftp user key add alice "$(cat /path/to/alice_id_rsa.pub)"

# Add key by pasting directly
completeftp user key add alice "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7... alice@workstation"

# Add ECDSA public key
completeftp user key add alice "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY... alice@laptop"

# Add Ed25519 public key
completeftp user key add alice "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... alice@server"
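Neither ssh-keygen nor the user key add command tells you whether a pasted line meets your key policy. The Python below is an added example for this page, not CompleteFTP code. It checks a public-key line before it is handed to the CLI: it parses the authorized_keys-style line, confirms the base64 blob really is the algorithm the prefix claims, rejects ssh-dss, enforces an allow-list and a minimum RSA size (the allow-list and the 3072-bit figure are assumed policy values), and returns the SHA256 fingerprint for your records, the same value ssh-keygen -l prints. The sample lines are constructed from fixed bytes, not real keys.

```python
"""Check a public-key line before handing it to `completeftp user key add`.
Added example, not CompleteFTP code. Parses the authorized_keys-style line,
verifies the blob really is the algorithm the prefix claims, rejects DSA,
enforces an allow-list and a minimum RSA size (assumed policy values), and
returns the SHA256 fingerprint, the same value ssh-keygen -l prints."""
import base64
import hashlib
import struct

ALLOWED = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
           "ecdsa-sha2-nistp521", "ssh-rsa"}
RSA_MIN_BITS = 3072                    # assumed policy; 2048 is the absolute floor
CURVES = {"ecdsa-sha2-nistp256": b"nistp256", "ecdsa-sha2-nistp384": b"nistp384",
          "ecdsa-sha2-nistp521": b"nistp521"}


def _read_string(buf: bytes, off: int):
    """One SSH wire string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_public_key_line(line: str) -> dict:
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if keytype == "ssh-dss":
        raise ValueError("DSA keys are deprecated; ask the user for an Ed25519 key")
    if keytype not in ALLOWED:
        raise ValueError(f"{keytype} is not an allowed key type")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from None
    inner, off = _read_string(blob, 0)
    if inner != keytype.encode():
        raise ValueError(f"prefix says {keytype} but blob says {inner.decode(errors='replace')}")
    info = {"type": keytype, "comment": comment, "fingerprint": fingerprint(blob)}
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()   # mpint may carry a leading 0x00
        if info["bits"] < RSA_MIN_BITS:
            raise ValueError(f"RSA modulus is {info['bits']} bits; policy requires {RSA_MIN_BITS}")
    elif keytype in CURVES:
        curve, off = _read_string(blob, off)
        if curve != CURVES[keytype]:
            raise ValueError(f"curve {curve!r} does not match {keytype}")
        _point, off = _read_string(blob, off)
        info["bits"] = int(curve[-3:])
    else:                                                      # ssh-ed25519
        point, off = _read_string(blob, off)
        if len(point) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        info["bits"] = 256
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return info


# Constructed sample lines (not real keys): blobs are built from fixed bytes and a
# modulus of the wanted length, which is all the checks above look at.
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def _rsa_line(bits: int, comment: str) -> str:
    blob = _s(b"ssh-rsa") + _s(_mpint(65537)) + _s(_mpint((1 << (bits - 1)) | 0x10001))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


ED25519_BLOB = _s(b"ssh-ed25519") + _s(b"\x11" * 32)
SAMPLES = {
    "ed25519": f"ssh-ed25519 {base64.b64encode(ED25519_BLOB).decode()} alice@workstation",
    "rsa4096": _rsa_line(4096, "alice@laptop"),
    "rsa2048": _rsa_line(2048, "alice@old-laptop"),            # below the assumed policy
    "mismatch": f"ssh-rsa {base64.b64encode(ED25519_BLOB).decode()} alice@spoof",
    "dsa": "ssh-dss AAAAB3NzaC1kc3MAAACBAP alice@ancient",
}


def run_samples() -> dict:
    """Each sample's parsed info, or the rejection message as a string."""
    out = {}
    for name, line in SAMPLES.items():
        try:
            out[name] = check_public_key_line(line)
        except ValueError as exc:
            out[name] = str(exc)
    return out


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

Wrap the CLI call with it, for example `check_public_key_line("$(cat alice_id_ed25519.pub)")` in a small script that only runs `completeftp user key add` when the check returns, and store the returned fingerprint next to the user name: that is the identifier you will want when a key has to be revoked later and `user key show` only gives you an index.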

Removing User SSH Keys

# List keys to see their indices (0-based, in the order shown)
completeftp user key show alice

# Remove a key by index
completeftp user key remove alice 0

# Treat indices as positions in the current listing, not stable identifiers:
# re-run show before each remove rather than reusing a number from an earlier
# listing, and record each key's fingerprint (ssh-keygen -lf) when you add it
# so you can tell which index belongs to which key.
completeftp user key show alice
completeftp user key remove alice 1

SSH Key Algorithms and Security

Algorithm Comparison

Algorithm     Key size        Security level        Signing speed   Recommendation
RSA           2048-4096 bit   112 bit at 2048,      Moderate        Acceptable; use 3072 bit or more
                              ~128 bit at 3072                      with rsa-sha2-256/512 signatures
DSA           1024 bit        ~80 bit, SHA-1 only   Fast            Deprecated; remove
ECDSA P-256   256 bit         128 bit               Fast            Good
ECDSA P-384   384 bit         192 bit               Fast            Good
ECDSA P-521   521 bit         256 bit               Fast            Good
Ed25519       256 bit         128 bit               Fastest         Recommended

Security level is the usual symmetric-equivalent estimate. SSH's ssh-dss is fixed at 1024-bit keys with SHA-1 signatures, which is why it is deprecated regardless of how it is implemented. Ed25519 is recommended over the ECDSA curves not for a higher level but because its signatures are deterministic: ECDSA needs a fresh, unpredictable nonce per signature, and a bad one leaks the private key.

Modern Key Recommendations

# Configure site to prefer modern algorithms
completeftp site set default sshKeyAlgorithm="ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"

# Remove deprecated DSA keys
completeftp site key remove default dsa

# Ensure strong key exchange methods
completeftp site set default sshKeyExchange="curve25519-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256"

SSH Key Generation and Conversion

While CompleteFTP doesn't generate SSH keys directly, you can use standard tools to create keys for import.

Generating Keys with ssh-keygen

# Generate the keys in a directory only the administrator can read rather than a
# world-readable /tmp: ssh-keygen creates the private key 0600, but the directory
# is yours to secure. -N "" sets an empty passphrase, which is what a host key needs
# so the server can load it unattended. Delete the files once they are imported.

# Generate Ed25519 key pair (recommended)
ssh-keygen -t ed25519 -f /tmp/completeftp_ed25519 -N ""

# Generate ECDSA P-521 key pair
ssh-keygen -t ecdsa -b 521 -f /tmp/completeftp_ecdsa -N ""

# Generate RSA key pair (4096-bit; 3072 is the smallest size worth creating today)
ssh-keygen -t rsa -b 4096 -f /tmp/completeftp_rsa -N ""

# Import the private key to CompleteFTP. Keep the matching .pub file: its fingerprint
# (ssh-keygen -lf /tmp/completeftp_ed25519.pub) is what clients should be told to expect.
completeftp site key import default /tmp/completeftp_ed25519

Converting Key Formats

ssh-keygen's -i (import) and -e (export) flags convert public keys only; -m selects the foreign format (RFC4716 is the default, PEM and PKCS8 are the two OpenSSL styles).

# Convert an RFC 4716 or PEM public key to OpenSSH one-line format
ssh-keygen -i -m RFC4716 -f key.rfc4716.pub > key.pub
ssh-keygen -i -m PEM -f key.pem.pub > key.pub

# Convert an OpenSSH public key to RFC 4716 or PEM format
ssh-keygen -e -m RFC4716 -f key.pub > key.rfc4716.pub
ssh-keygen -e -m PEM -f key.pub > key.pem.pub

# Convert a private key to PEM (rewrites the file in place; -P and -N are the old and new
# passphrase, empty here). Ed25519 private keys have no PEM form and stay in OpenSSH format.
ssh-keygen -p -m PEM -P "" -N "" -f private_key

# Extract the public key from a private key (also a quick check that the private key parses)
ssh-keygen -y -f private_key > public_key.pub

SSH Key Management Workflows

Initial Server Setup

# 1. Check existing server keys
completeftp site key show default

# 2. Remove weak DSA keys if present
completeftp site key remove default dsa

# 3. Import or generate strong keys
ssh-keygen -t ed25519 -f /tmp/host_ed25519 -N ""
ssh-keygen -t ecdsa -b 521 -f /tmp/host_ecdsa -N ""
completeftp site key import default /tmp/host_ed25519
completeftp site key import default /tmp/host_ecdsa

# 4. Configure preferred algorithms. List only algorithms the site holds a key for:
#    a server can only offer host-key algorithms it can sign with, so an entry without
#    a key is never offered, and a client restricted to that algorithm then fails with
#    "no matching host key type found".
completeftp site set default sshKeyAlgorithm="ssh-ed25519,ecdsa-sha2-nistp521"

# 5. Verify configuration
completeftp site key show default

User Key-Based Authentication Setup

# 1. Create user account
completeftp user add alice internal

# 2. Enable SFTP for the user
completeftp user set alice sftpEnabled=true

# 3. Add user's public key
completeftp user key add alice "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... alice@workstation"

# 4. Configure SSH authentication methods. This is a site-wide setting: "publickey"
#    alone turns off password login for every SFTP user of the site, so apply it only
#    once all of them have keys registered.
completeftp site set default sshAuthMethods="publickey"

# 5. Test the connection as the user. CompleteFTP is serving SFTP, so test with sftp;
#    IdentitiesOnly stops the client from offering every key in the agent first.
# sftp -o IdentitiesOnly=yes -i /path/to/alice_private_key alice@yourserver

Key Rotation and Security Maintenance

Host keys are identified by algorithm (compare site key remove default rsa), so importing a key of a type the site already has replaces it rather than adding a second one. Clients that have the old key in known_hosts will then refuse to connect with a host-key-changed warning until they are updated, so publish the new fingerprint before the import, not after.

# 1. Generate the new server key in a directory only you can read
ssh-keygen -t ed25519 -f /tmp/new_host_ed25519 -N ""

# 2. Record and publish its fingerprint out of band (wiki, ticket, signed mail), so
#    clients verify the new key instead of blindly accepting whatever they are shown
ssh-keygen -lf /tmp/new_host_ed25519.pub

# 3. Import the new key; it replaces the current Ed25519 host key
completeftp site key import default /tmp/new_host_ed25519

# 4. Have clients replace the old entry in known_hosts (ssh-keygen -R your.server.com
#    removes it; the next connection re-learns the key, checked against the fingerprint)

# 5. Remove legacy key types only once no client still depends on them; for a client
#    that pinned the RSA key this is also a host-key change
completeftp site key remove default rsa

# 6. Verify only strong keys remain
completeftp site key show default
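Step 4 above is where rotations usually go wrong: clients keep the old entry and refuse to connect. The Python below is an added example for this page, not CompleteFTP code. It takes ssh-keyscan-style output for the site and an existing known_hosts file, replaces entries whose key changed, appends key types the server newly offers, leaves other hosts alone, and reports old and new fingerprints so the operator can confirm them against what was published. It also handles hashed known_hosts entries (|1|salt|mac), which OpenSSH matches with HMAC-SHA1 keyed by the salt. The known_hosts content and scan output are constructed, and the key blobs are dummy bytes rather than real keys.

```python
"""Reconcile a known_hosts file with a rotated CompleteFTP host key. Added
example, not CompleteFTP code. Entries for the target host whose key changed
are replaced, key types the server newly offers are appended, other hosts
are untouched, and old/new fingerprints are reported for verification.
Hashed entries (|1|salt|mac) are matched the way OpenSSH does: HMAC-SHA1 of
the hostname keyed with the salt. All inputs below are constructed."""
import base64
import hashlib
import hmac


def fingerprint(b64_blob: str) -> str:
    """What ssh-keygen -l prints: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_field_matches(field: str, host: str) -> bool:
    """field is 'host1,host2' (or '[host]:port'), or a hashed '|1|salt|mac' entry."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def parse_line(line: str):
    """-> (hostfield, keytype, blob) or None for blanks, comments and @marker lines."""
    s = line.strip()
    if not s or s.startswith(("#", "@")):     # @cert-authority/@revoked lines pass through
        return None
    parts = s.split()
    return tuple(parts[:3]) if len(parts) >= 3 else None


def reconcile(known_hosts: str, scan_output: str, host: str):
    """Return (updated known_hosts text, report)."""
    scanned = {}                                            # keytype -> blob from ssh-keyscan
    for line in scan_output.splitlines():
        p = parse_line(line)
        if p and host_field_matches(p[0], host):
            scanned[p[1]] = p[2]
    report = {"changed": [], "added": [], "unchanged": [], "stale": [], "other_lines": 0}
    out, seen = [], set()
    for line in known_hosts.splitlines():
        p = parse_line(line)
        if p is None or not host_field_matches(p[0], host):
            out.append(line)                                 # comments, markers, other hosts
            report["other_lines"] += 1
            continue
        hostfield, keytype, blob = p
        seen.add(keytype)
        if keytype not in scanned:
            report["stale"].append(keytype)                  # server no longer offers it
            out.append(line)
        elif scanned[keytype] == blob:
            report["unchanged"].append(keytype)
            out.append(line)
        else:
            report["changed"].append((keytype, fingerprint(blob), fingerprint(scanned[keytype])))
            out.append(f"{hostfield} {keytype} {scanned[keytype]}")   # hashed field stays hashed
    for keytype, blob in scanned.items():
        if keytype not in seen:
            report["added"].append((keytype, fingerprint(blob)))
            out.append(f"{host} {keytype} {blob}")
    return "\n".join(out) + "\n", report


# Constructed sample data: blobs are dummy bytes, not real keys
def _blob(keytype: str, seed: bytes) -> str:
    return base64.b64encode(keytype.encode() + seed).decode()


def hashed_field(host: str, salt: bytes = b"\x05" * 20) -> str:
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"


HOST = "your.server.com"
OLD_ED, NEW_ED = _blob("ssh-ed25519", b"\x01" * 32), _blob("ssh-ed25519", b"\x02" * 32)
RSA, NEW_ECDSA = _blob("ssh-rsa", b"\x03" * 64), _blob("ecdsa-sha2-nistp521", b"\x04" * 64)
OTHER_ED = _blob("ssh-ed25519", b"\x09" * 32)
KNOWN_HOSTS = (
    "# constructed known_hosts\n"
    f"{HOST},203.0.113.10 ssh-rsa {RSA}\n"
    f"{hashed_field(HOST)} ssh-ed25519 {OLD_ED}\n"
    f"other.example.net ssh-ed25519 {OTHER_ED}\n"
)
SCAN = (                                                    # constructed ssh-keyscan output
    f"{HOST} ssh-ed25519 {NEW_ED}\n"
    f"{HOST} ecdsa-sha2-nistp521 {NEW_ECDSA}\n"
    f"{HOST} ssh-rsa {RSA}\n"
)


def demo():
    return reconcile(KNOWN_HOSTS, SCAN, HOST)


if __name__ == "__main__":
    text, report = demo()
    print(report)
    print(text)
```

On a real client, feed it `ssh-keyscan -p 22 your.server.com` output and the user's ~/.ssh/known_hosts, and refuse to write the result unless every fingerprint in `report["changed"]` and `report["added"]` matches the one published in step 2; a scan alone only proves what the network showed you, not that it was your server.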

SSH Configuration Integration

Client Configuration

For clients connecting to CompleteFTP, configure SSH client settings. The algorithm lines below restrict what the client will accept, so each must overlap with the site's configuration (HostKeyAlgorithms in particular must include a type the site actually holds a key for), or the connection is refused before authentication starts:

# ~/.ssh/config
Host completeftp-server
    HostName your.server.com
    Port 22
    User alice
    IdentityFile ~/.ssh/alice_ed25519
    PubkeyAuthentication yes
    PasswordAuthentication no
    KexAlgorithms curve25519-sha256,ecdh-sha2-nistp521
    HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

Server Algorithm Configuration

# Configure preferred key exchange methods
completeftp site set default sshKeyExchange="curve25519-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384"

# Set preferred host key algorithms
completeftp site set default sshKeyAlgorithm="ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384"

# Configure cipher preferences
completeftp site set default sshCipher="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"

# Set MAC algorithms
completeftp site set default sshMAC="umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
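The client and site lists above only work together if they overlap, and the order that decides the outcome is the client's, not the server's. The Python below is an added example for this page, not CompleteFTP code. It applies the SSH negotiation rule (the client's first preference that the server also supports wins, RFC 4253 section 7.1), limits the server's host-key offer to algorithms it actually holds a key for, and flags weak winners. The inputs are constructed from the ~/.ssh/config and site settings shown on this page plus a legacy client for contrast; the mapping from CompleteFTP key-type names to signature algorithms is an assumption of the example.

```python
"""Predict what an SSH client and a CompleteFTP site will negotiate. Added
example, not CompleteFTP code. Per RFC 4253 s7.1 each algorithm class is
settled by the first entry in the client's list that the server also offers;
an empty intersection aborts the connection. A server can only offer host-key
algorithms for which it holds a key, so the site's sshKeyAlgorithm list is
filtered by the key types present (mapping assumed for this example)."""

# CompleteFTP key type name -> signature algorithms that key can serve (assumed mapping)
HOSTKEY_ALGS_FOR = {
    "rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "dsa": ["ssh-dss"],
    "ecdsa.p256": ["ecdsa-sha2-nistp256"],
    "ecdsa.p384": ["ecdsa-sha2-nistp384"],
    "ecdsa.p521": ["ecdsa-sha2-nistp521"],
    "ed25519": ["ssh-ed25519"],
}

# Algorithms that must never win a negotiation on a hardened site
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "hostkey": {"ssh-dss", "ssh-rsa"},        # ssh-rsa = RSA with SHA-1 signatures
    "cipher": {"3des-cbc", "aes128-cbc", "aes256-cbc", "arcfour"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
}


def _split(csv: str) -> list:
    return [a.strip() for a in csv.split(",") if a.strip()]


def negotiate(client_list: str, server_list: str):
    """First client preference the server also supports, else None (connection fails)."""
    server = set(_split(server_list))
    return next((a for a in _split(client_list) if a in server), None)


def server_hostkey_offer(site_hostkey_algs: str, keys_present: list) -> str:
    """Drop configured host-key algorithms the site has no key to sign with."""
    servable = {a for k in keys_present for a in HOSTKEY_ALGS_FOR.get(k, [])}
    return ",".join(a for a in _split(site_hostkey_algs) if a in servable)


def check_connection(client: dict, site: dict, keys_present: list) -> dict:
    """Return the chosen algorithm per class, plus 'ok' and a list of 'problems'."""
    offers = {"kex": site["sshKeyExchange"],
              "hostkey": server_hostkey_offer(site["sshKeyAlgorithm"], keys_present),
              "cipher": site["sshCipher"],
              "mac": site["sshMAC"]}
    result, problems = {}, []
    for cls, server_list in offers.items():
        chosen = negotiate(client[cls], server_list)
        result[cls] = chosen
        if chosen is None:
            problems.append(f"no common {cls} algorithm (server offers: {server_list or 'nothing'})")
        elif chosen in WEAK[cls]:
            problems.append(f"weak {cls} algorithm would be used: {chosen}")
    result["ok"], result["problems"] = not problems, problems
    return result


# Constructed inputs: the ~/.ssh/config and site settings from this page, a legacy
# client that prefers old algorithms, and a site that still allows them.
CLIENT_HARDENED = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp521",
    "hostkey": "ssh-ed25519,ecdsa-sha2-nistp521",
    "cipher": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    "mac": "umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com",
}
CLIENT_LEGACY = {
    "kex": "diffie-hellman-group14-sha1,curve25519-sha256",
    "hostkey": "ssh-rsa,ssh-ed25519",
    "cipher": "aes128-cbc,aes256-gcm@openssh.com",
    "mac": "hmac-sha1,hmac-sha2-256-etm@openssh.com",
}
SITE = {
    "sshKeyExchange": "curve25519-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384",
    "sshKeyAlgorithm": "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384",
    "sshCipher": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com",
    "sshMAC": "umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com",
}
# Weak entries appended last: server order does not protect against a client that prefers them
SITE_PERMISSIVE = {
    "sshKeyExchange": SITE["sshKeyExchange"] + ",diffie-hellman-group14-sha1",
    "sshKeyAlgorithm": SITE["sshKeyAlgorithm"] + ",rsa-sha2-512,ssh-rsa",
    "sshCipher": SITE["sshCipher"] + ",aes128-cbc",
    "sshMAC": SITE["sshMAC"] + ",hmac-sha1",
}


def demo() -> dict:
    return {
        "hardened_client": check_connection(CLIENT_HARDENED, SITE, ["ed25519", "rsa"]),
        "hardened_client_rsa_key_only": check_connection(CLIENT_HARDENED, SITE, ["rsa"]),
        "legacy_client_hardened_site": check_connection(CLIENT_LEGACY, SITE, ["ed25519", "rsa"]),
        "legacy_client_permissive_site": check_connection(CLIENT_LEGACY, SITE_PERMISSIVE, ["ed25519", "rsa"]),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "OK" if r["ok"] else "FAIL", r["problems"] or "")
```

Two of the four cases are the ones worth remembering: the hardened client against a site that only has an RSA key imported fails outright, because the site's sshKeyAlgorithm list names no algorithm that key can serve; and the legacy client against the permissive site ends up on SHA-1 key exchange, ssh-rsa, CBC and hmac-sha1 even though the site lists them last. The only effective control is removing weak entries from the site, which is what the `site set` commands above do.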

Troubleshooting SSH Key Issues

Server Key Problems

# Check if server keys are loaded
completeftp site key show default

# Verify key file permissions (if importing from files): private keys should show
# -rw------- (0600) and be owned by the administrator doing the import
ls -la /path/to/ssh_host_*

# Fetch the host keys the server actually offers and print their fingerprints;
# compare them with ssh-keygen -lf on the .pub file of each imported key
ssh-keyscan -p 22 your.server.com | ssh-keygen -lf -

# Check SSH algorithm configuration
completeftp site show default sshKeyAlgorithm

User Authentication Issues

# Verify user has SSH keys configured
completeftp user key show alice

# Check if SFTP is enabled for user
completeftp user show alice sftpEnabled

# Verify SSH authentication methods
completeftp site show default sshAuthMethods

# Check that the public key file parses, and see its type, size and fingerprint
ssh-keygen -l -f /path/to/public_key.pub

Key Format Issues

# Check that the private key parses: prints the public key, and prompts for a passphrase
# if the key has one (in which case the import needs the password argument)
ssh-keygen -y -f /path/to/private_key

# Check public key format, size and fingerprint
ssh-keygen -l -f /path/to/public_key.pub

# Convert a public key from RFC 4716 or PEM to OpenSSH format if needed
ssh-keygen -i -m RFC4716 -f old_format.pub > new_format.pub

Security Best Practices

Server Key Management

  1. Use modern algorithms - Offer Ed25519 and ECDSA host keys; keep RSA only for clients that need it, and then with rsa-sha2 signatures
  2. Remove weak keys - Eliminate DSA keys and any RSA key under 2048 bits (regenerate at 3072 or more)
  3. Regular key rotation - Replace server keys on a schedule and whenever an administrator who had access to them leaves
  4. Secure key storage - Keep private key files 0600, generate them outside world-readable directories, and delete the files once imported
  5. Monitor key usage - Log which host-key algorithm each session negotiates so legacy key types can be removed once nothing uses them

User Key Management

  1. Enforce key-based authentication - Disable password authentication where possible
  2. Key lifecycle management - Remove keys for departed users
  3. Strong key requirements - Require minimum key sizes and modern algorithms
  4. Key documentation - Maintain records of user keys and their purposes
  5. Regular audits - Review user keys periodically

Algorithm Configuration

  1. Disable weak algorithms - Remove support for deprecated methods
  2. Prefer modern ciphers - Use ChaCha20-Poly1305 and AES-GCM
  3. Strong key exchange - Use Curve25519 and ECDH
  4. Secure MACs - Prefer ETM (Encrypt-then-MAC) modes
  5. Regular updates - Keep algorithm preferences current with security recommendations

Quick Reference

Server SSH Key Commands

# View server keys
completeftp site key show <siteName> [keyTypes]

# Import server key
completeftp site key import <siteName> <keyFilePath> [password]

# Remove server keys
completeftp site key remove <siteName> <algorithms>

User SSH Key Commands

# View user keys
completeftp user key show <userName>

# Add user key
completeftp user key add <userName> <publicKey>

# Remove user key
completeftp user key remove <userName> <index>

Key Algorithms

# Server key types
rsa, dsa, ecdsa.p256, ecdsa.p384, ecdsa.p521, ed25519

# Recommended algorithms (in order of preference)
ssh-ed25519
ecdsa-sha2-nistp521
ecdsa-sha2-nistp384
ecdsa-sha2-nistp256
rsa-sha2-512 (minimum 2048-bit)

SSH Configuration Properties

# Algorithm preferences
sshKeyAlgorithm="ssh-ed25519,ecdsa-sha2-nistp521"
sshKeyExchange="curve25519-sha256,ecdh-sha2-nistp521"
sshCipher="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"
sshMAC="umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com"

# Authentication methods
sshAuthMethods="publickey,password"