How to use SFTP (with server validation - public key files)

As discussed in How to use SFTP (with server validation - known hosts), SFTP clients can validate servers by loading a list of approved servers and their public keys, and checking the server key against this list. The list is generally maintained in a file called known_hosts.

In SSHFTPClient, server validation is enabled by default - it must be explicitly disabled as described in How to use SFTP (without server validation).

Server public keys can also be kept in their own individual key files and used for server validation without being added to the known_hosts file. SSHFTPValidator supports explicitly adding server public keys in this way.

The addKnownHost method takes the hostname and the path of the public key file, as shown below:

ftp.getValidator().addKnownHost("hostname","myhost.dsa.pub");

Note that the server may send back either an RSA key or a DSA key. If the key file contains a DSA key for the host and the server returns an RSA key (or vice versa), server validation will fail. The server can be forced to send back a particular type of key as described in How to use SFTP (choosing algorithms).

SSH public key files have two standard formats - OpenSSH and SECSH. edtFTPj/PRO supports both of these public key formats. The format can be recognized from the first line of the file, as shown in the table below:

Public key type   Start of first line
---------------   -------------------------------
OpenSSH (DSA)     ssh-dss AAAAB3NzaC1kc3MAA ...
OpenSSH (RSA)     ssh-rsa AAAAB3NzaC1yc2EAA ...
SECSH             ---- BEGIN SSH2 PUBLIC KEY ----
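As an added example (not edtFTPj/PRO code and not part of this page), the following Python parses a public key file in either of the two formats in the table, reads the algorithm name from the encoded key blob, and checks it against the key type the server is expected to present, which is the DSA/RSA mismatch described above that makes validation fail. The sample key files are constructed with dummy key material and are not real keys.

```python
import base64
import struct
SECSH_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SECSH_END = "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def blob_algorithm(blob: bytes) -> str:
    # Every SSH public key blob starts with its algorithm name as a string
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")

def parse_public_key_file(text: str) -> dict:
    """Return {'format': 'OpenSSH'|'SECSH', 'algorithm': 'ssh-dss'|'ssh-rsa'};
    raise ValueError if the file is malformed or mislabelled."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0] == SECSH_BEGIN:
        if lines[-1] != SECSH_END:
            raise ValueError("SECSH file is missing its END line")
        # Skip RFC 4716 header lines ("Comment: ...", continued with a
        # trailing backslash); base64 never contains ':' so it marks a header.
        body, continued = [], False
        for ln in lines[1:-1]:
            if continued or ":" in ln:
                continued = ln.endswith("\\")
                continue
            body.append(ln)
        return {"format": "SECSH",
                "algorithm": blob_algorithm(base64.b64decode("".join(body)))}
    fields = lines[0].split() if lines else []
    if len(fields) < 2 or fields[0] not in ("ssh-dss", "ssh-rsa"):
        raise ValueError("not an OpenSSH or SECSH public key file")
    algorithm = blob_algorithm(base64.b64decode(fields[1]))
    if algorithm != fields[0]:  # first word must agree with the encoded blob
        raise ValueError(f"file says {fields[0]} but blob encodes {algorithm}")
    return {"format": "OpenSSH", "algorithm": algorithm}

def matches_server_key(text: str, server_algorithm: str) -> bool:
    # True when the file holds the key type the server will present, so
    # addKnownHost() validation will not fail on a DSA/RSA mismatch
    return parse_public_key_file(text)["algorithm"] == server_algorithm

# Constructed sample files with dummy key material (not real keys)
_dsa_blob = ssh_string(b"ssh-dss") + ssh_string(b"\x01") + ssh_string(b"\x02")
OPENSSH_DSA = "ssh-dss " + base64.b64encode(_dsa_blob).decode() + " user@host\n"
SECSH_DSA = "\n".join([SECSH_BEGIN, 'Comment: "constructed sample"',
                       base64.b64encode(_dsa_blob).decode(), SECSH_END, ""])
```

Because the blob is length-prefixed, the base64 of any ssh-dss blob begins with the AAAAB3NzaC1kc3M prefix listed in the table, which is why the first line alone identifies the key type.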

You can convert between the OpenSSH and SECSH formats using OpenSSH's ssh-keygen (which generates OpenSSH-format keys by default).

For example, to convert an OpenSSH public key generated by ssh-keygen to SECSH for use in a commercial SSH server, use:

ssh-keygen -f keyfile -e > keyfile.secsh