Using SSH2 Key Pairs

You can authenticate SSH2 connections with a public key ("certificate") instead of a password. To use public key authentication, you must send your public key to the server administrator before making an SSH2 connection. If the server is running OpenSSH, the administrator must convert the public key to OpenSSH format as described below.

If you have upgraded to CuteFTP v9 and are using key pairs created with CuteFTP v8, the password for an existing key will not work if it contains any Extended ASCII characters. You will have to reenter the password in Tools > Global Options > Security > SSH2 Security.

To use public key authentication in SSH2

  1. Create an SSH2 key pair.

  2. Send the Public key to the SSH2 server administrator.

  3. On the main menu, click Tools > Global Options, or press ALT+F7.

  4. Expand the Security node, then click SSH2 security.

  5. Select the Use public key authentication check box.

  6. In the Public key path and Private key path boxes, specify the paths to your public and private keys.

  7. In the Use Passphrase and Confirm passphrase boxes, type the passphrase for the key.

  8. Click OK.

The private key and passphrase are never transmitted over a connection. When the server attempts to authenticate:

  1. The server encrypts a random number with your public key and sends it to you.

  2. If you have not entered your passphrase in SSH2 security settings, CuteFTP asks you for your passphrase to activate the private key.

  3. The private key decrypts the number and sends it back to the server.

  4. The server recognizes the number as correct and allows the connection.

To convert the public key

  1. Create an identity file in the client.

  2. Send the public key (Identity.pub) to the server administrator (via FTP, e-mail, etc.).

  3. The server administrator must convert the public key to OpenSSH, check it with wordcount, and add it to authorized_keys.

    Command sequence (run on the OpenSSH server, in the account that will log in):

    # convert the SSH2 (RFC 4716) public key to OpenSSH format
    ssh-keygen -i -f Identity.pub > sshpub

    # check: the first number (line count) must be 1
    wc sshpub

    # append the key; '>>' adds it without overwriting keys already in the file
    cat sshpub >> ~/.ssh/authorized_keys

Word count should return a "1" as the first number: the converted key must be a single line, because OpenSSH reads authorized_keys one key per line. OpenSSH asks for the identity file's password the first time you log in. If CuteFTP fails to connect, contact our support team and provide the kernel version, OpenSSH build, and the CuteFTP build number (located under Help > About).
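The conversion that ssh-keygen -i performs above, written out as an added example (not CuteFTP's or OpenSSH's own code): it parses the multi-line SSH2 (RFC 4716) public key file, skips the header lines, decodes the base64 body to read the key type, and emits the single authorized_keys line that the wc check expects. The key material is constructed inside the block and is not a real key.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian two's complement, so a 0x00 pad byte when the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rfc4716_to_openssh(text: str) -> str:
    """Convert an RFC 4716 public key file into one OpenSSH authorized_keys line."""
    lines = [ln.rstrip("\r\n") for ln in text.splitlines()]
    if not lines or lines[0] != BEGIN or END not in lines:
        raise ValueError("not an RFC 4716 public key file")
    comment, body, i = "", [], 1
    while lines[i] != END:
        line = lines[i]
        if not body and ":" in line:        # header line (base64 never contains ':')
            while line.endswith("\\"):      # RFC 4716 header continuation lines
                i += 1
                line = line[:-1] + lines[i]
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])  # first wire string is the key type
    keytype = blob[4:4 + tlen].decode("ascii")
    if keytype not in KNOWN_TYPES:
        raise ValueError(f"unexpected key type {keytype!r}")
    return " ".join(filter(None, [keytype, base64.b64encode(blob).decode("ascii"), comment]))


def constructed_rfc4716_key() -> str:
    """A constructed throwaway RSA public key in RFC 4716 layout; the modulus is a dummy, not a real key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE0DDBA11)
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = [b64[j:j + 70] for j in range(0, len(b64), 70)]  # RFC 4716 wraps the body
    return "\n".join([BEGIN, 'Comment: "constructed test key"', *wrapped, END]) + "\n"
```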