Integrate SSH Public Key Authentication in Active Directory

Overview

TurboFTP Server is a multi-protocol secure file transfer server. SFTP and SCP are popular file transfer protocols that generally run on top of the SSH secure layer. When it comes to user authentication in SSH, public key authentication is considered more secure in that no password is sent over the network. TurboFTP Server supports SSH public key authentication in two different configurations. The first one is quite simple and similar to the OpenSSH server running on Linux: the server looks for the user's SSH public key in the ssh_key subfolder under the user's home folder. If a PEM format SSH public key exists, it will be loaded to authenticate the user (the ssh_key folder is hidden from the user's view when the user browses their home directory).

Alternatively, suppose Active Directory is the authentication method of a domain in TurboFTP Server, and you want users to access the SFTP/SCP service with SSH public key authentication. In that case, the SSH public key needs to be stored as an Active Directory attribute. This guide assumes that a valid AD user attribute, sshPublicKey, has been assigned to store the user's SSH public key, and shows how to configure TurboFTP Server and the SFTP client to make SSH public key authentication work.

Mapping SSH public key to AD users

To map the SSH public key to an AD user, we need to use ADSI Edit.

  1. Launch MMC and add ADSI Edit as a snap-in to MMC.

  2. Search for the user in the tree, right-click on it and select Properties. All attributes can be edited there.

  3. Select Attribute Editor, select sshPublicKey, and double-click on it. Copy and paste the user's PEM format SSH public key (only the Base64 key blob, excluding any delimiters or attributes) here and click OK.
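
One way to produce the bare Base64 blob that step 3 asks for. This is an added example, not TurboFTP's own code. It assumes the key file uses RFC 4716 (SSH2) or PEM-style "----" delimiters with optional "Name: value" header attributes; Get-SshKeyBlob is a hypothetical helper name and the sample key is constructed.

```powershell
# Added example: reduce a public key file to the bare Base64 blob for sshPublicKey.
# Assumption: RFC 4716 / PEM-style delimiters. Get-SshKeyBlob is a hypothetical helper.
function Get-SshKeyBlob {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $sb = New-Object System.Text.StringBuilder
    $inHeader = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Never place private key material in a directory attribute.
        if ($t -match 'PRIVATE KEY') { throw 'Input is a private key, not a public key.' }
        if ($inHeader) { $inHeader = $t.EndsWith('\'); continue }         # continued header line
        if ($t -eq '' -or $t.StartsWith('----')) { continue }             # BEGIN/END delimiters
        if ($t.Contains(':')) { $inHeader = $t.EndsWith('\'); continue }  # e.g. "Comment: ..."
        [void]$sb.Append($t)
    }
    $blob = $sb.ToString()
    if ($blob -eq '') { throw 'No key data found.' }
    $bytes = [Convert]::FromBase64String($blob)   # throws if the text is not valid Base64

    # An SSH wire-format key starts with a 4-byte big-endian length and the algorithm name.
    # Algorithm stays $null when the blob is not in that format.
    $alg = $null
    if ($bytes.Length -gt 4) {
        $len = ([int]$bytes[0] -shl 24) -bor ([int]$bytes[1] -shl 16) -bor
               ([int]$bytes[2] -shl 8) -bor [int]$bytes[3]
        if ($len -gt 0 -and $len -le ($bytes.Length - 4)) {
            $alg = [Text.Encoding]::ASCII.GetString($bytes, 4, $len)
        }
    }
    [pscustomobject]@{ Blob = $blob; Algorithm = $alg }
}

# Constructed sample: an all-zero ed25519 blob, not a real key.
[byte[]]$raw = @(0,0,0,11) + [Text.Encoding]::ASCII.GetBytes('ssh-ed25519') +
               @(0,0,0,32) + (New-Object byte[] 32)
$sample = @(
    '---- BEGIN SSH2 PUBLIC KEY ----'
    'Comment: "constructed sample"'
    [Convert]::ToBase64String($raw)
    '---- END SSH2 PUBLIC KEY ----'
)
$key = Get-SshKeyBlob -Lines $sample
'{0} ({1} Base64 characters)' -f $key.Algorithm, $key.Blob.Length
$key.Blob    # the value to paste into the sshPublicKey attribute
```

For a real key, pass the file's lines instead of the sample, for example `Get-SshKeyBlob -Lines (Get-Content <path to public key file>)`. A one-line OpenSSH key ("ssh-ed25519 AAAA... comment") is not in the assumed format and is rejected at the Base64 check.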

Configure TurboFTP Server to use AD as an external authentication source

Please refer to the article Set up Active Directory or LDAP Authentication in TurboFTP Server for this procedure.

To enable SSH public key authentication, be sure to enter the name of the AD attribute where the user's public key is stored.

Configure SFTP Client for SSH public key authentication

We demonstrate SFTP client configuration with the TurboFTP client.

  1. Launch the TurboFTP client, and select the site to configure in Address Book.

  2. Go to the Security tab and enable Use SSH public key authentication; provide the paths to the user's public and private keys.