Rebex File Server
SFTP, SCP and SSH server library for .NET
Download 30-day free trial Buy from $349More .NET libraries
-
Rebex SFTP
.NET SFTP client
-
Rebex FTP/SSL
.NET FTP/SSL client
-
Rebex Total Pack
All Rebex libraries together
Back to feature list...
Private keys
On this page:
Loading and saving SSH keys
When an SSH connection is established, the server presents its public key to the client and proves ownership of the corresponding private key. This makes it possible for the client to verify the identity of the server.
Optionally, the client can also use a public/private key pair of its own to log into the server (public/private key authentication).
In Rebex File Server, public keys are represented by SshPublicKey object and private keys by SshPrivateKey object. SshPrivateKey supports
several private key formats: PKCS #8, OpenSSH/OpenSSL and PuTTY .ppk.
SshPrivateKey object can generate private/public key pairs.
// load a private key (works for all formats)
var serverKey = new SshPrivateKey("server_key.ppk", "key_password");
// save a private key (in the specified format)
serverKey.Save("server_key.pri", "key_password", SshPrivateKeyFormat.OpenSsh);
// use the key as server private key
server.Keys.Add(serverKey);
' load a private key (works for all formats)
Dim serverKey = New SshPrivateKey("server_key.ppk", "key_password")
' save a private key (in the specified format)
serverKey.Save("server_key.pri", "key_password", SshPrivateKeyFormat.OpenSsh)
' use the key as server private key
server.Keys.Add(serverKey)
PKCS #8 keys
RFC 5208 (PKCS #8) defines a private key format informally known as PKCS #8 key format.
It supports several encryption algorithms (3DES is used by default). To save keys using this format, specify SshPrivateKeyFormat.Pkcs8 when calling SshPrivateKey.Save.
Sample of encrypted private key in Base64-encoded PKCS #8 format:
-----BEGIN ENCRYPTED PRIVATE KEY----- MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5yNCu9T5SnsCAggA MBQGCCqGSIb3DQMHBAhJISTgOAxtYwSCAWDXK/a1lxHIbRZHud1tfRMR4ROqkmr4 kVGAnfqTyGptZUt3ZtBgrYlFAaZ1z0wxnhmhn3KIbqebI4w0cIL/3tmQ6eBD1Ad1 nSEjUxZCuzTkimXQ88wZLzIS9KHc8GhINiUu5rKWbyvWA13Ykc0w65Ot5MSw3cQc w1LEDJjTculyDcRQgiRfKH5376qTzukileeTrNebNq+wbhY1kEPAHojercB7d10E +QcbjJX1Tb1Zangom1qH9t/pepmV0Hn4EMzDs6DS2SWTffTddTY4dQzvksmLkP+J i8hkFIZwUkWpT9/k7MeklgtTiy0lR/Jj9CxAIQVxP8alLWbIqwCNRApleSmqtitt Z+NdsuNeTm3iUaPGYSw237tjLyVE6pr0EJqLv7VUClvJvBnH2qhQEtWYB9gvE1dS BioGu40pXVfjiLqhEKVVVEoHpI32oMkojhCGJs8Oow4bAxkzQFCtuWB1 -----END ENCRYPTED PRIVATE KEY-----
Sample of unencrypted private key in Base64-encoded PKCS #8 format:
-----BEGIN PRIVATE KEY----- MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA0SC5BIYpanOv6wSm dHVVMRa+6iw/0aJpT9/LKcZ0XYQ43P9Vwn8c46MDvFJ+Uy41FwbxT+QpXBoLlp8D sJY/dQIDAQABAkAesoL2GwtxSNIF2YTli2OZ9RDJJv2nNAPpaZxU4YCrST1AXGPB tFm0LjYDDlGJ448syKRpdypAyCR2LidwrVRxAiEA+YU5Zv7bOwODCsmtQtIfBfhu 6SMBGMDijK7OYfTtjQsCIQDWjvly6b6doVMdNjqqTsnA8J1ShjSb8bFXkMels941 fwIhAL4Rr7I3PMRtXmrfSa325U7k+Yd59KHofCpyFiAkNLgVAiB8JdR+wnOSQAOY loVRgC9LXa6aTp9oUGxeD58F6VK9PwIhAIDhSxkrIatXw+dxelt8DY0bEdDbYzky r9nicR5wDy2W -----END PRIVATE KEY-----
PuTTY .ppk keys
This key format is used by PuTTY SSH client and utilities and by many PuTTY-derived third-party applications
such as WinSCP or FileZilla Client. To save keys using this format, specify SshPrivateKeyFormat.Putty (for PPK v2) or SshPrivateKeyFormat.PPK3.
Sample of private key in PPKv2 format:
PuTTY-User-Key-File-2: ssh-rsa Encryption: aes256-cbc Comment: ssh-rsa-key-20130321 Public-Lines: 4 AAAAB3NzaC1yc2EAAAADAQABAAAAgQCdcXVZbOo81pToHiqMQgeosK80OXd8uxmC 514Mbp3VHL7eUshv9DlZ/Kc6vCpbkPLnkezLzy4QF9wQCiCem3+KFNbvgQ32R1vd ztguAIqrzzpoFjq2CPlyy7EuwmbI6k0xvcfAeU29MgnPk9/mkFFhW5084+9dwhz1 7BluYdJIEQ== Private-Lines: 8 FyXPkB7XlUE2y9WP7wGqmSwMo5RUdoqRbJGkHzMrpMlOOw5KA8QaxiOGixcDYuH4 8gTO4d8grFHcbRgZ7aJUycTdQxrPm8cey1EPUqLP9u3aCZYAqIMhUs5hsq7ujsq9 sK+jfTfY5N4ukYP2DumBreRPgKAE4W+gh/j//pnlJGJDEn32SOaRkiLoy1DB3VZ8 Nv8BPEAKV5ILKwef66KkN9FXPmEz3XQljEDcLNmzUTYypBQZqlYKze6V2cbZRZgi 7IYFV6ZGX8PMFnpSzwzoYfWXp9KQk1kmSqZNqBZ8IRt0KSSBAu5arKuZAI/MFQPU dwXyuZGt+4sP7pkE/1FuaMb8RENEyNcw/9mPKaJEcZuhtSqcwwZrXAULvca6BpdT hQwLIkovPa19ZA+miqfZvjo6UUnQyEfMe4biCesl11c/PWGf4BcgbVogQ+oXu7Gh iF1IoAoF/wqj0fiWX152wg== Private-MAC: bf45cca7382e573717004e328c08a9ac49f3ecf2
OpenSSH/OpenSSL (SSLeay) keys
SSLeay key format is used by OpenSSH and OpenSSL suites for storing
encrypted RSA and DSA keys.
To save keys using this format, specify SshPrivateKeyFormat.OpenSsh when calling SshPrivateKey.Save.
A sample of a private key in OpenSSH format:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,393C44619C5B62FB g7l6jpFKUWqiU+7wvS+CRCpYygAchVIJTHmR9mTQwxQD6XUMMBfmLO+K6EgBGOt6 HxqTxQsAIAYtHQD370qQVC9aKF4Du2TkMiAlAiET6lyw7yEZeipkY46lJm74SvFJ xo3dLERKJBcDfNDoBJK/zjJN9I2zfUT2DgPodJwzWCfnk4g+/wWD6wNOSGM57XjR POQi4kJWI8zxX6v2REhybrfWwFxFaTpxMausotKa9R0hC+169DXGjnfXMPg6va6d MUVPHKhoNzUInRWA1FPF+Vt9z5X2jQMGf4AJN7W65QE7Q0Boao+aOERKDVTzP1Ff tRL6X0+BgXMjetqKGP0tJydiAVuP6vXEy1n8YrehUJSqNHJXT23o6kry/s7tMqzo ke96suSNyQKmPPjFq4MKe+v+/9mQzA4UUcVWgCi2dqZxPhNsAzBXTyIrnFcPykOY QPmdLMjpxeavbj8F5qZ8pREqDw+WpL8onI64udLFL3kjN5tCC9l3wHKDUJd6Q9y9 5gTKBnVcCRNvlKuLXbb7O5Z1hYKhpdqVJv8pLAhg2/BtTthseV8MjMnLEnbW6nSP SPLlev76vk/QK6PIR9hQrJGrzXJDvcYEpXJ2YBcgvEIbKR/eFAsPeM4Gin00M6Rj cDSO6p2ymxpiZ4AdDvgjkTkAx7ZXkxwrr7rRTOgyZZvuY/CpJbW4gs9a+zej5U77 RtWIHj+XZWvTQDPX5VcqDtE/C/bcsM9OQB019rkEcgDjKDtu9uWfDscSCxzMwfCi xHrpJwudVCF3M6WAvfuB0SLc6UCBALHbln2SksaC+7teUwJP9XD8hg== -----END RSA PRIVATE KEY-----
New OpenSSH keys
New OpenSSH format is used by OpenSSH for storing encrypted or unencrypted ECDSA and Ed25519 keys,
although it supports other key algorithms as well.
To save keys using this format, specify SshPrivateKeyFormat.NewOpenSsh when calling SshPrivateKey.Save.
A sample of a private key in the new OpenSSH format:
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABAxBix87d JvVrEotmWsbAZwAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPKKmhHgVw5SM8IH uo2XalsMHXvDwBxA7vL+TG/CACK9AAAAkNWU8rq/ToxIgS2BXVJNJI8SI8qHehGmUGEmMI A+w+bpKwhfWj/Z24DHXrtdPpeTbUT7KHODlBu+StJpN1vtW5kNSuMpE9fL+0GEIasIDsEY 9xD1sLtGAy0pMR6yzB3EW2OEZE8NoTCKJ0Xq18km8Uo1KG8naT2DeSEDzuHSP6NQWkJx5k BmP6jMW98HAsSIQA== -----END OPENSSH PRIVATE KEY-----
Public keys
Each SshPrivateKey object contains a corresponding public key as well.
It can be saved using the PrivateKey.SavePublicKey method in one of the following formats:
SshPublicKeyFormat.Ssh2Raw- raw (binary) SSH2 public key format.SshPublicKeyFormat.Ssh2Base64- base64-encoded SSH2 public key format.
A sample of a public key in SSH2 base64-encoded format:
---- BEGIN SSH2 PUBLIC KEY ---- Comment: "Saved by Rebex SSH" AAAAB3NzaC1yc2EAAAADAQABAAAAgQCOL8eACGWoXm6kSDWiN5mfasdXyaNzMSzi OZUbybHSPhMMrqYvtaCn2wI5GQUE6XIV4wwRPbV6OtyGcXyU/gJ6I62ugWU2s6yW 2UsiolDkKHnildC98Hli94xfSVQgavVy4/ECCdHJIn4+qTjLkkMzkvr67BjpVwbU TjjQHipRkQ== ---- END SSH2 PUBLIC KEY ----
SSH key generation
Pairs of private and public key can be generated easily using the SshPrivateKey class:
// generate a 1024bit RSA key pair var privateKey = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 1024); // save the private key in Base64-encoded PKCS #8 format privateKey.Save(@"C:\MyData\key_rsa.pem", "key_password", SshPrivateKeyFormat.Pkcs8); // save the public key in Base64-encoded 'SSH2 PUBLIC KEY' format privateKey.SavePublicKey(@"C:\MyData\key_rsa.pub", SshPublicKeyFormat.Ssh2Base64);
' generate a 1024bit RSA key pair
Dim privateKey = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 1024)
' save the private key in Base64-encoded PKCS #8 format
privateKey.Save("C:\MyData\key_rsa.pem", "key_password", SshPrivateKeyFormat.Pkcs8)
' save the public key in Base64-encoded 'SSH2 PUBLIC KEY' format
privateKey.SavePublicKey("C:\MyData\key_rsa.pub", SshPublicKeyFormat.Ssh2Base64)
Conversion between formats
SshPrivateKey object can be used to convert one private key format to another:
// load a private key in any format (PKCS #8 or OpenSSH, for example) var privateKey = new SshPrivateKey(@"C:\MyData\key_pkcs8.pem", "key_password"); // save the private key in PuTTY .ppk format privateKey.Save(@"C:\MyData\my_key.ppk", "key_password", SshPrivateKeyFormat.Putty);
' load a private key in any format (PKCS #8 or OpenSSH, for example)
Dim privateKey = New SshPrivateKey("C:\MyData\key_pkcs8.pem", "key_password")
' save the private key in PuTTY .ppk format
privateKey.Save("C:\MyData\my_key.ppk", "key_password", SshPrivateKeyFormat.Putty)
Certificate-based private keys
X.509 certificates can be used with SSH as well. Unfortunately, most third-party SSH clients and servers don't support RFC 6187 which specifies the relevant algorithms.
// load an X.509 certificate from a PFX file var cert = Rebex.Security.Certificates.Certificate.LoadPfx(certPath, password); // create an SshPrivateKey from the certificate SshPrivateKey privateKey = new SshPrivateKey(cert);
' load an X.509 certificate from a PFX file Dim cert = Rebex.Security.Certificates.Certificate.LoadPfx(certPath, password) ' create an SshPrivateKey from the certificate Dim privateKey As New SshPrivateKey(cert)
AsymmetricAlgorithm-based private keys
If you can only access your private key using .NET's RSACryptoServiceProvider, RSACng
DSACryptoServiceProvider or ECDsa objects,
you can pass these to SshPrivateKey constructor to make them usable for authentication:
// create and initialize a .NET CSP object var rsa = new RSACryptoServiceProvider(); rsa.ImportParameters(parameters); // create a private key from the CSP object var privateKey = new SshPrivateKey(rsa);
' create and initialize a .NET CSP object Dim rsa As New RSACryptoServiceProvider() rsa.ImportParameters(parameters) ' create a private key rom the CSP object Dim privateKey As New SshPrivateKey(rsa)
This technique is useful for accessing and utilizing non-exportable private keys stored in Windows private key stores or on SmartCards.
Using keys on smart cards
Keys on SmartCards are usually accessible using .NET's RSACryptoServiceProvider, RSACng
DSACryptoServiceProvider or ECDsa objects.
To utilize them for SSH authentication, use the approach described in the previous section.
Back to feature list...