Private keys
Loading and saving SSH keys
When an SFTP/SSH connection is established, the server identity is verified by checking the server's public key. Optionally, the client can even use a public/private key pair to log into the server (public/private key authentication).
In Rebex SFTP, public keys are represented by the SshPublicKey object and private keys by the SshPrivateKey object. SshPrivateKey supports several private key formats: PKCS #8, OpenSSH/OpenSSL and PuTTY .ppk.
In addition to loading and saving, the SshPrivateKey object can generate private/public key pairs.
    // loading a private key (works for all formats)
    var privateKey = new SshPrivateKey("my_key.ppk", "key_password");

    // saving a private key (in the specified format)
    privateKey.Save("my_key.pri", "key_password", SshPrivateKeyFormat.OpenSsh);

    // authenticating with a private key
    sftp.Login(username, privateKey);

    ' loading a private key (works for all formats)
    Dim privateKey As New SshPrivateKey("my_key.ppk", "key_password")

    ' saving a private key (in the specified format)
    privateKey.Save("my_key.pri", "key_password", SshPrivateKeyFormat.OpenSsh)

    ' authenticating with a private key
    sftp.Login(username, privateKey)
PKCS #8 keys
RFC 5208 (PKCS #8) defines a private key format informally known as PKCS #8 key format.
It supports several encryption algorithms (3DES is used by default). To save keys using this format, specify SshPrivateKeyFormat.Pkcs8 when calling SshPrivateKey.Save.
Sample of encrypted private key in Base64-encoded PKCS #8 format:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    ...
    -----END ENCRYPTED PRIVATE KEY-----
Sample of unencrypted private key in Base64-encoded PKCS #8 format:
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
PuTTY .ppk keys
This key format is used by the PuTTY SSH client and utilities and by many PuTTY-derived third-party applications such as WinSCP or FileZilla Client. To save keys using this format, specify SshPrivateKeyFormat.Putty (for PPK v2) or SshPrivateKeyFormat.PPK3.
Sample of private key in PPKv2 format:
    PuTTY-User-Key-File-2: ssh-rsa
    Encryption: aes256-cbc
    Comment: ssh-rsa-key-20130321
    Public-Lines: 4
    ...
    Private-Lines: 8
    ...
    Private-MAC: bf45cca7382e573717004e328c08a9ac49f3ecf2
OpenSSH/OpenSSL (SSLeay) keys
The SSLeay key format is used by the OpenSSH and OpenSSL suites for storing encrypted RSA and DSA keys.
To save keys using this format, specify SshPrivateKeyFormat.OpenSsh when calling SshPrivateKey.Save.
A sample of a private key in OpenSSH format:
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,393C44619C5B62FB

    ...
    -----END RSA PRIVATE KEY-----
New OpenSSH keys
The new OpenSSH format is used by OpenSSH for storing encrypted or unencrypted ECDSA and Ed25519 keys, although it supports other key algorithms as well.
To save keys using this format, specify SshPrivateKeyFormat.NewOpenSsh when calling SshPrivateKey.Save.
A sample of a private key in the new OpenSSH format:
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----
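Each of the four private key formats above shows in its header whether the key is password-protected, so key files can be audited for unencrypted keys without knowing any password. The following is an added example, not Rebex code: it uses only the .NET base class library, and the names KeyFileAudit, Classify and OpenSshCipher are hypothetical.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;

static class KeyFileAudit
{
    // Classifies private key file text by its headers alone; no password is needed.
    public static (string Format, bool Encrypted) Classify(string text)
    {
        var ppk = Regex.Match(text, @"^PuTTY-User-Key-File-(\d+):", RegexOptions.Multiline);
        if (ppk.Success)
        {
            var enc = Regex.Match(text, @"^Encryption:[ \t]*(\S+)", RegexOptions.Multiline);
            if (!enc.Success) throw new FormatException("PPK file has no Encryption header.");
            return ("PuTTY PPK v" + ppk.Groups[1].Value, enc.Groups[1].Value != "none");
        }
        var pem = Regex.Match(text, @"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", RegexOptions.Singleline);
        if (!pem.Success) throw new FormatException("No private key block found.");
        string label = pem.Groups[1].Value, body = pem.Groups[2].Value;
        switch (label)
        {
            case "ENCRYPTED PRIVATE KEY": return ("PKCS #8", true);
            case "PRIVATE KEY": return ("PKCS #8", false);
            case "OPENSSH PRIVATE KEY": return ("New OpenSSH", OpenSshCipher(body) != "none");
            default: // e.g. "RSA PRIVATE KEY": encrypted only when Proc-Type says so
                return ("OpenSSH/OpenSSL (SSLeay)", body.Contains("Proc-Type: 4,ENCRYPTED"));
        }
    }
    // New OpenSSH body: "openssh-key-v1\0", then a uint32 length and the cipher name.
    static string OpenSshCipher(string base64Body)
    {
        byte[] b = Convert.FromBase64String(string.Concat(base64Body.Where(c => !char.IsWhiteSpace(c))));
        const int p = 15; // length of the magic string including its NUL
        if (b.Length < p + 4 || Encoding.ASCII.GetString(b, 0, p) != "openssh-key-v1\0") throw new FormatException("Missing openssh-key-v1 header.");
        int len = (b[p] << 24) | (b[p + 1] << 16) | (b[p + 2] << 8) | b[p + 3];
        if (len < 0 || len > b.Length - p - 4) throw new FormatException("Bad cipher name length.");
        return Encoding.ASCII.GetString(b, p + 4, len);
    }
    static void Main()
    {
        // Constructed samples: real headers, placeholder bodies (not usable keys).
        string ossh = Convert.ToBase64String(Encoding.ASCII.GetBytes("openssh-key-v1\0\0\0\0\u0004none"));
        Console.WriteLine(Classify("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----"));
        Console.WriteLine(Classify("PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\n"));
        Console.WriteLine(Classify("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"));
        Console.WriteLine(Classify($"-----BEGIN OPENSSH PRIVATE KEY-----\n{ossh}\n-----END OPENSSH PRIVATE KEY-----"));
    }
}
```

Only the PuTTY sample is reported as encrypted; the other three constructed samples are flagged as unprotected keys.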
Public keys
Each SshPrivateKey object contains a corresponding public key as well.
It can be saved using the SshPrivateKey.SavePublicKey method in one of the following formats:
SshPublicKeyFormat.Ssh2Raw - raw (binary) SSH2 public key format.
SshPublicKeyFormat.Ssh2Base64 - base64-encoded SSH2 public key format.
A sample of a public key in SSH2 base64-encoded format:
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "Saved by Rebex SSH"
    ...
    ---- END SSH2 PUBLIC KEY ----
SSH key generation
Pairs of private and public keys (to be used for public key authentication) can be generated easily using the SshPrivateKey class:

    // generate a 1024bit RSA key pair
    // (1024-bit RSA is below current minimum recommendations; 2048 bits or more is the usual choice for new keys)
    var privateKey = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 1024);

    // save the private key in Base64-encoded PKCS #8 format
    privateKey.Save(@"C:\MyData\key_rsa.pem", "key_password", SshPrivateKeyFormat.Pkcs8);

    // save the public key in Base64-encoded 'SSH2 PUBLIC KEY' format
    privateKey.SavePublicKey(@"C:\MyData\key_rsa.pub", SshPublicKeyFormat.Ssh2Base64);

    ' generate a 1024bit RSA key pair
    ' (1024-bit RSA is below current minimum recommendations; 2048 bits or more is the usual choice for new keys)
    Dim privateKey = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 1024)

    ' save the private key in Base64-encoded PKCS #8 format
    privateKey.Save("C:\MyData\key_rsa.pem", "key_password", SshPrivateKeyFormat.Pkcs8)

    ' save the public key in Base64-encoded 'SSH2 PUBLIC KEY' format
    privateKey.SavePublicKey("C:\MyData\key_rsa.pub", SshPublicKeyFormat.Ssh2Base64)
To use the generated private key to authenticate the client to a server, you have to associate the corresponding public key with the user account at the server.
For OpenSSH servers, simply add the Base64-encoded public key as a single line of text to your account's ~/.ssh/authorized_keys file.
For other servers, consult the server manual or ask its administrator.
Getting a public key in a format suitable for OpenSSH server:

    // print the public key in OpenSSH format
    byte[] rawPublicKey = privateKey.GetPublicKey();

    // an authorized_keys entry is "<key type> <Base64 key> <comment>";
    // "ssh-rsa" is the key type of the RSA key generated above
    // modify "username@hostname" to match your server login and server's hostname
    Console.WriteLine("ssh-rsa {0} username@hostname", Convert.ToBase64String(rawPublicKey));

    ' print the public key in OpenSSH format
    Dim rawPublicKey As Byte() = privateKey.GetPublicKey()

    ' an authorized_keys entry is "<key type> <Base64 key> <comment>";
    ' "ssh-rsa" is the key type of the RSA key generated above
    ' modify "username@hostname" to match your server login and server's hostname
    Console.WriteLine("ssh-rsa {0} username@hostname", Convert.ToBase64String(rawPublicKey))

Sample public key suitable for OpenSSH server:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCZ2qq/5TqXsRJscZrBVh+XkaYU22hl17K9nv0uqE/7VNh+dcHVjY7L/NrQMpA6jHpd5rQS/wIRqL7p+sJUyvpwz2nLiQB9emwa0zhWDXOJiM9pETcu8wqDeNrB5b7upEP4VvG/TZtP1qKtvsWfGukv/apYq61T0xS4m5sbgBsFaw== username@hostname

This is the line to be added to the ~/.ssh/authorized_keys file.
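An OpenSSH authorized_keys entry has the form "key type, Base64 key, comment", and the key type is also the first length-prefixed string inside the raw SSH2 public key blob. The following added example (not Rebex code; the names AuthorizedKeys and ToLine are hypothetical) goes beyond the RSA case above by reading the key type from the blob, so it works for any key algorithm, and it rejects input that would corrupt the file.

```csharp
using System;
using System.Linq;
using System.Text;

static class AuthorizedKeys
{
    // Builds "<key type> <Base64 blob> <comment>" from a raw SSH2 public key blob,
    // such as the byte[] returned by privateKey.GetPublicKey() on this page.
    public static string ToLine(byte[] blob, string comment)
    {
        if (blob == null || blob.Length < 4) throw new FormatException("Key blob is too short.");

        // The blob begins with a big-endian uint32 length followed by the key type name.
        long len = ((long)blob[0] << 24) | ((long)blob[1] << 16) | ((long)blob[2] << 8) | blob[3];
        if (len == 0 || len > blob.Length - 4) throw new FormatException("Bad key type length.");

        // Key type names are printable ASCII without spaces, e.g. "ssh-rsa" or "ssh-ed25519".
        if (blob.Skip(4).Take((int)len).Any(b => b <= 0x20 || b > 0x7E))
            throw new FormatException("Bad key type name.");
        string keyType = Encoding.ASCII.GetString(blob, 4, (int)len);

        // A line break in the comment would start a second authorized_keys entry.
        if (comment == null || comment.Any(c => c == '\r' || c == '\n'))
            throw new ArgumentException("Comment must be a single line.", nameof(comment));

        return keyType + " " + Convert.ToBase64String(blob) + " " + comment;
    }

    static void Main()
    {
        // Constructed blob: key type string plus 32 zero bytes standing in for an Ed25519 key.
        byte[] type = Encoding.ASCII.GetBytes("ssh-ed25519");
        byte[] blob = new byte[] { 0, 0, 0, (byte)type.Length }
            .Concat(type).Concat(new byte[] { 0, 0, 0, 32 }).Concat(new byte[32]).ToArray();
        Console.WriteLine(ToLine(blob, "username@hostname"));
    }
}
```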
Conversion between formats
The SshPrivateKey object can be used to convert one private key format to another:

    // load a private key in any format (PKCS #8 or OpenSSH, for example)
    var privateKey = new SshPrivateKey(@"C:\MyData\key_pkcs8.pem", "key_password");

    // save the private key in PuTTY .ppk format
    privateKey.Save(@"C:\MyData\my_key.ppk", "key_password", SshPrivateKeyFormat.Putty);

    ' load a private key in any format (PKCS #8 or OpenSSH, for example)
    Dim privateKey = New SshPrivateKey("C:\MyData\key_pkcs8.pem", "key_password")

    ' save the private key in PuTTY .ppk format
    privateKey.Save("C:\MyData\my_key.ppk", "key_password", SshPrivateKeyFormat.Putty)
Certificate-based private keys
In addition to public key authentication, some SFTP servers (such as Rebex Buru SFTP Server, VanDyke VShell Server, Tectia SSH Server) support X.509 certificate authentication as well. See X.509 certificate authentication for more information.
AsymmetricAlgorithm-based private keys
If you can only access your private key using .NET's RSACryptoServiceProvider, RSACng, DSACryptoServiceProvider or ECDsa objects, you can pass these to the SshPrivateKey constructor to make them usable for user authentication:

    // create and initialize a .NET CSP object
    // ("parameters" is an RSAParameters value holding the key)
    var rsa = new RSACryptoServiceProvider();
    rsa.ImportParameters(parameters);

    // create a private key from the CSP object
    var privateKey = new SshPrivateKey(rsa);

    ' create and initialize a .NET CSP object
    ' ("parameters" is an RSAParameters value holding the key)
    Dim rsa As New RSACryptoServiceProvider()
    rsa.ImportParameters(parameters)

    ' create a private key from the CSP object
    Dim privateKey As New SshPrivateKey(rsa)
This technique is useful for accessing and utilizing non-exportable private keys stored in Windows private key stores or on SmartCards.
Using keys on smart cards
Keys on SmartCards are usually accessible using .NET's RSACryptoServiceProvider, RSACng, DSACryptoServiceProvider or ECDsa objects.
To utilize them for SSH authentication, use the approach described in the previous section.