Why do I always get prompted by SSH SFTP clients to trust the server key?

Grant -

An SSH/SFTP client will always ask you to trust the server's key the first time it connects to that server. This is a major difference between SSH and SSL.


Cerberus FTP Server uses a single SSL key pair (a private key and a public SSL certificate) for all SSL and SSH connections.


The server SSL certificate contains a reference to the issuer, the cryptographic public key of the owner of the certificate, the dates of validity of the certificate, and a special signature from a trusted third party (the issuing CA) to ensure the certificate hasn't been tampered with.  This information allows an SSL client (like a web browser using HTTPS, or an FTPS client) to verify that the certificate is valid and trusted.


An SSH public key is just a cryptographic key. It's a subset of the data contained in an SSL certificate: a very simple data structure, without any of the metadata and trust information present in an SSL certificate. An SSH client only receives the public key from the server, and has no way to know on its own whether it should trust that key. The SSH security model therefore requires trusting the key the first time the client connects; after that, the client remembers the key (in a known_hosts file) and warns if the server ever presents a different one.
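To make the trust-on-first-use model concrete, here is an added example (not code from Cerberus FTP Server or any SSH client) that parses an OpenSSH-format host key line, computes the SHA256 fingerprint an SSH client shows in its prompt, and applies the known_hosts decision: pin on first contact, accept on match, refuse on mismatch. The host name and key material are constructed for the example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(pub32: bytes) -> str:
    """Build a 'ssh-ed25519 <base64 blob>' line from 32 raw public-key bytes.
    Used here only to construct sample keys; real keys come from the server."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pub32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample host key (not a real server's key): a fixed byte pattern.
SAMPLE_HOST_KEY_LINE = make_ed25519_line(bytes(range(32)))


def parse_public_key_line(line: str):
    """Parse 'type base64blob [comment]' as found in known_hosts.
    Returns (key_type, raw_blob) after checking the declared type matches the blob."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints it (base64, no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(host: str, presented_line: str, known_hosts: dict) -> str:
    """Trust-on-first-use decision for one connection.
    'new'      -> first contact: verify the fingerprint out of band, then pin it
    'ok'       -> presented key matches the pinned fingerprint
    'mismatch' -> pinned key differs: refuse to connect and investigate"""
    _, blob = parse_public_key_line(presented_line)
    fp = fingerprint(blob)
    pinned = known_hosts.get(host)
    if pinned is None:
        known_hosts[host] = fp  # pin after the administrator confirms fp
        return "new"
    return "ok" if pinned == fp else "mismatch"
```

The "new" case is the prompt this article is about: the only way to answer it safely is to compare the displayed fingerprint with one obtained from the server administrator through a separate channel.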

