I'm seeing some statements which are causing me to ask "What is the architecture and method of encryption used by SSH/SFTP?" http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html points out that sftp and ftps are very different and refers to http://www.enterprisedt.com/products/edtftpjssl/faq-answers.html#2 for more details. The latter site states

'SFTP uses keys rather than certificates. This means that it can't take advantage of the "chains of trust" paradigm facilitated through Certificate Authorities. This paradigm makes it possible for two entities to establish a trust relationship without directly exchanging security information, which is important for some applications. FTPS uses certificates and therefore can take advantage of this paradigm. SFTP clients must install keys on the server.'

They obviously have a bias in favor of ftps. I'm not concerned with trying to decide whether one is superior to the other; what I'm trying to understand is the technology.

If sftp uses keys instead of certificates, what kind of keys are used and why can't they take advantage of chains of trust? If this statement isn't true please explain what's wrong with it.

The other question concerns "SFTP clients must install keys on the server". (Again, if this is true.) What are they talking about? I've done some reading in the SSH RFCs and, as best I can tell, the client is the one accepting and verifying the server key (I'm not so sure I have a firm grasp on all that the RFCs are saying). If this is true, why are clients installing keys on the server?

Final question: Is there a document which has a high level explanation of what happens in ssh communication? Something like:

client does this
server does that
client next does this
server next does that

Thanks for any replies or information.
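The client-does-this / server-does-that flow asked for above, as an added example that is not from the original post or from any SSH implementation: a Go simulation of the SSH trust model in which the client checks the server's long-lived host key against its own known_hosts (a remembered key, not a CA chain) and the server checks the user's key against authorized_keys. The ed25519/X25519 choices, the exchange hash and the message layout are simplified stand-ins for illustration, not the real SSH wire format.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Server: a long-lived host key (what the client verifies) plus authorized_keys, the user public
// keys it accepts; adding one there is what "clients install keys on the server" refers to.
// Client: known_hosts (host name -> host key seen before) plus its own user key pair.
type Server struct {
	HostPub        ed25519.PublicKey
	HostPriv       ed25519.PrivateKey
	AuthorizedKeys map[string]ed25519.PublicKey // user name -> installed public key
}
type Client struct {
	KnownHosts map[string]ed25519.PublicKey
	UserPub    ed25519.PublicKey
	UserPriv   ed25519.PrivateKey
}
func NewServer() *Server { p, k, _ := ed25519.GenerateKey(rand.Reader); return &Server{p, k, map[string]ed25519.PublicKey{}} }
func NewClient() *Client { p, k, _ := ed25519.GenerateKey(rand.Reader); return &Client{map[string]ed25519.PublicKey{}, p, k} }

// Session: key exchange with host key verification (client checks the server), then public key
// user authentication (server checks the client). Returns the exchange hash H on success.
func Session(c *Client, s *Server, host, user string) ([]byte, error) {
	// 1. Each side makes an ephemeral X25519 key; the public halves are exchanged in the clear.
	cEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	// H: simplified exchange hash over the ephemeral public keys, the host key and the shared secret.
	hashH := func(secret []byte) []byte { x := sha256.Sum256(bytes.Join([][]byte{cEph.PublicKey().Bytes(), sEph.PublicKey().Bytes(), s.HostPub, secret}, nil)); return x[:] }
	// 2. Server derives the shared secret and signs H with its host key; signature and host key are sent.
	sSecret, _ := sEph.ECDH(cEph.PublicKey())
	hostSig := ed25519.Sign(s.HostPriv, hashH(sSecret))
	// 3. Client: the host key must match known_hosts (a remembered key, not a CA chain) and sign its own H.
	cSecret, _ := cEph.ECDH(sEph.PublicKey())
	h := hashH(cSecret)
	if known, ok := c.KnownHosts[host]; !ok || !known.Equal(s.HostPub) || !ed25519.Verify(s.HostPub, h, hostSig) {
		return nil, errors.New("host key unknown, changed or unsigned: verify its fingerprint out of band")
	}
	// 4. Client signs user name + H with its user key; 5. server accepts only a key installed in
	// authorized_keys for that user name, so the user's private key never leaves the client.
	userSig := ed25519.Sign(c.UserPriv, append([]byte(user), h...))
	if pub, ok := s.AuthorizedKeys[user]; !ok || !ed25519.Verify(pub, append([]byte(user), h...), userSig) {
		return nil, errors.New("user authentication failed: key not in authorized_keys")
	}
	return h, nil // real SSH derives the session encryption keys from the shared secret and H
}
```

A first connection fails here until the host key has been added to known_hosts, which is the out-of-band fingerprint check that replaces a certificate chain; a changed host key is refused the same way.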
