SFTP and FTPS
- From: Leroy Tennison <leroy_tennison@xxxxxxxxxxx>
- Date: Fri, 29 Dec 2006 00:45:53 -0600
I'm seeing some statements which are causing me to ask "What is the architecture and method of encryption used by SSH/SFTP?" http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html points out that sftp and ftps are very different and refers to http://www.enterprisedt.com/products/edtftpjssl/faq-answers.html#2 for more details. The latter site states
'SFTP uses keys rather than certificates. This means that it can't take advantage of the "chains of trust" paradigm facilitated through Certificate Authorities. This paradigm makes it possible for two entities to establish a trust relationship without directly exchanging security information, which is important for some applications. FTPS uses certificates and therefore can take advantage of this paradigm. SFTP clients must install keys on the server.'
They obviously have a bias in favor of ftps. I'm not concerned with trying to decide whether one is superior to the other; what I'm trying to understand is the technology.
If sftp uses keys instead of certificates, what kind of keys are used and why can't they take advantage of chains of trust? If this statement isn't true please explain what's wrong with it.
The other question concerns "SFTP clients must install keys on the server". (Again, if this is true.) What are they talking about? I've done some reading in the SSH RFCs and, as best as I can tell, the client is the one accepting and verifying the server key (I'm not so sure I have a firm grasp on all that the RFCs are saying). If this is true, why are clients installing keys on the server?
Final question: Is there a document which has a high level explanation of what happens in ssh communication? Something like:
client does this
server does that
client next does this
server next does that
Thanks for any replies or information.
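As an added illustration (not from the original post, nor from either of the sites it cites), the Python script below shows the key-based trust model that the quoted FAQ contrasts with certificates. An OpenSSH client stores the server's raw public-key blob in `known_hosts` and compares it byte-for-byte on every later connection; no certificate authority is involved, so on first contact the only check available is the fingerprint, confirmed out of band. The same `<keytype> <base64 blob>` entry format is what a server keeps in `authorized_keys` for user public keys, which is the file the "install keys on the server" remark refers to. The `ssh-rsa` blob layout and the `SHA256:` fingerprint form follow OpenSSH; the hostnames, the `known_hosts` contents and the integers used as moduli are constructed for the example and are not real RSA keys.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format 'string' (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (RFC 4251 style)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero keeps the value positive in two's complement
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build the 'ssh-rsa' public-key blob: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_entry(line: str):
    """Parse '<keytype> <base64-blob> [comment]' as used in .pub and authorized_keys files.
    Returns (keytype, blob); rejects a blob whose embedded type string does not match."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed key entry")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type field does not match blob contents")
    return keytype, blob


def load_known_hosts(text: str) -> dict:
    """Parse known_hosts lines '<host> <keytype> <base64-blob>' into {(host, keytype): blob}."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        _, blob = parse_key_entry(f"{keytype} {b64}")
        known[(host, keytype)] = blob
    return known


def check_host_key(known: dict, host: str, keytype: str, presented: bytes) -> str:
    """What an SSH client decides when a server presents its host key:
    'unknown'  - no entry yet: first contact, the user must verify the fingerprint out of band
    'trusted'  - entry present and identical to the presented key
    'mismatch' - entry present but different: a key rotation or an interception attempt"""
    stored = known.get((host, keytype))
    if stored is None:
        return "unknown"
    return "trusted" if stored == presented else "mismatch"


# --- constructed demo data (hypothetical hosts; the moduli are arbitrary 2048-bit integers,
# --- not real RSA keys, which is enough to exercise encoding, fingerprinting and comparison)
E = 65537
DEMO_N = int.from_bytes(hashlib.sha256(b"demo-host-key").digest() * 8, "big") | (1 << 2047)
OTHER_N = int.from_bytes(hashlib.sha256(b"some-other-key").digest() * 8, "big") | (1 << 2047)

DEMO_BLOB = rsa_public_blob(E, DEMO_N)
OTHER_BLOB = rsa_public_blob(E, OTHER_N)

# Constructed known_hosts contents holding the demo server's key.
KNOWN_HOSTS_TEXT = (
    "# constructed known_hosts for the example\n"
    "files.example.com ssh-rsa " + base64.b64encode(DEMO_BLOB).decode() + "\n"
)
KNOWN = load_known_hosts(KNOWN_HOSTS_TEXT)

if __name__ == "__main__":
    print("server key fingerprint:", fingerprint(DEMO_BLOB))
    print("same key again        :", check_host_key(KNOWN, "files.example.com", "ssh-rsa", DEMO_BLOB))
    print("different key         :", check_host_key(KNOWN, "files.example.com", "ssh-rsa", OTHER_BLOB))
    print("host never seen       :", check_host_key(KNOWN, "new.example.com", "ssh-rsa", DEMO_BLOB))
```

The three outcomes of `check_host_key` are the whole of the client-side trust decision: there is no issuer to consult, so "trusted" means only "the same key as last time", and "mismatch" is the case a client should refuse rather than silently accept. The comparison is on the raw blob rather than the fingerprint, since the fingerprint exists for humans to read aloud, not as the stored credential.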