IBM Support

Secure File Transfer Protocol (SFTP) - Using Multiple Keys for Different Connections

Troubleshooting


Problem

This document describes how sftp can be configured to use additional key files.

Resolving The Problem

Some clients need to connect to several servers over SFTP. Rather than using one standard key pair for every connection, it may be necessary to use a separate key for each server, which results in multiple keys. To create and use multiple keys, follow the information below.

When running the ssh-keygen command, give each additional key (rsa or dsa) a different file name. To use the new key, administrators need to add a new IdentityFile entry to the ssh_config file. The path to the ssh_config object is as follows:

/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh_version/etc/ssh_config

where openssh_version should be replaced with the latest OpenSSH implementation running on the system. The OpenSSH implementations installed on each System i release are listed below:

V5R4 = openssh-3.5p1

V6R1 = openssh-3.8.1p1

V7R1 = openssh-4.7p1

V7R2 = openssh-5.8p1

Note the following default IdentityFile entries in this configuration:

IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa

For the additional key, this example uses the key name vendor_key instead of the default id_dsa or id_rsa. In the ssh_config file, a new IdentityFile entry is added, so the entries look like this:

IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/vendor_key

With this additional entry, the SFTP client tries each listed identity in turn until the server accepts one. As a client needs more keys for various vendors, the ssh_config file can be extended with an entry for each corresponding key name.

Note: There is an alternative to modifying the ssh_config file. Users can point an individual sftp connection at a specific private key. The option flag (-o) combined with the IdentityFile keyword can be used to point to a private key file located anywhere in the IFS. Here is an example of how sftp can point to a private key file named 'vendor_key' when connecting to a remote host:

sftp -oIdentityFile=/home/user1/.ssh/vendor_key user@host
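As an added example that is not part of this tech note, the following POSIX shell script ties the two approaches above together: it checks that a per-vendor private key is readable by its owner alone before handing it to sftp with -oIdentityFile, and it prints a Host block that can be pasted into ssh_config (or the per-user ~/.ssh/config) so that one alias is bound to one key. The host name vendor.example, the user user1 and the temporary key file are constructed placeholders. IdentitiesOnly is a later OpenSSH addition than the oldest releases listed above, so check man ssh_config on the target release before relying on it.

```shell
#!/bin/sh
# Added example, not from the IBM tech note: validate a per-vendor private key
# before sftp uses it, and generate an ssh_config Host block for that vendor.
# Host names, user names and the key file below are constructed placeholders.

# check_private_key FILE
# Succeeds only when FILE exists and is readable by its owner alone.
# OpenSSH refuses a group- or world-readable private key, so this reports the
# problem clearly before sftp does. Uses ls -ld rather than stat, whose
# options differ between platforms.
check_private_key() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "private key not found: $key" >&2
        return 1
    fi
    perm=$(ls -ld "$key" | cut -c1-10)      # e.g. -rw-------
    case "$perm" in
        -???------) return 0 ;;
        *) echo "private key $key is readable by group/other ($perm); use chmod 600" >&2
           return 1 ;;
    esac
}

# host_block ALIAS HOSTNAME USER KEYFILE
# Prints an ssh_config Host block that binds ALIAS to one key. IdentitiesOnly
# stops the client from also offering every other IdentityFile in the file,
# which matters when a server drops the session after a few rejected keys.
host_block() {
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}

# sftp_with_key KEYFILE USER@HOST
# Same as the -oIdentityFile form above, with the permission check run first.
# With DRY_RUN=1 the command is printed instead of executed.
sftp_with_key() {
    check_private_key "$1" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "sftp -oIdentityFile=$1 -oIdentitiesOnly=yes $2"
    else
        sftp -oIdentityFile="$1" -oIdentitiesOnly=yes "$2"
    fi
}

# Demonstration with a constructed key file (no real key material) in a temp dir.
demo_dir=$(mktemp -d)
printf 'placeholder, not a real key\n' > "$demo_dir/vendor_key"

chmod 644 "$demo_dir/vendor_key"     # too open: rejected
check_private_key "$demo_dir/vendor_key" && echo "accepted" || echo "rejected"

chmod 600 "$demo_dir/vendor_key"     # owner-only: accepted
check_private_key "$demo_dir/vendor_key" && echo "accepted" || echo "rejected"

DRY_RUN=1 sftp_with_key "$demo_dir/vendor_key" user1@vendor.example
host_block vendor vendor.example user1 "$demo_dir/vendor_key"
rm -rf "$demo_dir"
```

Once the Host block is in place, `sftp vendor` picks up the host name, user and key from the alias, so the -oIdentityFile option no longer has to be typed on every connection; the permission check is worth keeping in any wrapper script because a key that is copied into the IFS with loose permissions fails silently from the user's point of view until the client's own error is read.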

Refer to IBM i Tech Note '8N1012710', Configuring the System i SSH, SFTP, and SCP Clients to Use Public-Key Authentication, for more details on the configuration of SFTP:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710


Historical Number

576347158

Document Information

More support for:
IBM i

Software version:
Version Independent

Operating system(s):
IBM i

Document number:
686003

Modified date:
18 December 2019

UID

nas8N1011948
