pankajkoti commented on issue #31300: URL: https://github.com/apache/airflow/issues/31300#issuecomment-1549845312
> > Was the public key of the key pair uploaded on the SFTP server? > > Do you mean aside from adding the `"host_key"` value in the `Extras` field? No. I was under the impression from the Documentation that passing the public key in the `"host_key"` value served for verification. `host_key` is different form the private-public key pair that you generate. `host_key` is the one for the SFTP server that you want to connect to. Specifying `host_key` ensures that there are no Man In The Middle(MITM) Attacks. However, since you're specifying `no_host_key_check=True`, providing `host_key` is not required although it is susceptible to MITM attacks. Please find some theory below for public-private key pair authentication as I believe you're missing to add the public key on the SFTP server. SSH authentication using public-key cryptography involves a pair of cryptographic keys: a private key and a public key. Here's how it works: Key Generation: The user generates a key pair consisting of a private key and a corresponding public key. The private key is kept securely on the user's local machine, while the public key can be shared freely. Public Key Distribution: The user provides their public key to the SSH server administrator or places it in the authorized_keys file on the server. The server stores the user's public key for authentication purposes. Authentication Process: 1. Client Initiation: The client (user) initiates an SSH connection to the server. 2. Server Challenge: The server responds to the client's connection request by sending a challenge back to the client. 3. Key Exchange: The client signs the challenge using its private key and sends the signed challenge back to the server. 4. Server Verification: The server receives the signed challenge and uses the stored public key to verify the signature. If the signature is valid, the server authenticates the client. 5. Authentication Result: If the server successfully verifies the client's signature, the client is authenticated, and the SSH connection is established. The subsequent communication between the client and the server is encrypted using session keys derived from the authentication process. The security of this authentication method relies on the fact that the private key is kept secret and cannot be derived from the corresponding public key. The server trusts that if someone possesses the private key and can sign the challenge correctly, they must be the legitimate user who owns the private key. By using public-key authentication, SSH offers a more secure alternative to password-based authentication, as it eliminates the need to transmit and store passwords on the server. how to store public key? In an SFTP (SSH File Transfer Protocol) server, the public key needs to be stored in the user's authorized keys file. The authorized keys file is typically located in the user's home directory on the server. The specific location of the authorized keys file may vary depending on the SFTP server software and configuration. However, a common location is `~/.ssh/authorized_keys`. Here's an overview of the steps to store the public key on the SFTP server: 1. Generate the key pair: Generate the public-private key pair on the client machine using a tool like `ssh-keygen`. This will create the public key file (`id_rsa.pub`) and the private key file (`id_rsa`) by default. 2. Connect to the SFTP server: Connect to the SFTP server using your SFTP client (such as `sftp` command or a graphical SFTP client). 3. Create the `.ssh` directory (if it doesn't exist): In the SFTP client, navigate to your home directory on the server and create a `.ssh` directory if it doesn't already exist. Use the `mkdir .ssh` command. 4. Copy the public key to the server: Transfer the public key file (`id_rsa.pub`) from your local machine to the server using the SFTP client's `put` or similar command. Place it in the `.ssh` directory on the server. 5. Set permissions: On the server, ensure that the `.ssh` directory has the correct permissions. Use the command `chmod 700 ~/.ssh` to set the directory permissions to `700`. Also, make sure the authorized keys file has the correct permissions by running `chmod 600 ~/.ssh/authorized_keys`. 6. Append the public key to the authorized keys file: On the server, append the contents of the public key file (`id_rsa.pub`) to the authorized keys file (`~/.ssh/authorized_keys`). You can use the `cat` command to concatenate the files, like `cat id_rsa.pub >> ~/.ssh/authorized_keys`. 7. Save and exit: Save the changes to the authorized keys file and exit the SFTP client. By following these steps, you can store the public key in the authorized keys file on the SFTP server, allowing the server to authenticate the user using public-key authentication. And with this, when you specify your private_key in the Airflow connection, the connection should be successful. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
