Finding the host verification key for a remote SFTP server
When exporting data to a partner's SFTP server, you can use ssh-keyscan to find the host verification key if you cannot obtain it from the owner/provider of the SFTP service.
WARNING
Whenever possible, we recommend that you obtain the host verification key directly from the owner or provider of the SFTP service. As well as being the most secure approach, this also confirms that you have correctly configured the server's details, and are communicating with the intended party.
If you cannot obtain the host verification key directly, you can find it using the alternative technique described below. If you have to do this, it is essential that you double-check the hostname or IP address of the SFTP server. If you accidentally use the wrong hostname or IP address, you could send data to an unintended party - potentially including an attacker who has deliberately created a server with a confusingly similar name.
About host verification keys
In order to export your data from the Platform to a partner's SFTP server, you must provide a username, password and some form of host verification key:
- OpenSSH authorized_keys - "Authorized Keys"
- OpenSSH known_hosts - "Known Hosts"
- PEM - "Public Key PEM"
These keys allow InfoSum to confirm the identity of the target SFTP server as a security precaution.
How to find the host verification key
You can retrieve the OpenSSH known_hosts key from a remote SFTP server using `ssh-keyscan`.
Note: This technique only works if the SFTP server has not been restricted by an allowlist (whitelist) to the Bunker’s IP address as the specific entity that will be pushing data.
The full command might look something like this:
`ssh-keyscan ftp.example.com`
Where:
- ssh-keyscan = the command (an OpenSSH utility that retrieves a server's public host keys)
- ftp.example.com = name of the SFTP server (amend as necessary)
If the server is open to the connection, it will respond with a public key, which can then be entered in the OpenSSH known_hosts Host Verification Key section when pushing results to an SFTP server.
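The double-check recommended in the warning above can be scripted. The following is an added example, not InfoSum's own code: it parses `ssh-keyscan` output, rejects lines whose key blob does not match the declared key type, and keeps only lines for the intended hostname whose SHA256 fingerprint matches one confirmed by the service owner. It assumes the default port, unhashed output (no `-H`), and that the owner can confirm a fingerprint over a separate channel; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample: a syntactically valid ed25519 host key with dummy key bytes.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_SCAN = (
    "# ftp.example.com:22 SSH-2.0-OpenSSH_9.6\n"
    "ftp.example.com ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + "\n"
)


def parse_keyscan_line(line: str):
    """Split one known_hosts-style line into (host, key type, decoded key blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    host, keytype, b64 = fields[:3]
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key is not valid base64") from exc
    # The blob begins with its own algorithm name; it must match the declared type.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != keytype.encode():
        raise ValueError("declared key type does not match key blob")
    return host, keytype, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_lines(scan_output: str, expected_host: str, trusted_fp: str):
    """Return scanned lines for expected_host whose fingerprint equals trusted_fp."""
    kept = []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and banner comments
        host, _, blob = parse_keyscan_line(line)
        if host == expected_host and fingerprint(blob) == trusted_fp:
            kept.append(line.strip())
    return kept
```

Feed it the text printed by `ssh-keyscan` in place of the sample, and use only the returned lines as the Known Hosts value.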