PhilippC / keepass2android

Password manager app for Android
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
GNU General Public License v3.0

Using sftp with public key #69

Closed enboig closed 5 years ago

enboig commented 6 years ago

Is there a way to use sftp without password and using public key?

fphammerle commented 6 years ago

Until public key auth is implemented: Does keepass2android currently check whether the SFTP server's host key changed? If not, passwords might be sent to the wrong host.

enboig commented 6 years ago

If passwords end in wrong server, it shouldn't be a problem as long as they are encrypted. Am I wrong?

crazycaveman commented 6 years ago

@enboig Yes. Not only could your database wind up on a server owned by an attacker, they'll also have the password you use to log in to your personal server. This will enable them to log in and have access to all your files, if they want. SSH host keys ensure the server you're connecting to is the correct one and there's not a man-in-the-middle; to ignore the SSH host keys is a huge oversight, even if the file being transferred is encrypted.
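The host-key check described in the comment above is what a client's known_hosts handling does: before sending any credential, compare the key the server presents against the key pinned for that hostname, and refuse (or at least warn and show the fingerprint) when it differs or is unknown. The following is an added example, not keepass2android's code; it uses only the Python standard library, and the hostname and the 32-byte ed25519 keys are constructed sample values.

```python
"""Host-key pinning check in the style of OpenSSH's known_hosts.

Added example, not code from keepass2android. Standard library only; the
hostnames and key bytes below are constructed for the demonstration.
"""
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Build the wire-format public-key blob an ssh-ed25519 server presents."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Parse 'ssh-ed25519 AAAA... comment' as found in authorized_keys.

    Returns (key_type, blob). Rejects lines whose declared key type does not
    match the type string embedded at the start of the blob.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len].decode("ascii")
    if embedded != key_type:
        raise ValueError(f"declared type {key_type} != embedded {embedded}")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(host: str, known_hosts: str, presented_blob: bytes) -> str:
    """Return 'match', 'changed' or 'unknown' for the key a server presented.

    Only 'match' should let the client proceed and send credentials; 'changed'
    is the man-in-the-middle (or re-keyed server) case and 'unknown' is the
    first-contact case where the user must verify the fingerprint out of band.
    """
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        h, key_type, b64 = line.split()[:3]
        if h != host:
            continue
        _, pinned_blob = parse_pubkey_line(f"{key_type} {b64}")
        return "match" if pinned_blob == presented_blob else "changed"
    return "unknown"


# Constructed sample data: the pinned server key and an impostor's key.
SERVER_RAW_KEY = bytes(range(32))          # made-up 32-byte ed25519 public key
SERVER_BLOB = make_ed25519_blob(SERVER_RAW_KEY)
KNOWN_HOSTS = (
    "# host  type  base64-blob\n"
    f"sftp.example.invalid ssh-ed25519 {base64.b64encode(SERVER_BLOB).decode()}\n"
)
IMPOSTOR_BLOB = make_ed25519_blob(bytes(32))  # a different key under the same name

if __name__ == "__main__":
    print("pinned fingerprint:", fingerprint(SERVER_BLOB))
    print(check_host_key("sftp.example.invalid", KNOWN_HOSTS, SERVER_BLOB))    # match
    print(check_host_key("sftp.example.invalid", KNOWN_HOSTS, IMPOSTOR_BLOB))  # changed
    print(check_host_key("other.example.invalid", KNOWN_HOSTS, SERVER_BLOB))   # unknown
```

The fingerprint string is what a user would compare against the value printed by `ssh-keygen -lf` on the server when a host is seen for the first time; the same `parse_pubkey_line` check also catches a public-key line that was mangled while being pasted into `authorized_keys`.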

PhilippC commented 5 years ago

I am planning the implementation of this feature. However, I am not sure what the workflow should look like. Suggestion:

Do you know other Android apps implementing something like this? What's their workflow?

soerface commented 5 years ago

Mercury-SSH does not allow importing private keys - instead, it just generates one, and only allows EXPORTING of the public key. I guess this has the following advantages:

Mercury-SSH can either export the public key to a file, or it can act like ssh-copy-id, using password authentication to append the key to the server's ~/.ssh/authorized_keys.

I can also think of a "share" button, using an intention to allow the user to send it via its favourite app (mail client, messenger...)

You can take a look at Mercury-SSH source here: https://github.com/Skarafaz/mercury

Thank you very much for the efforts!

enboig commented 5 years ago

Don't forget some way to type/check SSH host key ;-)

usuallymatt commented 5 years ago

Hi there, not sure if this is the right place but I also wanted to add my request for this feature. Adding the key at the login stage from the SD card would be preferred.

PhilippC commented 5 years ago

@usuallymatt please switch to beta (https://play.google.com/apps/testing/keepass2android.keepass2android) to get this feature.

usuallymatt commented 5 years ago

Got it! Trying to figure it out. I use a private key for my SFTP server. This new screen looks like it's trying to save a public key.

PhilippC commented 5 years ago

KP2A tries to avoid requiring you to transfer your private key to your device. Instead, it creates a key pair and exports the public key. Please add this key to your server config!

mpw96 commented 5 years ago

@PhilippC I just joined the beta program and installed the pre version (I have the dropdown for selection of the authentication mode). Now I'm trying to find the keypair that KP2A has created on my android device (OnePlus 5T, LineageOS 16). When does KP2A create the keypair? Where is it stored?

Aaaahhhh, now I got it, I don't need to know that. With this "export public key button" I can export the public key to e.g. Whatsapp (there I have a group where the only member is me...), access that with WhatsApp Web. Now I have it on my Laptop and can transfer it to the machine in the cloud. Awesome. It works perfectly!

T&R MP

Saltani commented 5 years ago

@PhilippC Thanks Philipp, for the update and the many new features. I have just configured an sftp-server with chroot jail and no password authentication to store the *.kdbx database. I did so to increase security so I really appreciate the new ssh-keypair feature. It works very well too. I emailed the public key from Keepass2Android to myself and pasted the key into ~/.ssh/authorized_keys on the server and it works nicely. If anyone wants to know how to configure an sftp-server with chroot jail on a Linux box, this is the guide I followed.

soerface commented 5 years ago

Just noticed the update and it works great, thank you very much, PhilippC!