HostKey for SFTP Transfer Family

0

Hello,

I am migrating an SFTP Server from a Public Endpoint to a VPC Endpoint, and I would like to preserve the same HostKey in production so customers do not have to re-accept it.

But I am struggling with the concepts:

When looking into the existing SFTP Server at Console > Additional details > Server host key

SHA256:Cv5TEDW8P3L+uqpAKtpzSWIfGcHwdrnaDyJd0wOGNx5= (example)

I believe this is a PUBLIC host key, and the same one that we accept as a client to the SFTP Server into the known_hosts file.

When Editing > Server host key, it asks for an RSA PRIVATE key. (I tried to set the previous host key example)

Where can I get this RSA private key from our currently running AWS SFTP server? (I tried to ssh but it does not allow it)

After creating a new AWS SFTP server, would I be able to set up the host key with this command?

aws transfer update-server --server-id "your-server-id" --host-key file://my-host-key

my-host-key is the RSA Private Key?

Thanks.

  • By reading the documentation it seems the Private Key is only for moving On-Premises SFTP servers into AWS. I would like to use a similar concept for an existing AWS SFTP Server. But it seems I only have access to the Public Host Key.

asked 2 years ago · 1723 views
1 Answer
0
Accepted Answer

Hello dotmindlabs,

At this time, there isn't a way to fetch the Private-Key of the HostKey associated with the server, irrespective of whether it was a service-generated HostKey or a customer-generated HostKey. For multiple servers to use the same Private-Key, you would have to generate your own HostKey and use the same one in your server configurations.

To your concern, SHA256:Cv5TEDW8P3L+uqpAKtpzSWIfGcHwdrnaDyJd0wOGNx5= is a SHA256 fingerprint and cannot be used as a Private-Key. A Private-Key supported by AWS Transfer Family servers as a HostKey should be of the following format:

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAjhbPcClrabcdefghiabcdefghiabcdeHEAYGmwJtF8+EkQJp
...
...
...
...
dFQqcvEF5tombtabcdefghiabcdefghiabcdeOmJ6SfZBudDmW4=
-----END RSA PRIVATE KEY-----

Q: Where can I get this RSA private key from our currently running AWS SFTP server? (I tried to ssh but it does not allow it)

A: It isn't possible to fetch the RSA Private-Key from the service. Also, SSH to the server is not supported.

Q: After creating a new AWS SFTP server, would I be able to set up the host key with this command?

A: Yes, the command you specified is correct and can be used to update the HostKey of the Transfer server if you want to specify your own HostKey.

Also, adding to your comment: it isn't true that Private-keys are only for migrating an On-Premise environment to AWS Transfer Family. As On-Premise environments use their own custom Private-keys for their servers, the guide mentions that it is possible to port them to AWS Transfer Family. In any case, the point being expressed is that customers can associate their own HostKey with their Transfer Family servers irrespective of whether they are migrating or not.

References:
1 - https://docs.aws.amazon.com/cli/latest/reference/transfer/update-server.html

Let me know if you have questions.

AWS
EXPERT
answered 2 years ago
EXPERT
reviewed 2 days ago
  • Hi, thanks! I ended up creating a new SFTP Server and setting up the same private key, this way obtaining the same fingerprint.
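The point the answer makes, that the value shown in the console is a SHA256 fingerprint of the public half of the host key and not something you can feed back in as a private key, is easy to check for yourself once you generate your own host key. The following Python is an added example (not code from this thread, from AWS, or from the Transfer Family service) that builds an OpenSSH-format RSA public-key blob and computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, so you can confirm that the new server's console value matches what clients already have in `known_hosts`. The hostname `sftp.example.com`, the comment `transfer-host-key` and the tiny modulus `TOY_N` are constructed for the demonstration and are not a real key.

```python
import base64
import hashlib
import struct

# Key types whose OpenSSH public-key blob this helper recognises.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, with a leading 0x00
    when the top bit is set so the number is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format RSA public key: string "ssh-rsa", mpint e, mpint n.
    This is the blob OpenSSH base64-encodes in .pub files and known_hosts,
    and the bytes the SHA256 fingerprint is computed over."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def openssh_public_line(e: int, n: int, comment: str = "") -> str:
    """Render an RSA public key as a single OpenSSH .pub line."""
    line = "ssh-rsa " + base64.b64encode(rsa_public_blob(e, n)).decode("ascii")
    return f"{line} {comment}" if comment else line


def sha256_fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key.

    Accepts a .pub line ("ssh-rsa AAAA... comment") or a known_hosts line
    ("host ssh-rsa AAAA..."): the blob is the field right after the key type.
    Same computation as `ssh-keygen -lf`: base64 of SHA-256 over the raw
    blob, with the base64 '=' padding removed.
    """
    fields = line.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    raise ValueError("no recognised OpenSSH public key in line")


def fingerprints_match(shown: str, computed: str) -> bool:
    """Compare a fingerprint copied from a console or ticket with a freshly
    computed one, tolerating whitespace and trailing '=' padding (some
    displays keep the padding, ssh-keygen strips it)."""
    def norm(s: str) -> str:
        return s.strip().rstrip("=")
    return norm(shown) == norm(computed)


# Constructed toy RSA parameters, NOT a real key: far too small for any use,
# present only so the block runs offline.
TOY_E = 65537
TOY_N = 0xC3A5C85C97CB3BF3

if __name__ == "__main__":
    pub = openssh_public_line(TOY_E, TOY_N, "transfer-host-key")
    fp = sha256_fingerprint(pub)
    print(pub)
    print(fp)
    # A replacement server given the same private key presents the same
    # public key, so a client's existing known_hosts entry keeps matching.
    known_hosts_line = "sftp.example.com " + pub
    print(fingerprints_match(fp + "=", sha256_fingerprint(known_hosts_line)))
```

In practice you generate the key once with `ssh-keygen -t rsa -b 4096 -f my-host-key -N ""`, keep `my-host-key` (the PEM-style private key the console asks for) in a secrets store rather than a ticket or repository, upload it with the `aws transfer update-server --host-key file://my-host-key` command from the question, and then compare `ssh-keygen -lf my-host-key.pub` against the fingerprint the console shows for the new server before cutting customers over.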
