Rebex File Server

SFTP, SCP and SSH server library for .NET

Download 30-day free trial Buy from $349
More .NET libraries

Back to feature list...

Private keys

Loading and saving SSH keys 

When an SSH connection is established, the server presents its public key to the client and proves ownership of the corresponding private key. This makes it possible for the client to verify the identity of the server.

Optionally, the client can also use a public/private key pair of its own to log into the server (public/private key authentication).

In Rebex File Server, public keys are represented by SshPublicKey object and private keys by SshPrivateKey object. SshPrivateKey supports several private key formats: PKCS #8, OpenSSH/OpenSSL and PuTTY .ppk.

In addition to loading and saving, SshPrivateKey object can generate private/public key pairs.
// load a private key (works for all formats)
var serverKey = new SshPrivateKey("server_key.ppk", "key_password");

// save a private key (in the specified format)
serverKey.Save("server_key.pri", "key_password", SshPrivateKeyFormat.OpenSsh);

// use the key as server private key
server.Keys.Add(serverKey);
' load a private key (works for all formats)
Dim serverKey = New SshPrivateKey("server_key.ppk", "key_password")

' save a private key (in the specified format)
serverKey.Save("server_key.pri", "key_password", SshPrivateKeyFormat.OpenSsh)

' use the key as server private key
server.Keys.Add(serverKey)

PKCS #8 keys 

RFC 5208 (PKCS #8) defines a private key format informally known as PKCS #8 key format. It supports several encryption algorithms (3DES is used by default). To save keys using this format, specify SshPrivateKeyFormat.Pkcs8 when calling SshPrivateKey.Save.

Sample of encrypted private key in Base64-encoded PKCS #8 format:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5yNCu9T5SnsCAggA
MBQGCCqGSIb3DQMHBAhJISTgOAxtYwSCAWDXK/a1lxHIbRZHud1tfRMR4ROqkmr4
kVGAnfqTyGptZUt3ZtBgrYlFAaZ1z0wxnhmhn3KIbqebI4w0cIL/3tmQ6eBD1Ad1
nSEjUxZCuzTkimXQ88wZLzIS9KHc8GhINiUu5rKWbyvWA13Ykc0w65Ot5MSw3cQc
w1LEDJjTculyDcRQgiRfKH5376qTzukileeTrNebNq+wbhY1kEPAHojercB7d10E
+QcbjJX1Tb1Zangom1qH9t/pepmV0Hn4EMzDs6DS2SWTffTddTY4dQzvksmLkP+J
i8hkFIZwUkWpT9/k7MeklgtTiy0lR/Jj9CxAIQVxP8alLWbIqwCNRApleSmqtitt
Z+NdsuNeTm3iUaPGYSw237tjLyVE6pr0EJqLv7VUClvJvBnH2qhQEtWYB9gvE1dS
BioGu40pXVfjiLqhEKVVVEoHpI32oMkojhCGJs8Oow4bAxkzQFCtuWB1
-----END ENCRYPTED PRIVATE KEY-----

Sample of unencrypted private key in Base64-encoded PKCS #8 format:

-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA0SC5BIYpanOv6wSm
dHVVMRa+6iw/0aJpT9/LKcZ0XYQ43P9Vwn8c46MDvFJ+Uy41FwbxT+QpXBoLlp8D
sJY/dQIDAQABAkAesoL2GwtxSNIF2YTli2OZ9RDJJv2nNAPpaZxU4YCrST1AXGPB
tFm0LjYDDlGJ448syKRpdypAyCR2LidwrVRxAiEA+YU5Zv7bOwODCsmtQtIfBfhu
6SMBGMDijK7OYfTtjQsCIQDWjvly6b6doVMdNjqqTsnA8J1ShjSb8bFXkMels941
fwIhAL4Rr7I3PMRtXmrfSa325U7k+Yd59KHofCpyFiAkNLgVAiB8JdR+wnOSQAOY
loVRgC9LXa6aTp9oUGxeD58F6VK9PwIhAIDhSxkrIatXw+dxelt8DY0bEdDbYzky
r9nicR5wDy2W
-----END PRIVATE KEY-----

PuTTY .ppk keys 

This key format is used by PuTTY SSH client and utilities and by many PuTTY-derived third-party applications such as WinSCP or FileZilla Client. To save keys using this format, specify SshPrivateKeyFormat.Putty (for PPK v2) or SshPrivateKeyFormat.PPK3.

Sample of private key in PPKv2 format:

PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: ssh-rsa-key-20130321
Public-Lines: 4
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCdcXVZbOo81pToHiqMQgeosK80OXd8uxmC
514Mbp3VHL7eUshv9DlZ/Kc6vCpbkPLnkezLzy4QF9wQCiCem3+KFNbvgQ32R1vd
ztguAIqrzzpoFjq2CPlyy7EuwmbI6k0xvcfAeU29MgnPk9/mkFFhW5084+9dwhz1
7BluYdJIEQ==
Private-Lines: 8
FyXPkB7XlUE2y9WP7wGqmSwMo5RUdoqRbJGkHzMrpMlOOw5KA8QaxiOGixcDYuH4
8gTO4d8grFHcbRgZ7aJUycTdQxrPm8cey1EPUqLP9u3aCZYAqIMhUs5hsq7ujsq9
sK+jfTfY5N4ukYP2DumBreRPgKAE4W+gh/j//pnlJGJDEn32SOaRkiLoy1DB3VZ8
Nv8BPEAKV5ILKwef66KkN9FXPmEz3XQljEDcLNmzUTYypBQZqlYKze6V2cbZRZgi
7IYFV6ZGX8PMFnpSzwzoYfWXp9KQk1kmSqZNqBZ8IRt0KSSBAu5arKuZAI/MFQPU
dwXyuZGt+4sP7pkE/1FuaMb8RENEyNcw/9mPKaJEcZuhtSqcwwZrXAULvca6BpdT
hQwLIkovPa19ZA+miqfZvjo6UUnQyEfMe4biCesl11c/PWGf4BcgbVogQ+oXu7Gh
iF1IoAoF/wqj0fiWX152wg==
Private-MAC: bf45cca7382e573717004e328c08a9ac49f3ecf2

OpenSSH/OpenSSL (SSLeay) keys 

SSLeay key format is used by OpenSSH and OpenSSL suites for storing encrypted RSA and DSA keys. To save keys using this format, specify SshPrivateKeyFormat.OpenSsh when calling SshPrivateKey.Save.

A sample of a private key in OpenSSH format:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,393C44619C5B62FB

g7l6jpFKUWqiU+7wvS+CRCpYygAchVIJTHmR9mTQwxQD6XUMMBfmLO+K6EgBGOt6
HxqTxQsAIAYtHQD370qQVC9aKF4Du2TkMiAlAiET6lyw7yEZeipkY46lJm74SvFJ
xo3dLERKJBcDfNDoBJK/zjJN9I2zfUT2DgPodJwzWCfnk4g+/wWD6wNOSGM57XjR
POQi4kJWI8zxX6v2REhybrfWwFxFaTpxMausotKa9R0hC+169DXGjnfXMPg6va6d
MUVPHKhoNzUInRWA1FPF+Vt9z5X2jQMGf4AJN7W65QE7Q0Boao+aOERKDVTzP1Ff
tRL6X0+BgXMjetqKGP0tJydiAVuP6vXEy1n8YrehUJSqNHJXT23o6kry/s7tMqzo
ke96suSNyQKmPPjFq4MKe+v+/9mQzA4UUcVWgCi2dqZxPhNsAzBXTyIrnFcPykOY
QPmdLMjpxeavbj8F5qZ8pREqDw+WpL8onI64udLFL3kjN5tCC9l3wHKDUJd6Q9y9
5gTKBnVcCRNvlKuLXbb7O5Z1hYKhpdqVJv8pLAhg2/BtTthseV8MjMnLEnbW6nSP
SPLlev76vk/QK6PIR9hQrJGrzXJDvcYEpXJ2YBcgvEIbKR/eFAsPeM4Gin00M6Rj
cDSO6p2ymxpiZ4AdDvgjkTkAx7ZXkxwrr7rRTOgyZZvuY/CpJbW4gs9a+zej5U77
RtWIHj+XZWvTQDPX5VcqDtE/C/bcsM9OQB019rkEcgDjKDtu9uWfDscSCxzMwfCi
xHrpJwudVCF3M6WAvfuB0SLc6UCBALHbln2SksaC+7teUwJP9XD8hg==
-----END RSA PRIVATE KEY-----

New OpenSSH keys 

New OpenSSH format is used by OpenSSH for storing encrypted or unencrypted ECDSA and Ed25519 keys, although it supports other key algorithms as well. To save keys using this format, specify SshPrivateKeyFormat.NewOpenSsh when calling SshPrivateKey.Save.

A sample of a private key in the new OpenSSH format:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABAxBix87d
JvVrEotmWsbAZwAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPKKmhHgVw5SM8IH
uo2XalsMHXvDwBxA7vL+TG/CACK9AAAAkNWU8rq/ToxIgS2BXVJNJI8SI8qHehGmUGEmMI
A+w+bpKwhfWj/Z24DHXrtdPpeTbUT7KHODlBu+StJpN1vtW5kNSuMpE9fL+0GEIasIDsEY
9xD1sLtGAy0pMR6yzB3EW2OEZE8NoTCKJ0Xq18km8Uo1KG8naT2DeSEDzuHSP6NQWkJx5k
BmP6jMW98HAsSIQA==
-----END OPENSSH PRIVATE KEY----- 

Public keys 

Each SshPrivateKey object contains a corresponding public key as well. It can be saved using the PrivateKey.SavePublicKey method in one of the following formats:

  • SshPublicKeyFormat.Ssh2Raw - raw (binary) SSH2 public key format.
  • SshPublicKeyFormat.Ssh2Base64 - base64-encoded SSH2 public key format.

A sample of a public key in SSH2 base64-encoded format:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "Saved by Rebex SSH"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCOL8eACGWoXm6kSDWiN5mfasdXyaNzMSzi
OZUbybHSPhMMrqYvtaCn2wI5GQUE6XIV4wwRPbV6OtyGcXyU/gJ6I62ugWU2s6yW
2UsiolDkKHnildC98Hli94xfSVQgavVy4/ECCdHJIn4+qTjLkkMzkvr67BjpVwbU
TjjQHipRkQ==
---- END SSH2 PUBLIC KEY ----

SSH key generation 

Pairs of private and public key can be generated easily using the SshPrivateKey class:

// generate a 1024bit RSA key pair
var privateKey = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 1024);

// save the private key in Base64-encoded PKCS #8 format
privateKey.Save(@"C:\MyData\key_rsa.pem", "key_password", SshPrivateKeyFormat.Pkcs8);

// save the public key in Base64-encoded 'SSH2 PUBLIC KEY' format
privateKey.SavePublicKey(@"C:\MyData\key_rsa.pub", SshPublicKeyFormat.Ssh2Base64);
' generate a 1024bit RSA key pair
Dim privateKey = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 1024)

' save the private key in Base64-encoded PKCS #8 format
privateKey.Save("C:\MyData\key_rsa.pem", "key_password", SshPrivateKeyFormat.Pkcs8)

' save the public key in Base64-encoded 'SSH2 PUBLIC KEY' format
privateKey.SavePublicKey("C:\MyData\key_rsa.pub", SshPublicKeyFormat.Ssh2Base64)
The generated key can be used as a server key or a client key.

Conversion between formats 

SshPrivateKey object can be used to convert one private key format to another:

// load a private key in any format (PKCS #8 or OpenSSH, for example)
var privateKey = new SshPrivateKey(@"C:\MyData\key_pkcs8.pem", "key_password");

// save the private key in PuTTY .ppk format
privateKey.Save(@"C:\MyData\my_key.ppk", "key_password", SshPrivateKeyFormat.Putty);
' load a private key in any format (PKCS #8 or OpenSSH, for example)
Dim privateKey = New SshPrivateKey("C:\MyData\key_pkcs8.pem", "key_password")

' save the private key in PuTTY .ppk format
privateKey.Save("C:\MyData\my_key.ppk", "key_password", SshPrivateKeyFormat.Putty)

Certificate-based private keys 

X.509 certificates can be used with SSH as well. Unfortunately, most third-party SSH clients and servers don't support RFC 6187 which specifies the relevant algorithms.

X.509 certificates are supported by Rebex SFTP and by PKIX-SSH (a fork of OpenSSH).
// load an X.509 certificate from a PFX file
var cert = Rebex.Security.Certificates.Certificate.LoadPfx(certPath, password);

// create an SshPrivateKey from the certificate
SshPrivateKey privateKey = new SshPrivateKey(cert);
' load an X.509 certificate from a PFX file
Dim cert = Rebex.Security.Certificates.Certificate.LoadPfx(certPath, password)

' create an SshPrivateKey from the certificate
Dim privateKey As New SshPrivateKey(cert)

AsymmetricAlgorithm-based private keys 

If you can only access your private key using .NET's RSACryptoServiceProvider, RSACng DSACryptoServiceProvider or ECDsa objects, you can pass these to SshPrivateKey constructor to make them usable for authentication:

// create and initialize a .NET CSP object
var rsa = new RSACryptoServiceProvider();
rsa.ImportParameters(parameters);

// create a private key from the CSP object
var privateKey = new SshPrivateKey(rsa);
' create and initialize a .NET CSP object
Dim rsa As New RSACryptoServiceProvider()
rsa.ImportParameters(parameters)

' create a private key rom the CSP object
Dim privateKey As New SshPrivateKey(rsa)

This technique is useful for accessing and utilizing non-exportable private keys stored in Windows private key stores or on SmartCards.

Using keys on smart cards 

Keys on SmartCards are usually accessible using .NET's RSACryptoServiceProvider, RSACng DSACryptoServiceProvider or ECDsa objects. To utilize them for SSH authentication, use the approach described in the previous section.

If the smart card is secured by a PIN, it might possible to set the PIN programmatically to suppress the dialog window.

Back to feature list...