
A Complete Guide to SFTP Connections and Public Key Authentication in WinSCP

WinSCP is an essential file transfer tool for website development. In this article, we'll walk through everything from the basic steps for a secure SFTP connection to setting up the more secure "public key authentication." We'll explain the technical terms as we go and provide commands you can copy and paste. Let's get it working together! 🚀


The Basics of WinSCP and SFTP

First, let's review the fundamentals.

What is WinSCP?

WinSCP is an open-source file transfer client that runs on Windows. It's used to securely exchange files between your local computer (your PC) and a remote server (the computer where your website is hosted). Its intuitive drag-and-drop interface is a major plus.

What is SFTP?

SFTP (SSH File Transfer Protocol) is a protocol (a set of communication rules) for sending and receiving files over an encrypted SSH connection. Unlike the older FTP, which sends your password and your files in plain text, all SFTP communication is encrypted, so third parties cannot read or tamper with the data in transit. SFTP is the standard for modern web development.


Basic SFTP Connection (Password Authentication)

First, let's try the simplest connection method: using a password for SFTP. It's easy: you just need to enter the information provided when you signed up for your server.

  1. When you launch WinSCP, the login screen will appear.
  2. Select "New Site" and enter the following information:
    • File protocol: SFTP
    • Host name: Your server's hostname or IP address (e.g., `example.com`)
    • Port number: 22 (This is the standard port for SFTP, but it may differ depending on your server)
    • User name: Your server's username (e.g., `user01`)
    • Password: Your server's password
  3. Once you're done, click the "Save" button. You'll be prompted for a site name; give it an easily recognizable name (e.g., `My Website`) and click OK.
  4. From now on, you can simply select the saved site name and click "Login" to connect.

That's all it takes to connect to the server and start uploading or downloading files. However, to further enhance security, the next step, "public key authentication," is strongly recommended.


【The Main Event】Full Steps to Set Up Public Key Authentication in WinSCP

Password authentication is convenient, but it carries the risk that anyone with your password can access your server. This is where public key authentication comes in. It's a more advanced and secure method that uses a "key" and "lock" pair for authentication.

There are a few steps involved, but don't worry: follow them one at a time as described in this guide and you'll have it set up successfully!

Step 1: Create a Key Pair (Public and Private Keys)

First, you'll create a "key pair" on your own PC to use for authentication. WinSCP comes bundled with a tool called "PuTTYgen" for creating keys.

  1. From the bottom of the WinSCP login screen, go to "Tools" and select "Run PuTTYgen."
  2. Once PuTTYgen launches, ensure that the "Type of key to generate" at the bottom of the window is set to "RSA," and click the "Generate" button.
  3. When you see the message "Please generate some randomness by moving the mouse over the blank area," move your mouse cursor randomly. This will generate a unique, unpredictable key.
  4. When the progress bar is full, the key generation is complete.

🔑 Set and Save Key Information

Once the key is generated, you need to configure a few things.

  1. Copy the public key: The string in the text box at the top of the window labeled "Public key for pasting into OpenSSH authorized_keys file" (`ssh-rsa AAAA...`) is your public key. You will need to set this on your server later, so copy and paste all of it into a text editor for now.
  2. Key passphrase: Enter a password in the "Key passphrase" and "Confirm passphrase" fields. This is the password for using your private key. It's crucial because even if someone gains unauthorized access to your PC, they can't log in to the server without this passphrase. Be sure to set one.
  3. Save the private key: Click the "Save private key" button. (If you skipped the passphrase, PuTTYgen warns you about saving the key unprotected; you can click "Yes" to proceed, but setting a passphrase is strongly recommended.) Name the file something recognizable, like "my-private-key," and save it to a secure location on your PC. You must never give this `.ppk` file to anyone.
  4. (Optional) Save the public key: You can also save the public key as a file using the "Save public key" button, but for this guide, we'll use the string you copied earlier.

Now, you should have the "private key" (.ppk file) on your PC and the "public key" (the string starting with ssh-rsa) in your notes.


Step 2: Place the Public Key on the Server

Next, you'll install the public key you just created on the server. This action tells the server, "Allow access to anyone who has the private key corresponding to this public key."

First, log in to the server once using password authentication. (If password authentication is disabled on your server, you'll need to ask your server administrator to install the public key for you.)

Once connected to the server with WinSCP, open the terminal (the black screen) by going to the top menu "Commands" -> "Open Terminal" or by pressing `Ctrl+T`. Then, execute the following commands one by one in order.

1. Create and Set Permissions for the SSH Configuration Directory

Create a dedicated directory (folder) `~/.ssh` to store the public key and set its permissions so that only the owner can read, write, and execute. This is a crucial security step.

mkdir -p ~/.ssh && chmod 700 ~/.ssh

2. Write the Public Key to the authorized_keys File

Next, append the public key to a file named `authorized_keys`. Users holding the private key for any public key listed in this file will be allowed access. Before running the command below, replace `"Paste your public key here"` with the public key you copied from PuTTYgen (the long string starting with `ssh-rsa AAAA...`). Keep the entire key on a single line; a key broken across lines will not be recognized.

echo "Paste your public key here" >> ~/.ssh/authorized_keys

3. Set Permissions for the authorized_keys File

Finally, set the permissions of the created `authorized_keys` file so that only the owner can read and write to it. This is also a mandatory security setting.

chmod 600 ~/.ssh/authorized_keys
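The three commands above, combined into one POSIX shell function as an added example (this is not code from the original article): it checks that the pasted line actually looks like an OpenSSH public key, avoids appending the same key twice, and sets the directory and file permissions sshd requires. The function names, the sample key used in comments and the use of GNU/BusyBox `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: the Step 2 commands as one
# function with sanity checks. Assumes a POSIX sh plus awk and GNU/BusyBox stat.
# Usage: install_pubkey "ssh-rsa AAAA... comment" [ssh_dir]

install_pubkey() {
    key="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth="$ssh_dir/authorized_keys"

    # The line PuTTYgen shows under "Public key for pasting into OpenSSH
    # authorized_keys file" has the shape: <type> <base64 blob> [comment],
    # all on ONE line. Refuse anything else rather than append garbage.
    if ! printf '%s\n' "$key" | awk '
        $1 ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
        $2 ~ /^[A-Za-z0-9+\/]+=*$/ { ok = 1 }
        END { exit !ok }'; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 1
    fi

    # Same as the article: directory 700, file 600. sshd (with the default
    # StrictModes yes) ignores authorized_keys when these are looser.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"

    # Skip if the same type+blob is already present, whatever its comment.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { f = 1 } END { exit !f }' "$auth"; then
        echo "key already present, nothing to do" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Returns 0 only when the modes sshd expects are in place.
check_perms() {
    ssh_dir="${1:-$HOME/.ssh}"
    [ "$(stat -c %a "$ssh_dir")" = 700 ] || return 1
    [ "$(stat -c %a "$ssh_dir/authorized_keys")" = 600 ] || return 1
}
```

Run it in the WinSCP terminal as `install_pubkey "ssh-rsa AAAA... your-comment"`; a second run with the same key reports it is already present instead of adding a duplicate line.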

That completes the server-side configuration! You can now close the terminal.


Step 3: Configure WinSCP with the Private Key and Connect!

This is the final step. We'll tell WinSCP, "Use this private key to connect."

  1. Return to the WinSCP login screen, select the site you want to configure, and click the "Edit" button.
  2. Leave the password field blank.
  3. Click the "Advanced..." button. The Advanced Site Settings window will open.
  4. From the tree on the left, select "SSH" -> "Authentication."
  5. In the "Authentication parameters" section, click the "..." button to the right of the "Private key file" field.
  6. A file selection dialog will open. Select your private key file (.ppk file) that you saved in Step 1.
  7. Click the "OK" button to close the advanced settings, and then click "Save" on the login screen to update the configuration.

Now you're all set! Try clicking the "Login" button.

Instead of a password prompt, you should see a prompt that says, "Enter passphrase for key." Here, enter the passphrase you set in Step 1.

If the server's file list appears successfully, your SFTP connection with public key authentication is a success! 🎉


Use Cases: The Benefits of Public Key Authentication

  • Improved Security: It is much stronger against attacks like password brute-forcing. Since logging in is impossible without the private key, it is significantly more secure than password-only authentication.
  • Managing Multiple Servers: By registering the same public key on multiple servers, you can log in to many servers with a single private key (and passphrase), making management easier.
  • Integration with Automation: When combined with scripts, you can build safer automated processes without needing to write passwords directly in them.

Points to Watch Out For ⚠️

  • Strict Management of the Private Key: The private key file (.ppk) is itself your access pass. Never share it, give it to others, or upload it to public repositories (like GitHub). Managing it physically on a USB drive is a good practice.
  • Importance of the Passphrase: If you don't set a passphrase, anyone who gets hold of your private key file can log in to the server with it immediately. Always set a complex passphrase.
  • Server-Side SSH Configuration: The steps in this guide assume that SSH connections and public key authentication are enabled on the server. If you can't connect, you may need to check the server's `sshd_config` file settings or contact your hosting service's support.

Conclusion: Master Secure File Transfers!

In this guide, we've covered everything from a basic SFTP connection using WinSCP to setting up more secure public key authentication. It might seem a bit challenging at first, but once you set it up, your future file management will be much more secure and convenient.

As a web creator, protecting your clients' valuable data is a crucial responsibility. Take this opportunity to master public key authentication and implement a higher level of security in your workflow.