AWS Transfer for SFTP
User Guide

Generating SSH Keys

You can set up your SFTP server to authenticate users using the service-managed authentication method, where user names and SSH public keys are stored within the service. Each user's public SSH key is uploaded to the SFTP server as a property of that user, and the server uses it in standard SSH public-key authentication: the client proves possession of the matching private key, and the private key itself is never sent to the server. Each user can have multiple public SSH keys on file with an individual server. For limits on the number of keys that can be stored for each user, see AWS Transfer for SFTP Limits in the AWS General Reference.

An SFTP server can only authenticate users using a single method, and you can't change that method after the server is created. Instead of using SSH keys, you can authenticate users using a custom identity provider. By using this approach, you can plug in an existing identity provider using an Amazon API Gateway endpoint. For more information, see Authenticating Using Custom Identity Providers.

You can create an SSH key pair in many ways. On macOS, Linux, or UNIX, you can use the ssh-keygen command at the command line, as shown following.

ssh-keygen -P "" -f key_name

The -P "" option sets an empty passphrase, so the private key is written to disk unencrypted; omit it to be prompted for a passphrase instead. The key type and size that ssh-keygen picks by default depend on your OpenSSH version, so state them explicitly (for example, add -t rsa -b 4096) when the server requires a particular type.

The following shows ssh-keygen output for the preceding command.

When you run the ssh-keygen command as shown preceding, it creates two files in the current directory: key_name, the private key, which stays on the client and must be protected like a password, and key_name.pub, the public key, a single line beginning with the key type (for example, ssh-rsa) that you upload to the SFTP server as the user's SSH public key.
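Before attaching the .pub line to a user, it is worth confirming that it really is the public half, that it is well-formed and of the expected type and size, and noting its fingerprint so it can be compared with what the client later reports. The following Python is an added example written for this page, not code from the AWS documentation or from the service. It uses only the standard library; the sample key line is constructed (its modulus is not a real RSA modulus), and the accepted key types and the 2048-bit minimum are assumptions you should set to match your server.

```python
"""Check an OpenSSH public-key line before attaching it to an SFTP user.

Added example, not AWS code. Parses the one-line format ssh-keygen writes to
key_name.pub ("<type> <base64 blob> [comment]"), confirms the blob is well-formed
and matches the declared type, reports the RSA modulus size, and computes the
SHA256 fingerprint the way `ssh-keygen -lf key_name.pub` does."""
import base64
import hashlib
import struct

# Assumption: only ssh-rsa keys are accepted here (what the service took when
# this page was written); adjust to match your server.
SUPPORTED_TYPES = {"ssh-rsa"}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH 'mpint' (RFC 4251 section 5)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # high bit set: prepend 0x00 so the value stays positive
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Assemble an ssh-rsa public-key line from its exponent and modulus."""
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def parse_public_key(line: str) -> dict:
    """Split the line and decode the blob into its SSH string fields; raises
    ValueError on anything malformed, including a blob whose embedded type
    name differs from the prefix (catches tampering and paste mistakes)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64: {exc}") from None
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields or fields[0] != key_type.encode():
        raise ValueError("type prefix does not match the blob contents")
    return {"type": key_type, "blob": blob, "fields": fields, "comment": comment}


def fingerprint(line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(parse_public_key(line)["blob"]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rsa_bits(line: str) -> int:
    """Modulus length in bits of an ssh-rsa key (the number ssh-keygen -l shows)."""
    key = parse_public_key(line)
    if key["type"] != "ssh-rsa" or len(key["fields"]) != 3:
        raise ValueError("not a well-formed ssh-rsa key")
    # fields: type name, e, n. A leading 0x00 sign byte does not change the value.
    return int.from_bytes(key["fields"][2], "big").bit_length()


def check_for_upload(line: str, min_rsa_bits: int = 2048) -> tuple:
    """Return (ok, reason) for the line you are about to attach to an SFTP user."""
    if "PRIVATE KEY" in line:
        return False, "this is a private key; upload only the .pub line"
    try:
        key = parse_public_key(line)
        if key["type"] not in SUPPORTED_TYPES:
            return False, f"unsupported key type {key['type']}"
        bits = rsa_bits(line)
    except ValueError as exc:
        return False, f"malformed key: {exc}"
    if bits < min_rsa_bits:  # assumption: 2048-bit floor; raise it if policy requires
        return False, f"RSA modulus is {bits} bits, below {min_rsa_bits}"
    return True, f"ok: {key['type']} {bits} bits {fingerprint(line)}"


# Constructed sample, not a real key: the modulus is just a 2048-bit number so the
# encoding, size and fingerprint paths behave as they would for a real ssh-rsa key.
SAMPLE_PUB_LINE = build_rsa_line(65537, (1 << 2047) | 0x10001, "sftp-user@example")
```

On a real key, fingerprint() returns the same SHA256 value that ssh-keygen -lf key_name.pub prints, and a line that passes check_for_upload() is the text you paste into the user's SSH public key field in the console (or pass as --ssh-public-key-body to aws transfer import-ssh-public-key). The prefix-versus-blob comparison is the check that catches a line whose first word was edited or pasted from a different key.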

Creating SSH Keys on Microsoft Windows

PuTTY and WinSCP, the SSH clients most often used on Windows, store the private key in their own .ppk format rather than the OpenSSH format that ssh-keygen writes. On Windows, you can use PuTTYgen to create an SSH key pair in that format. You can also use PuTTYgen to convert a private key generated using ssh-keygen to a .ppk file (Conversions > Import key, then Save private key). If you present WinSCP with a private key file not in .ppk format, that SFTP client offers to convert the key into .ppk format for you. Whichever tool generates the pair, the public key you upload to the SFTP server is the single-line OpenSSH form (for example, a line starting with ssh-rsa); in PuTTYgen this is the text in the "Public key for pasting into OpenSSH authorized_keys file" box, not the multi-line file that the Save public key button writes.

For a tutorial on creating SSH keys using PuTTYgen on Windows, see the SSH.com website.