curl-library
problem about using libcurl to set up SFTP connection
Date: Thu, 14 Oct 2010 14:26:59 +0800
Hi,
I am using libcurl to implement an SFTP client, and I encountered a
security problem with SFTP authentication by keys.
Scenario:
Local machine OS: Sun Solaris
Remote SFTP server OS: Sun Solaris
Key generation: on local machine, public key ***.pub and private key are created.
Key deployment: ***.pub is added in ~/.ssh/authorized_keys on remote SFTP server.
Interactive command to log on remote SFTP server
In this case, I can use the command "ssh host -i privateKey" to log on to
the remote SFTP server. In other words, I only need the private key to do
authentication.
Use libcurl to log on remote SFTP server
But when I use libcurl to make an SFTP connection, I am asked to give
both the public key and the private key. In source code, the options
"CURLOPT_SSH_PUBLIC_KEYFILE" and "CURLOPT_SSH_PRIVATE_KEYFILE" must be
provided simultaneously. Otherwise, SFTP authentication will fail for
some reason.
As far as I know, in a PKI system the user only needs one key to
authenticate. So I want to know, in the scenario above, whether both
public and private keys should be provided anyway, or whether there
is some other option that should be set first, so that only the private
key will be asked for.
The attachment is the SFTP connection log (failed with only the private key).
Thanks a lot.
<<sftp.log>>
Regards,
Atlantis