How does SFTP function without a manually generated public/private key pair

Short answer: there is necessarily a public/private key pair on the server. There may be a public/private key pair on the client, but the server may elect to authenticate clients with passwords instead,


SSH is a generic tunnel mechanism, in which some "application data" is transferred. One such application is the "remote shell" which is used to obtain an open "terminal" on a server, in which terminal applications can be run. Another, distinct application is the file transfer protocol known as SFTP. From the SSH point of view, which application is used is irrelevant. This means that any authentication concept applies equally to SSH (the "remote shell" part) and SFTP.

The server MUST have a public/private key pair. That key is used for the tunnel part, so a server will use the same key pair for all applicative protocols. Most Unix-like operating systems (e.g. Linux) create a SSH key pair when first installed, and will use it thereafter. This means that you don't have to "create a key" when you configure your SSH server to also be used as SFTP: the server already has a key.

A client may have a public/private key pair if it wishes to be authenticated based on that key; this is all about client authentication, i.e. about how the server will make sure that it is talking to the right client. Password-based authentication and key-based authentication are the two most common methods (some servers are configured to require both). By definition, only the key-based authentication requires that the client stores and uses a key pair of its own.


It's able to function because the keypair already exists on the server. The SSH server has the keys necessary to protect the information in transit. SSH server will use a public key, that client device uses the public key to encrypt information sent to the server. The server then uses its private key to decrypt that information and process.

See http://www.slashroot.in/secure-shell-how-does-ssh-work


In SSH, you have two sets of key pairs: one for the server and one for the users.

The server key pair is mandatory but it is typically generated during the installation of the server: all you have to do is validate the server public key fingerprint (a simple hash) and, as long as the key is unchanged, your client will silently connect.

The key pair you use for authenticating, however, can be optional (or disallowed) depending on what authentication method you've decided to allow or require on the server.

The Wiki article on SSH has plenty of juicy details but, to summarise, there are 4 supported authentication mechanism:

  • Password requires a username and password combination
  • Public key requires acess to the private part of the public key you use for authentication (typically, you setup the key pair on the client and just update the server configuration with your public key).
  • Keyboard interactive is mostly used for one-time passwords and similar.
  • GSSAPI, a framework used for implementing other authentication scheme, usually to implement single sign-on (most notably Kerberos)