Users of SSH clients know to trust specific machines because their keys will match publicly available SSH fingerprints. As part of the instructions you give your clients, you SHOULD be distributing the fingerprint of your MOVEit Transfer SSH server so your clients can confirm the identity of your server. (Without this protection, anyone could spoof this or any other SSH server.)

Note: Installing the public key of the MOVEit Transfer server as a known host on the client in advance is a more secure alternative and makes fingerprint validation unnecessary.

The following OpenSSH session shows this mechanism in action. Specifically, OpenSSH asks the end user if they want to trust the remote server after displaying the MD5 hash of the remote server's SSH server key.

d:\>sftp sshftpuser@moveit.myorg.com 
Connecting to moveit.myorg.com... 
The authenticity of host 'moveit.myorg.com (33.44.55.66)' can't be established. 
RSA key fingerprint is b4:51:8a:9c:5d:7e:98:db:f0:88:08:52:31:b4:a0:1e. 
Are you sure you want to continue connecting (yes/no)? yes 
sshftpuser@moveit.myorg.com's password:

The MOVEit Transfer SSH key is automatically generated the first time the server is started, and an associated fingerprint is created at the same time. To view your MOVEit Transfer SSH key fingerprint, log in to a Windows console on your MOVEit Transfer server. Open Start -> All Programs -> MOVEit Transfer -> MOVEit Transfer Config and navigate to the SSH tab to view your MOVEit Transfer SSH key MD5 hash.
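The same fingerprint can be derived offline from a server public key in OpenSSH format and compared with the value you distributed. The Python code below is an added example, not part of the MOVEit Transfer documentation or product; it produces the colon-separated MD5 form shown in the session above and the SHA256 form that newer OpenSSH clients print by default. The function names are illustrative and the sample key is constructed, not a real server key.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def key_blob(pubkey_line: str) -> bytes:
    """Return the decoded key blob from an OpenSSH '<type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob repeats the key type as its first field; it must match the text prefix.
    if not blob.startswith(_ssh_string(fields[0].encode())):
        raise ValueError("key type does not match key blob")
    return blob

def md5_fingerprint(pubkey_line: str) -> str:
    """Colon-separated MD5 hex of the key blob, the form shown in the session above."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(pubkey_line: str) -> str:
    """SHA256 form (unpadded base64) printed by newer OpenSSH clients."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_published(pubkey_line: str, published_md5: str) -> bool:
    """Compare the key's MD5 fingerprint with the one distributed out of band."""
    want = published_md5.strip().lower()
    if want.startswith("md5:"):          # some clients print an "MD5:" prefix
        want = want[4:]
    return hmac.compare_digest(md5_fingerprint(pubkey_line).encode(), want.encode())

# Constructed sample: an RSA-shaped blob with a made-up modulus, not a usable key.
_blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00" + bytes(range(1, 129)) * 2))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_blob).decode() + " moveit.myorg.com"

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_LINE))
    print(sha256_fingerprint(SAMPLE_LINE))
```

A client that shows only the SHA256 form can be asked for the MD5 form with `ssh-keygen -l -E md5 -f <public key file>`.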

Server Key Backup

The MOVEit Transfer SSH server key is stored encrypted in the registry under the SSHServer\PrivKey registry entry. Any registry backup, including the registry backup performed by the Backup/Restore Utility, will back up this key.

Server Key Export

To export the MOVEit Transfer public SSH server key in either OpenSSH or SSH2 format, see the related instructions in SFTP - Configuration.

Requirements

MOVEit Transfer only supports FTP over SSH (or SFTP) and SCP2. SCP (SCP1) and all Terminal sessions will be denied access.

Troubleshooting

If the SSH user is connecting to MOVEit with the correct username but the administrator does not see any SSH public key entries in the audit logs, it is likely that the end user has NOT yet generated a public/private key pair for SSH. End users can often use the ssh-keygen -t rsa command to generate these keys, but they should be advised to NOT enter a passphrase when prompted during the key generation; if a passphrase is entered it will be asked for during each subsequent attempt to connect and will block attempts to automate the sign-on workflow.