DSM-G600, DNS-3xx and NSA-220 Hack Forum

Hello,

I am very limited in my knowledge of Linux/SSH/SFTP stuff so please bare with me. I followed this guide http://dns323.kood.org/howto:vsftpd to install VSFTP. Everything pretty much works however I am a little concerned as to how easy it was. My understanding of sftp is that when you remotely log in you need to have your private key file on the system that your logging in from. However, I've tried in two different places 1) using FireFTP outside the network and 2) using an Android phone .. and I am able to log in without specifying "Private Key". Is it supposed to work this way?

In the VSFTP setup there are a few lines I noticed:
#file to keep all users able to access ftp
userlist_file=/ffp/etc/vsftpd/vsftpd.user_list
#point to your certificate and key
rsa_cert_file=/ffp/etc/vsftpd/xxx.crt
rsa_private_key_file=/ffp/etc/vsftpd/xxx.key

Do these lines mean that when I attempt to log in to the DNS using username 'xyz' it checks vsftpd.user_list to see if 'xyz' exists, and if that is true the rsa_private_key_file is used? So the user never needs a private key file as it is hosted on the DNS itself? In all my readings of SSH/SFTP I never came across such a setup.

So when I log in my username/password is being encrypted even though I am not specifying "Private Key"?

Thank you!

Matt.