...
- Configure a local SFTP server to only use certain algorithms.
- Check that the server is refusing to serve connections for other algorithms.
By default, the following algorithms are enabled:
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- diffie-hellman-group1-sha1 (deprecated)
- diffie-hellman-group14-sha1 (deprecated)
- aes128-gcm@openssh.com
- chacha20-poly1305@openssh.com
- aes128-ctr
- aes192-ctr
- aes256-ctr
The following algorithms can be enabled globally with the configuration parameter 'AllowLegacyCiphers', but still need to be enabled explicitly per server (see Tutorial - Use a Legacy Encryption Algorithm for an SFTP Partner):
- arcfour256
- arcfour128
- aes128-cbc
- 3des-cbc
- blowfish-cbc
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-256
- hmac-sha1 (deprecated)
- hmac-sha1-96 (deprecated)
Step 1 | From the UDMG navigation pane, select Management > Servers. The Server list displays.
---|---
Step 2 | Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4000 on the Server details tab.
Step 3 | With a specific tool or with the verbose mode of the sftp client, check which cipher, key exchange and MAC algorithms the local server supports. For example, with a Linux sftp client (OpenSSH_7.4p1): This shows that several algorithms are supported for each category.
Step 4 | On the UDMG Server panel, click on the Configuration tab. The gray dot on the tab shows that the configuration is still the default: all available algorithms are supported by the server and proposed to the clients.
Step 5 | Click Save and Confirm.
Step 6 | The server configuration is updated. The green dot on the tab shows that the configuration is customized.
Step 7 | Restart the server with the restart button.
Step 8 | Click on the MFT Server Status button to show the list of running services. The server stonebranch-sftp-01 should be listed with a green status.
Step 9 | Check that the server does not allow connections with other algorithms, for example with encryption cipher
Step 10 | Check that the server only offers the algorithms that were selected in the configuration tab:
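
One way to script the checks in Steps 3 and 10 without reading client debug output, as an added example that is not part of the UDMG documentation: it reads the server's cleartext SSH_MSG_KEXINIT packet (RFC 4253, section 7.1) and reports every offered algorithm that is outside an allow-list. The function names, the client banner string and the allow-list passed in are assumptions made for illustration.

```python
import socket
import struct

# Name-list order in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload):
    """Split a KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}                            # skip type byte and 16-byte cookie
    for field in FIELDS:
        size = int.from_bytes(payload[pos:pos + 4], "big")
        names = payload[pos + 4:pos + 4 + size]
        if pos + 4 > len(payload) or len(names) != size:
            raise ValueError("truncated name-list: " + field)
        offer[field] = names.decode("ascii").split(",") if size else []
        pos += 4 + size
    return offer

def unexpected(offer, allowed):
    """Return {field: [names]} for offered algorithms outside the allow-list."""
    extra = {}
    for field, names in offer.items():
        group = field.split("_")[0]                # "cipher_c2s" -> "cipher"
        bad = [n for n in names if n not in allowed.get(group, names)]
        if bad:                                    # groups absent from `allowed` are skipped
            extra[field] = bad
    return extra

def fetch_kexinit(host, port, timeout=5.0):
    """Read the server's cleartext KEXINIT packet; no authentication is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        if not stream.readline().startswith(b"SSH-"):
            raise ConnectionError("no SSH version banner received")
        sock.sendall(b"SSH-2.0-kexinit_check\r\n")  # arbitrary client banner (assumed)
        header = stream.read(5)                    # packet_length + padding_length
        if len(header) < 5:
            raise ConnectionError("no KEXINIT packet received")
        length, padding = struct.unpack(">IB", header)
        return stream.read(min(length, 35000) - 1)[:length - 1 - padding]

def build_kexinit(lists):
    """Build a constructed sample payload so the parser can be exercised offline."""
    body = b"".join(struct.pack(">I", len(v)) + v for v in
                    (",".join(lists.get(f, [])).encode() for f in FIELDS))
    return b"\x14" + bytes(16) + body + bytes(5)   # + first_kex_packet_follows, reserved
```

On the host running the tutorial's server, `unexpected(parse_kexinit(fetch_kexinit("127.0.0.1", 4000)), allowed)` should return an empty dict after Step 7 when `allowed` holds the algorithms selected on the Configuration tab, keyed by `kex`, `cipher` and `mac`. The address 127.0.0.1 is an assumed loopback address for the 0.0.0.0 listener.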
...