In this tutorial, you will:

  • Configure a local SFTP server to allow host-based authentication for certain accounts.

  • Check that the server refuses connections for invalid combinations of account and key.

  • The client-side connection is made by a UDMG client partner, as explained in the tutorial "Tutorial - Using Host-Based Authentication for an SFTP Partner".


To configure host-based authentication for an SFTP server, several configuration parameters are set to mimic the behaviour of the known_hosts and .shosts files in a traditional SSH environment, where the public keys and the authorized users for a given client host are configured.

Step 1

From the UDMG navigation pane, select Management > Servers. The Server list displays.

Step 2

Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4000 on the Server details tab.

Step 3

Select the Configuration tab and click on the add button (with the plus sign) next to the Host-based authentication label. A Client Details window appears:

Step 4

  • In Host Name field, input a comma separated list of the hostnames or IP addresses that are allowed to authenticate using this public key.

    Note: hostnames are matched without considering the port, so there is no need to specify the incoming port (e.g. hostA.example.com should be used instead of [hostA.example.com]:2222 for a server running on port 2222).

    For the tutorial, type 0.0.0.0.

  • In Key Algorithm field, the algorithm used to generate the public key: ssh-rsa

  • In Public Key field, paste the client public key from the file stonebranch-client-01.crt.pub: only the base64 key value, without the algorithm label and the trailing comment.

  • In Account field, select a server local account for which the host-based authentication will be enabled for connection from this client: stonebranch-01

  • In the Remote Users field, input a list of remote users which are allowed to connect to this local account: stonebranch-01

  • Additional mappings of local accounts and remote users can be added with the ‘plus’ button.
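The Client Details entry above expresses an access decision: a client host key is trusted only for the listed hosts, only with the listed algorithm and key, and only for the configured (local account, remote user) pairs. The following is an added example, not code from the tutorial or from the UDMG/Waarp product, that models that decision so the accepted and refused combinations can be checked side by side. The entry fields, the host-normalisation rule and the constructed key blob are assumptions for illustration; the host 0.0.0.0, the algorithm ssh-rsa and the account stonebranch-01 are the values used in this tutorial.

```python
"""
Added example (not part of the original tutorial or of the UDMG/Waarp
product code): a minimal model of the server-side check that a
host-based authentication entry like the one in Step 4 expresses.
All entry fields and the key blob below are constructed for illustration.
"""
from dataclasses import dataclass
import base64
import hashlib


def normalise_host(host: str) -> str:
    """Strip an OpenSSH-style '[host]:port' wrapper and fold case.

    The tutorial states that hostnames are matched without the port, so
    '[hostA.example.com]:2222' and 'hostA.example.com' are the same host.
    """
    host = host.strip()
    if host.startswith("[") and "]:" in host:
        host = host[1:host.index("]:")]
    return host.lower()


def key_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints in 'sftp -v' output
    (base64 digest without '=' padding), for comparing the configured key
    with the 'userauth_hostbased: trying hostkey ...' debug line."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class HostBasedEntry:
    hosts: set            # allowed client hostnames / IP addresses
    key_algorithm: str    # e.g. "ssh-rsa"
    public_key: str       # base64 key blob only (no algorithm label, no comment)
    mappings: dict        # local account -> set of allowed remote users


def authorize(entries, client_host, key_algorithm, client_key,
              local_account, remote_user):
    """Return (allowed, reason).

    The client host key is trusted only when an entry lists the host, the
    algorithm and the exact key blob, and the (local account, remote user)
    pair is present in that entry's mappings. Every other combination is
    refused, which is what Step 8 / Step 9 of the tutorial verify.
    """
    host = normalise_host(client_host)
    for entry in entries:
        if host not in {normalise_host(h) for h in entry.hosts}:
            continue
        if entry.key_algorithm != key_algorithm or entry.public_key != client_key:
            continue
        allowed_users = entry.mappings.get(local_account)
        if allowed_users is None:
            return False, f"no mapping for local account {local_account!r}"
        if remote_user not in allowed_users:
            return False, f"remote user {remote_user!r} not allowed for {local_account!r}"
        return True, "host, key, account and remote user all match"
    return False, "no entry matches the client host and key"


# Constructed key blob standing in for the real ssh-rsa key value.
CLIENT_KEY = base64.b64encode(b"constructed-key-blob").decode()

# The single entry configured in Step 4 of the tutorial.
ENTRIES = [
    HostBasedEntry(
        hosts={"0.0.0.0"},
        key_algorithm="ssh-rsa",
        public_key=CLIENT_KEY,
        mappings={"stonebranch-01": {"stonebranch-01"}},
    )
]


if __name__ == "__main__":
    print("configured key fingerprint:", key_fingerprint(CLIENT_KEY))
    checks = [
        ("0.0.0.0", "ssh-rsa", CLIENT_KEY, "stonebranch-01", "stonebranch-01"),
        ("[0.0.0.0]:2222", "ssh-rsa", CLIENT_KEY, "stonebranch-01", "stonebranch-01"),
        ("0.0.0.0", "ssh-rsa", CLIENT_KEY, "stonebranch-01", "someone-else"),
        ("0.0.0.0", "ssh-rsa", CLIENT_KEY, "other-account", "stonebranch-01"),
        ("10.0.0.9", "ssh-rsa", CLIENT_KEY, "stonebranch-01", "stonebranch-01"),
        ("0.0.0.0", "ssh-ed25519", CLIENT_KEY, "stonebranch-01", "stonebranch-01"),
    ]
    for args in checks:
        allowed, reason = authorize(ENTRIES, *args)
        print(f"{args!r}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Running the block prints one decision per combination: only the two requests from 0.0.0.0 (with or without a port suffix) with the configured key, account and remote user are allowed; a different remote user, a different local account, another client host or another key algorithm is refused.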


Step 5

Click Confirm to close the Client Details window

Step 6

Click Save and Confirm to store the updated server configuration


Step 7

Restart the MFT Waarp Gateway service.

For example, on Linux:

```shell
systemctl restart mft_waarp_gateway
```

The local SFTP server is restarted with the new configuration and the restricted list of encryption algorithms.

Step 8

Verify that the server accepts host-based authentication attempts:

```shell
$ sftp -v \
    -o "PubkeyAuthentication=no" -o "PasswordAuthentication=no" \
    -o "HostbasedAuthentication=yes" -o "HostbasedKeyTypes=ssh-rsa" \
    -P 4000 2>&1 | grep hostbased
debug1: Authentications that can continue: password,publickey,hostbased
debug1: Next authentication method: hostbased
debug1: userauth_hostbased: trying hostkey ssh-rsa SHA256:CYzKciuXNJBKSolgD6F/fQZOXDd6tObHz/d1x4E0OgA
debug1: Authentications that can continue: password,publickey,hostbased
debug1: No more client hostkeys for hostbased authentication.
Permission denied (password,publickey,hostbased).
```


Step 9

To verify the connection to the local UDMG server, either configure your favorite SFTP client with the client key and the parameters defined on the server in Step 4, or follow the tutorial "Tutorial - Using Host-Based Authentication for an SFTP Partner" to set up a UDMG remote partner with host-based authentication and perform a sample file transfer between the UDMG server and the partner.

References: