In this tutorial, you will:

  • Allow the configuration of SFTP servers and partners with the legacy SFTP cipher algorithms.
  • Configure an SFTP partner to explicitly enable the use of a legacy cipher algorithm.

Step 1

Edit the UDMG Server configuration file and set the AllowLegacyCiphers parameter to true:

[sftp]
; Set to true to allow legacy and weak cipher algorithms: 3des-cbc,aes128-cbc,arcfour,arcfour128,arcfour256,blowfish-cbc
AllowLegacyCiphers = true

Step 2

Restart the MFT Waarp Gateway Linux service. The legacy ciphers are now globally allowed, but they are not used by default:

systemctl restart mft_waarp_gateway

Step 3

Log in to the UDMG Admin UI and navigate to Management > Partners.

Step 4

Select the partner rebex from Tutorial - Creating an SFTP Partner.

Step 5

With a dedicated tool, or with the verbose mode of an sftp client, check which cipher algorithms the remote partner supports.

For example, with the Linux sftp client (OpenSSH_7.4p1):

$ sftp -vv -c aes128-cbc -o NumberOfPasswordPrompts=0 dummY@test.rebex.net 2>&1 |grep -A 6 'server KEXINIT proposal' |grep -v stoc
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-s
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,ssh-rsa-sha256@ssh.com,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,twofish256-ctr,twofish192-ctr,twofish128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96

This shows that several algorithms are supported in each category, including the legacy cipher 'aes128-cbc'.
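The same check can be automated over the sftp -vv output. The following Python script is an added example, not part of the original tutorial or of the UDMG product: it parses the 'server KEXINIT proposal' block and reports the ciphers that are on the legacy list from the AllowLegacyCiphers comment (plus any other CBC-mode cipher), the ETM MACs (which the note in Step 6 says cannot be combined with CBC ciphers) and the SHA-1 key exchanges. The sample output it parses is a constructed, shortened copy of the session above; the function and constant names are the example's own.

```python
import re

# Constructed sample: the "server KEXINIT proposal" block of an "sftp -vv" session
# against the Rebex demo server, shortened from the tutorial's output above.
SAMPLE_OUTPUT = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
"""

# Legacy ciphers as listed in the AllowLegacyCiphers comment of the UDMG configuration.
LEGACY_CIPHERS = {"3des-cbc", "aes128-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}

# One "debug2: <category>: <comma separated list>" line of the proposal block.
LINE_RE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers ctos|ciphers stoc|MACs ctos|MACs stoc): (.*)$"
)


def parse_kexinit(output):
    """Return {category: [algorithm, ...]} for the server KEXINIT proposal block only."""
    proposal = {}
    in_block = False
    for line in output.splitlines():
        if "server KEXINIT proposal" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = LINE_RE.match(line.strip())
        if m:
            proposal[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposal


def weak_ciphers(algos):
    """Ciphers on the legacy list, plus any other CBC-mode cipher."""
    return [a for a in algos if a in LEGACY_CIPHERS or a.endswith("-cbc")]


def etm_macs(algos):
    """Encrypt-then-MAC variants, which do not work together with CBC ciphers."""
    return [a for a in algos if a.endswith("-etm@openssh.com")]


def audit(output):
    """Summarise what the remote server proposes, from a defender's point of view."""
    p = parse_kexinit(output)
    ctos = p.get("ciphers ctos", [])
    return {
        "weak_ciphers": weak_ciphers(ctos),
        "offers_aes128_cbc": "aes128-cbc" in ctos,
        "offers_3des_cbc": "3des-cbc" in ctos,
        "etm_macs": etm_macs(p.get("MACs ctos", [])),
        "sha1_kex": [k for k in p.get("KEX algorithms", []) if k.endswith("sha1")],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Feed it the full output of the sftp command (without the two grep filters) and it still works, because only the lines following the 'server KEXINIT proposal' marker are read.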

Step 6

On the UDMG Server panel, click on the Configuration tab.

The gray dot on the tab shows that the configuration is still the default: all available algorithms are supported by the server and proposed to the clients.

  • In the MAC algorithms dropdown list, select hmac-sha2-256 (this disables hmac-sha2-256-etm@openssh.com, which would be enabled otherwise; see the note below).
  • In the Encryption Algorithms dropdown list, select aes128-cbc.


    Note: the MAC algorithm hmac-sha2-256-etm@openssh.com is not compatible with the CBC encryption algorithms (aes128-cbc, 3des-cbc, blowfish-cbc).

    Transfer attempts with such a combination of algorithms fail with the error 'Error on remote partner: ssh: handshake failed: ssh: packet too large'.


Step 7

Click Save and Confirm.

Step 8

The partner configuration is updated. The green dot on the tab shows that the configuration is customized.


Perform a file download, for instance here with the command line client.

$ waarp-gateway transfer add -f readme.txt -w receive -p rebex -l demo -r rebex_receive
The transfer of file readme.txt was successfully added with ID 187.

$ waarp-gateway transfer get 187
● Transfer 187 (receive as client) [DONE]
    Remote ID:         1631341630940250112
    Protocol:          sftp
    Rule:              rebex_receive
    Requester:         demo
    Requested:         rebex
    Local filepath:    /data/in/readme.txt
    Remote filepath:   /readme.txt
    File size:         405
    Start date:        2023-03-02 17:12:08.335589 +0000 UTC
    End date:          2023-03-02 17:12:15.336517 +0000 UTC
    Bytes transferred: 405
    Transfer values:
      - udmg_sftp_client_version: SSH-2.0-Go
      - udmg_sftp_config_ciphers: [aes128-cbc]
      - udmg_sftp_config_kex: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1]
      - udmg_sftp_config_mac: [hmac-sha1 hmac-sha1-96 hmac-sha2-256]
      - udmg_sftp_failed_auth_methods: [none]
      - udmg_sftp_hostkey_algo: ssh-rsa
      - udmg_sftp_kex_algo: curve25519-sha256@libssh.org
      - udmg_sftp_read_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
      - udmg_sftp_server_version: SSH-2.0-RebexSSH_5.0.8208.0
      - udmg_sftp_sucessful_auth_methods: password
      - udmg_sftp_write_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
      - udmg_xfer_log: /config/logs/187.log

[ec2-user@ip-172-31-2-90 ~]$ waarp-gateway transfer get 187|grep cipher
      - udmg_sftp_config_ciphers: [aes128-cbc]
      - udmg_sftp_read_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
      - udmg_sftp_write_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]


By checking the result with the get command after completion, the transfer metadata shows which encryption algorithm was configured on the client side (udmg_sftp_config_ciphers) and which algorithms were negotiated with the server (udmg_sftp_read_algos and udmg_sftp_write_algos). This confirms that the legacy cipher was used.


This is also displayed on the Admin UI Transfer Details:

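The verification described in Step 8 can be scripted as well. The Python below is an added example, not part of the original tutorial or of the UDMG product: it reads the 'Transfer values' printed by waarp-gateway transfer get, decodes the Go-style list ([a b]) and map (map[k:v]) values, confirms that the negotiated cipher is one of the configured ciphers, flags a legacy cipher when one was used, and warns when the configured ciphers and MACs form the CBC plus ETM combination that the note in Step 6 says makes the handshake fail. The sample transfer record is a constructed, trimmed copy of transfer 187 above; the function names are the example's own.

```python
import re

# Constructed sample, modelled on the "Transfer values" block that
# "waarp-gateway transfer get 187" printed in this tutorial, trimmed to the
# algorithm-related keys.
SAMPLE_TRANSFER = """\
Transfer 187 (receive as client) [DONE]
    Protocol:          sftp
    Transfer values:
      - udmg_sftp_config_ciphers: [aes128-cbc]
      - udmg_sftp_config_mac: [hmac-sha1 hmac-sha1-96 hmac-sha2-256]
      - udmg_sftp_kex_algo: curve25519-sha256@libssh.org
      - udmg_sftp_read_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
      - udmg_sftp_server_version: SSH-2.0-RebexSSH_5.0.8208.0
      - udmg_sftp_write_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
"""

# Legacy ciphers as listed in the AllowLegacyCiphers comment of the UDMG configuration.
LEGACY_CIPHERS = {"3des-cbc", "aes128-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}

VALUE_RE = re.compile(r"^- (udmg_\w+): (.*)$")   # one "- key: value" transfer value
MAP_RE = re.compile(r"(\w+):(\S+)")              # one "key:value" pair inside map[...]


def parse_transfer_values(text):
    """Collect the 'udmg_*' transfer values into a dict of raw strings."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def parse_list(raw):
    """'[a b c]' (Go slice formatting) -> ['a', 'b', 'c']."""
    return raw.strip().strip("[]").split()


def parse_map(raw):
    """'map[k:v k2:v2]' (Go map formatting) -> {'k': 'v', 'k2': 'v2'}."""
    raw = raw.strip()
    if raw.startswith("map[") and raw.endswith("]"):
        raw = raw[len("map["):-1]
    return dict(MAP_RE.findall(raw))


def is_legacy(cipher):
    return cipher in LEGACY_CIPHERS or cipher.endswith("-cbc")


def check_transfer(text):
    """Compare configured against negotiated algorithms and return the findings."""
    v = parse_transfer_values(text)
    configured_ciphers = parse_list(v.get("udmg_sftp_config_ciphers", "[]"))
    configured_macs = parse_list(v.get("udmg_sftp_config_mac", "[]"))
    read_algos = parse_map(v.get("udmg_sftp_read_algos", ""))
    write_algos = parse_map(v.get("udmg_sftp_write_algos", ""))
    findings = []

    # Both directions normally negotiate the same cipher, so this is usually one entry.
    negotiated = sorted({a["cipher"] for a in (read_algos, write_algos) if "cipher" in a})
    for cipher in negotiated:
        if cipher not in configured_ciphers:
            findings.append(f"negotiated cipher {cipher} is not in the configured list")
        if is_legacy(cipher):
            findings.append(f"legacy cipher in use: {cipher}")

    # The combination the tutorial's note says fails with 'ssh: packet too large'.
    if any(c.endswith("-cbc") for c in configured_ciphers) and any(
        m.endswith("-etm@openssh.com") for m in configured_macs
    ):
        findings.append("configured CBC cipher together with an ETM MAC: the handshake will fail")

    return {
        "configured_ciphers": configured_ciphers,
        "configured_macs": configured_macs,
        "read": read_algos,
        "write": write_algos,
        "negotiated_ciphers": negotiated,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in check_transfer(SAMPLE_TRANSFER)["findings"]:
        print(finding)
```

Run it over the output of waarp-gateway transfer get for any transfer ID; an empty findings list means the negotiated algorithms match the configuration and no legacy cipher was used.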