In this tutorial, you will:
...
To configure host-based authentication for an SFTP server, several configuration parameters are set to mimic the behavior of the known_hosts and .shosts files in a traditional SSH environment, where the public keys and the authorized users for a given client host are configured.
Step 1. From the UDMG navigation pane, select Management > Servers. The Server list displays.
Step 2. Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4000 on the Server details tab.
Step 3. Select the Configuration tab and click the add button (plus sign) next to the Host-based authentication label. A Client Details window appears.
Step 4. Fill in the Client Details window:

- Host Name: a comma-separated list of the hostnames or IP addresses that are allowed to authenticate with this public key. Host names are matched without considering the port, so do not specify the incoming port (e.g. hostA.example.com should be used instead of [hostA.example.com]:2222 for a server running on port 2222). For the tutorial, type 0.0.0.0.
- Key Algorithm: the algorithm used to generate the public key: ssh-rsa.
- Public Key: paste the client public key from the file stonebranch-client-01.crt.pub, only the base64 key value, without the algorithm label and the comment.
- Account: select the server local account for which host-based authentication is enabled for connections from this client: stonebranch-01.
- Remote Users: the list of remote users that are allowed to connect to this local account: stonebranch-01.

Additional mappings of local accounts and remote users can be added with the plus button.
Step 5. Click Confirm to close the Client Details window.
Step 6. Click Save and Confirm to store the updated server configuration. The Configuration tab is now marked with a green dot to indicate that specific settings are configured for the server.
Step 7. Restart the MFT Waarp Gateway service so that the new configuration is loaded. For example, on Linux:

    systemctl restart mft_waarp_gateway

Alternatively, restart the server with the restart button. The local SFTP server is restarted with the new configuration.
Step 8. Verify that the server offers host-based authentication. With password and public-key authentication disabled on the client side, only the host-based method is tried:

    $ sftp -v \
        -o "PubkeyAuthentication=no" -o "PasswordAuthentication=no" \
        -o "HostbasedAuthentication=yes" -o "HostbasedKeyTypes=ssh-rsa" \
        -P 4000 stonebranch-01@0.0.0.0 2>&1 | grep hostbased
    debug1: Authentications that can continue: password,publickey,hostbased
    debug1: Next authentication method: hostbased
    debug1: userauth_hostbased: trying hostkey ssh-rsa SHA256:CYzKciuXNJBKSolgD6F/fQZOXDd6tObHz/d1x4E0OgA
    debug1: Authentications that can continue: password,publickey,hostbased
    debug1: No more client hostkeys for hostbased authentication.
    Permission denied (password,publickey,hostbased).

The lines "Authentications that can continue: password,publickey,hostbased" and "Next authentication method: hostbased" show that the server advertises the host-based method and that the client tries it. The final Permission denied is expected at this point: this check only confirms that the method is offered; a working connection from a client configured with the key from Step 4 is verified in Step 9. To confirm that the client offers the intended key, compare the SHA256 fingerprint in the "trying hostkey" line with the fingerprint of the key entered in Step 4 (ssh-keygen -lf stonebranch-client-01.crt.pub prints it).
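As an added example (not part of this page and not UDMG's own code), the following Python script does the two manual pieces of Steps 4 and 8: it splits an OpenSSH .pub line into the algorithm label and the bare base64 key value that go into the Key Algorithm and Public Key fields, checks that the label matches the key type embedded in the key blob, computes the OpenSSH SHA256 fingerprint so it can be compared with the "trying hostkey" line of the sftp -v output, and applies the rule from Step 4 that a client host is matched without its port. The sample ssh-rsa key is constructed from tiny made-up RSA parameters and is not a usable key; the host matching only mirrors the note in Step 4 and is not UDMG's actual implementation.

```python
"""Added example, not UDMG code: prepare and check the host-based client entry.

Assumptions: the sample ssh-rsa key below is built from made-up, tiny RSA
parameters (NOT a real key); host matching mirrors the page's note that the
port is ignored and is not the product's own logic.
"""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode an SSH 'mpint': big-endian magnitude, with a 0x00 prefix when
    the top bit is set so the value is not read as negative."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire format of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


# Constructed sample key: a 128-bit made-up modulus, unusable as a real key.
SAMPLE_BLOB = build_rsa_blob(65537, 0xC3A5_7F11_9D2B_4E6F_8A3C_5D71_E9B3_0F2D)
SAMPLE_PUB_LINE = (
    "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " sftp@stonebranch-client-01"
)


@dataclass(frozen=True)
class PubKey:
    algorithm: str  # value for the Key Algorithm field
    key_value: str  # value for the Public Key field (base64 blob only)
    comment: str


def parse_pubkey_line(line: str) -> PubKey:
    """Split an OpenSSH .pub line into label, base64 key and comment, and verify
    the label matches the algorithm name embedded at the start of the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64-key> [comment]'")
    algorithm, key_value = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(key_value, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii")
    if embedded != algorithm:
        raise ValueError(f"label {algorithm!r} does not match key type {embedded!r}")
    return PubKey(algorithm, key_value, comment)


def fingerprint_sha256(key_value: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw blob, base64 without '='."""
    digest = hashlib.sha256(base64.b64decode(key_value)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


_HOSTBASED_RE = re.compile(r"userauth_hostbased: trying hostkey (\S+) (SHA256:\S+)")


def debug_line_matches_key(debug_line: str, key: PubKey) -> bool:
    """True when an `sftp -v` hostbased debug line names the configured key."""
    m = _HOSTBASED_RE.search(debug_line)
    if not m:
        return False
    algo, fp = m.groups()
    return algo == key.algorithm and fp == fingerprint_sha256(key.key_value)


def normalize_host(host: str) -> str:
    """Drop a known_hosts-style port suffix: '[hostA.example.com]:2222' -> 'hosta.example.com'."""
    m = re.fullmatch(r"\[(.+)\]:\d+", host.strip())
    return (m.group(1) if m else host.strip()).lower()


def host_allowed(host_name_field: str, client_host: str) -> bool:
    """Match an incoming client host against the comma-separated Host Name field."""
    allowed = {normalize_host(h) for h in host_name_field.split(",") if h.strip()}
    return normalize_host(client_host) in allowed


if __name__ == "__main__":
    key = parse_pubkey_line(SAMPLE_PUB_LINE)
    print("Key Algorithm:", key.algorithm)
    print("Public Key   :", key.key_value)
    print("Expected in sftp -v output:", fingerprint_sha256(key.key_value))
```

Run it to print the values to paste in Step 4 and the fingerprint to expect in the Step 8 output; for a real key, replace SAMPLE_PUB_LINE with the contents of stonebranch-client-01.crt.pub.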
Step 9. To verify the connection to the local UDMG server, either configure your favorite SFTP client with the client key and the parameters defined on the server in Step 4, or follow the tutorial “Tutorial - Using Host-Based Authentication for an SFTP Partner” on how to set up a UDMG remote partner with host-based authentication and perform a sample file transfer between the UDMG server and the partner.
...