In this tutorial, you will:
Configure a local SFTP server to allow host-based authentication for selected accounts.
Check that the server refuses connections for an invalid combination of account and key.
The client connection is performed by a UDMG client partner, as explained in Tutorial - Using Host-Based Authentication for an SFTP Partner.
To configure host-based authentication for an SFTP server, several configuration parameters are set to mimic the behaviour of the known_hosts and .shosts files in a traditional SSH environment: the first records the public key of a given client host, the second lists the remote users on that host who are authorized to log in to a local account.
Step 1 | From the UDMG navigation pane, select Management > Servers. The Server list displays. |
Step 2 | Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4000 on the Server details tab. |
Step 3 | Select the Configuration tab and click the add button (with the plus sign) next to the Host-based authentication label. A Client Details window appears. |
Step 4 | In the Client Details window, enter the client host, its public key and the account mapping.
Start with the client hostname or address. Note: hostnames are matched without considering the port, so there is no need to specify the incoming port (e.g. hostA.example.com should be used instead of [hostA.example.com]:2222 for a server running on port 2222). For the tutorial, type 0.0.0.0.
In the Key Algorithm field, enter the algorithm used to generate the public key: ssh-rsa.
In the Public Key field, paste the client public key from the file stonebranch-client-01.crt.pub: only the key value, without the comment and the algorithm label.
In the Account field, select the server local account for which host-based authentication will be enabled for connections from this client: stonebranch-01.
In the Remote Users field, enter the list of remote users allowed to connect to this local account: stonebranch-01.
Additional mappings of local accounts and remote users can be added with the plus button. |
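The Public Key field takes only the base64 blob of the client key, so the algorithm label and the comment of the .pub line have to be stripped off, and the Key Algorithm field has to agree with what the blob actually contains. The following added example (not UDMG code; the key line is a constructed sample with a filler modulus, not the tutorial's stonebranch-client-01.crt.pub) splits a .pub line into the two values to enter, cross-checks the label against the key type embedded in the blob, and prints the SHA256 fingerprint the way ssh-keygen -l would:

```python
"""Prepare the Key Algorithm and Public Key values for the Client Details window.

Added example for this tutorial, not part of UDMG. The key below is a
constructed sample with a made-up modulus, not the tutorial's
stonebranch-client-01.crt.pub key.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 length prefix + payload)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample public key blob: ssh-rsa keys are encoded as the string
# "ssh-rsa", then the mpint e, then the mpint n. The modulus here is filler,
# so this is *not* a usable RSA key, only a well-formed line.
_SAMPLE_BLOB = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string((65537).to_bytes(3, "big"))
    + _ssh_string(bytes.fromhex("7f" + "a5" * 31))
)
SAMPLE_PUB_LINE = (
    "ssh-rsa "
    + base64.b64encode(_SAMPLE_BLOB).decode("ascii")
    + " stonebranch-client-01 (constructed sample)"
)


def split_pubkey_line(line: str) -> tuple:
    """Split '<algorithm> <base64 key> [comment]' into its three parts.

    Only the middle part belongs in the Public Key field; the first goes in
    Key Algorithm and the comment is not entered at all.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64 key> [comment]'")
    algorithm, key_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    return algorithm, key_b64, comment


def blob_key_type(key_b64: str) -> str:
    """Return the key type string embedded at the start of the key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def client_details_values(line: str) -> dict:
    """Return the values to enter, or an error if the label does not match the blob.

    The algorithm label at the start of the line is just text; the blob is
    what the server parses. Refuse lines where the two disagree so the Key
    Algorithm field cannot be set to the wrong type.
    """
    algorithm, key_b64, _comment = split_pubkey_line(line)
    embedded = blob_key_type(key_b64)
    if embedded != algorithm:
        return {"error": f"label {algorithm!r} does not match blob type {embedded!r}"}
    return {
        "key_algorithm": algorithm,
        "public_key": key_b64,
        "fingerprint": fingerprint_sha256(key_b64),
    }


if __name__ == "__main__":
    for key, value in client_details_values(SAMPLE_PUB_LINE).items():
        print(f"{key}: {value}")
    # A line whose label does not match the blob is rejected.
    print(client_details_values("ssh-ed25519 " + SAMPLE_PUB_LINE.split()[1]))
```

Paste the public_key value into the Public Key field and the key_algorithm value into Key Algorithm; the fingerprint is what to compare against the client host's ssh-keygen -lf output to make sure the right key was copied.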
Step 5 | Click Confirm to close the Client Details window. |
Step 6 | Click Save, then Confirm, to store the updated server configuration. |
Step 7 | Restart the MFT Waarp Gateway service. For example, on Linux:
The local SFTP server is restarted with the new host-based authentication configuration. |
Step 8 | Verify that the server accepts host-based authentication attempts. Connect with an OpenSSH client in verbose mode (-v) to port 4000 with the following options, so that only the host-based method is tried:
    -o"PubkeyAuthentication=no"
    -o"PasswordAuthentication=no"
    -o"HostbasedAuthentication=yes"
    -o"HostbasedKeyTypes=ssh-rsa"
In the debug output, the list of authentication methods offered by the server must include hostbased:
    password,publickey,hostbased
The fingerprint of the server host key is also shown, for example:
    SHA256:CYzKciuXNJBKSolgD6F/fQZOXDd6tObHz/d1x4E0OgA
and the attempt ends with the same list of methods accepted by the server: (password,publickey,hostbased). |
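Reading the verbose output by eye works once; scripting the check is what you want when the server is reconfigured or rebuilt. The following added example (not UDMG code) builds the ssh command from the Step 8 options, parses the client's verbose output for the methods the server offers and for the host key fingerprint, and fails if hostbased is missing or the fingerprint is not the expected one. The debug transcript embedded for the offline run is constructed; only the fingerprint is the one shown in Step 8. Connecting to localhost is an assumption, since the server binds 0.0.0.0; use whatever address reaches it from the client host.

```python
"""Check an OpenSSH verbose connection attempt for host-based authentication
support, as in Step 8.

Added example for this tutorial, not part of UDMG. SAMPLE_DEBUG is a
constructed transcript using OpenSSH's message formats; only the
fingerprint is the one shown in Step 8. SERVER_HOST is an assumption.
"""
import subprocess

SERVER_HOST = "localhost"         # assumption: run the check on the server host
SERVER_PORT = 4000                # from Step 2
LOCAL_ACCOUNT = "stonebranch-01"  # from Step 4

# Constructed sample of 'ssh -v' stderr (constructed for this example).
SAMPLE_DEBUG = """\
debug1: Connecting to localhost [127.0.0.1] port 4000.
debug1: Server host key: ssh-rsa SHA256:CYzKciuXNJBKSolgD6F/fQZOXDd6tObHz/d1x4E0OgA
debug1: Authentications that can continue: password,publickey,hostbased
debug1: Next authentication method: hostbased
Permission denied (password,publickey,hostbased).
"""


def build_ssh_argv(user=LOCAL_ACCOUNT, host=SERVER_HOST, port=SERVER_PORT):
    """Argument vector for the Step 8 check: only host-based auth may be tried."""
    return [
        "ssh", "-v", "-p", str(port),
        "-o", "BatchMode=yes",            # never prompt; fail fast instead
        "-o", "PubkeyAuthentication=no",
        "-o", "PasswordAuthentication=no",
        "-o", "HostbasedAuthentication=yes",
        "-o", "HostbasedKeyTypes=ssh-rsa",
        f"{user}@{host}",
        "exit",
    ]


def server_auth_methods(debug_output: str) -> set:
    """Methods the server says may continue, taken from the verbose client output."""
    marker = "Authentications that can continue: "
    methods = set()
    for line in debug_output.splitlines():
        if marker in line:
            methods.update(line.split(marker, 1)[1].strip().split(","))
    return methods


def server_host_fingerprint(debug_output: str):
    """SHA256 fingerprint of the host key the server presented, or None."""
    for line in debug_output.splitlines():
        if "Server host key:" in line:
            return line.split()[-1]
    return None


def hostbased_offered(debug_output: str) -> bool:
    """True when the server lists hostbased among the methods it accepts."""
    return "hostbased" in server_auth_methods(debug_output)


def run_check(expected_fingerprint=None) -> bool:
    """Run ssh against the server and evaluate its verbose output (stderr)."""
    proc = subprocess.run(build_ssh_argv(), capture_output=True, text=True)
    out = proc.stderr
    if expected_fingerprint and server_host_fingerprint(out) != expected_fingerprint:
        print("host key fingerprint does not match the expected server key")
        return False
    return hostbased_offered(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed transcript.
    print("offered:", sorted(server_auth_methods(SAMPLE_DEBUG)))
    print("fingerprint:", server_host_fingerprint(SAMPLE_DEBUG))
    print("hostbased offered:", hostbased_offered(SAMPLE_DEBUG))
```

Two caveats when running run_check() for real: the server offering hostbased only proves the server side is configured; for the OpenSSH client to complete the method it must sign the challenge with its own host key, which needs EnableSSHKeysign yes in ssh_config and a readable ssh-keysign helper. And on OpenSSH 8.5 and later the option is named HostbasedAcceptedAlgorithms; HostbasedKeyTypes is still accepted as the legacy alias.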
Step 9 | To verify the connection to the local UDMG server, either configure your favorite SFTP client with the client key and the parameters defined on the server in Step 4, or follow Tutorial - Using Host-Based Authentication for an SFTP Partner to set up a UDMG remote partner with host-based authentication and perform a sample file transfer between the UDMG server and the partner. |
References: