...

  • Configure a local SFTP server to only use certain algorithms.
  • Check that the server is refusing to serve connections for other algorithms.


Step 1

From the UDMG navigation pane, select Management > Servers. The Server list is displayed.

Step 2

Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4000 on the Server details tab.

Step 3

With a dedicated tool or with the verbose mode of an sftp client, check which cipher, key exchange and MAC algorithms the local server supports.

For example, with the Linux sftp client (OpenSSH_7.4p1):

Code Block
$ sftp -vv -P 4000 stonebranch-01@0.0.0.0  2>&1 |grep -A 6 'peer server KEXINIT proposal'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96

This shows that several algorithms are supported for each category.

Step 4

On the UDMG Server panel, click on the Configuration tab.

The gray dot on the tab shows that the configuration is still the default: all available algorithms are supported by the server and proposed to clients.

  • In the Key Exchange Algorithms dropdown list, pick diffie-hellman-group1-sha1.
  • In the Encryption Algorithms dropdown list, pick aes128-gcm@openssh.com.
  • In the MAC Algorithms dropdown list, pick hmac-sha2-256-etm@openssh.com.

Step 5

Click Save and Confirm.

Step 6

The server configuration is updated. The green dot on the tab shows that the configuration is customized.

Step 7

Restart the MFT Waarp Gateway Linux service. The local SFTP server is restarted with the new configuration and the restricted list of algorithms:

systemctl restart mft_waarp_gateway

Step 8

Log in again to the UDMG User Interface.

Step 9

Click the MFT Server Status button to show the list of running services.

The server stonebranch-sftp-01 should be listed with a green status.

Step 10

Check that the server does not allow connection with other algorithms, for example with encryption cipher chacha20-poly1305@openssh.com:

Code Block
$ sftp  -c chacha20-poly1305@openssh.com -P 4000 stonebranch-01@0.0.0.0
Unable to negotiate with 127.0.0.1 port 4000: no matching cipher found. Their offer: aes128-gcm@openssh.com
Couldn't read packet: Connection reset by peer


Step 11

Check that the server only offers the algorithms that were selected in the configuration tab:

Code Block
$ sftp -vv -c chacha20-poly1305@openssh.com -P 4000 stonebranch-01@0.0.0.0 2>&1 |grep -A 6 'peer server KEXINIT proposal'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com
debug2: ciphers stoc: aes128-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com
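As an added example (not part of the original page or of UDMG), the checks in Steps 3 and 11 can be scripted: the code below reads the server's SSH_MSG_KEXINIT proposal (RFC 4253 section 7.1) directly from the SFTP port and reports anything offered beyond an allow-list. The host, port, allow-list and the sample payloads built by the encoder are assumptions for this example, not values from the product.

```python
import socket
import struct

# Allow-list mirroring the Step 4 selection (constructed for this example; adjust to your server).
ALLOWED = {"kex": {"diffie-hellman-group1-sha1"},
           "ciphers": {"aes128-gcm@openssh.com"},
           "macs": {"hmac-sha2-256-etm@openssh.com"}}

# Name-list fields of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ["kex", "host_key", "ciphers_ctos", "ciphers_stoc", "macs_ctos",
          "macs_stoc", "comp_ctos", "comp_stoc", "lang_ctos", "lang_stoc"]

def encode_kexinit(lists):
    """Build a KEXINIT payload from name-lists; used here to construct sample server proposals."""
    out = bytes([20]) + b"\x00" * 16  # message type 20 + 16-byte cookie (zeroed for the sample)
    for f in FIELDS:
        s = ",".join(lists.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows + reserved

def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists (same fields as the sftp -vv output)."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}  # skip message type and cookie
    for f in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        s = payload[off + 4:off + 4 + n].decode("ascii")
        lists[f] = s.split(",") if s else []
        off += 4 + n
    return lists

def unexpected_algorithms(lists, allowed=ALLOWED):
    """Return what the server offers beyond the allow-list; an empty dict means the restriction holds."""
    offered = {"kex": set(lists["kex"]),
               "ciphers": set(lists["ciphers_ctos"]) | set(lists["ciphers_stoc"]),
               "macs": set(lists["macs_ctos"]) | set(lists["macs_stoc"])}
    return {k: sorted(offered[k] - allowed[k]) for k in allowed if offered[k] - allowed[k]}

def fetch_server_kexinit(host, port, timeout=5.0):
    """Exchange version banners and read the server's first binary packet, which is its KEXINIT."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(b"SSH-2.0-algocheck\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send text lines before the banner
            line = f.readline()
        plen, padlen = struct.unpack(">IB", f.read(5))  # packet_length, padding_length
        return parse_kexinit(f.read(plen - padlen - 1))  # payload excludes the padding-length byte
```

Against a running server, `unexpected_algorithms(fetch_server_kexinit("127.0.0.1", 4000))` returns `{}` once the Step 4 restriction is in effect, and lists the extra algorithms otherwise.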


...