

To configure host-based authentication for an SFTP partner, follow these steps:

  1. Add the partner's SSH public host key to the certificate list, as for any other SFTP partner configuration.

  2. Add a private key for the UDMG SFTP client as a separate certificate record. It can then be selected in the host-based authentication configuration.

  3. Set up the protocol configuration parameters with:

    • the name of the partner certificate record from the previous step that will be used as the client's private key.
    • the list of remote accounts for which host-based authentication will be enabled.

Since the partner will then have certificates of both types (public and private) configured, note that the public keys are used only to validate the remote server's identity, and the private keys are used only to perform host-based authentication.

Step 1

From the UDMG navigation pane, select Management > Partners. The Partner list displays.

Step 2

Click New. The Partner Details displays.

Fill in the details for the sample server from Tutorial - Creating and Manually Starting an SFTP Server

  • In the Partner Name field, enter stonebranch-sftp-01

  • In the Protocol field, select SFTP

  • In the IP Address field, enter 0.0.0.0

  • In the Port field, enter 4000

  • In the Member of Business Service field, select one of the available Business Services. More Business Services can be added after the partner is saved.

Step 3

Click the Accounts tab on the Partner detail panel. Add the demo account.

  • In the Name field, enter stonebranch-01.

  • Leave the Password field empty; host-based authentication does not use a password.

Step 4

Click the Certificate tab on the Partner detail panel and add the public host key of the server.

The server public key can be retrieved with the ssh-keyscan tool:

$ ssh-keyscan -t rsa -p 4000 0.0.0.0
# 0.0.0.0:4000 SSH-2.0-Go
[0.0.0.0]:4000 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCnH0...

ssh-keyscan records whatever key the host at that address presents, so before saving the record compare its fingerprint with the fingerprint of the server's own host key: ssh-keyscan -t rsa -p 4000 0.0.0.0 | ssh-keygen -lf - on the client side, and ssh-keygen -lf <host key file> on the server side. The two SHA256 values must be identical.

Click the Add Certificate button.

  • In the Name field, enter ssh-rsa

  • In the Public key field, paste the value of the server public key

The public key can also be fetched and stored automatically with the Fetch host key button. The same fingerprint comparison applies to a fetched key.
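Whether the key comes from ssh-keyscan or from the Fetch host key button, it is only as trustworthy as the network path it arrived over, so the check that matters is comparing its fingerprint with one read from the server itself. The following is an added example in Python (not UDMG code and not part of the tutorial) that parses an ssh-keyscan output line, computes the OpenSSH SHA256 fingerprint that ssh-keygen -lf prints, and accepts the key only if it matches a reference fingerprint taken out of band; the key blobs are constructed toy values, and the function names are the example's own.

```python
"""Check an ssh-keyscan host key against the server's real fingerprint.

Added example, not UDMG code. The ssh-keyscan line format, the ssh-rsa blob
layout and the SHA256 fingerprint algorithm are the real ones; the key
material below is constructed and the moduli are toy values.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a positive SSH 'mpint': minimal big-endian bytes, with a leading
    0x00 when the top bit is set so the value is not read as negative."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob (RFC 4253 section 6.6): the string
    'ssh-rsa' followed by the mpints e and n. This is what the base64 column
    of ssh-keyscan output and of a .pub file encodes."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint as printed by ssh-keygen -lf:
    'SHA256:' + base64(sha256(blob)) with the '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str) -> dict:
    """Parse one ssh-keyscan key line, e.g. '[0.0.0.0]:4000 ssh-rsa AAAA...'.
    Comment lines (starting with '#') are rejected."""
    if line.startswith("#") or not line.strip():
        raise ValueError("not a key line: %r" % line)
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed key line: %r" % line)
    hostport, keytype, b64 = fields[:3]
    if hostport.startswith("["):            # non-default port: [host]:port
        host, _, port = hostport[1:].partition("]:")
        port = int(port)
    else:                                    # default port 22: bare host
        host, port = hostport, 22
    blob = base64.b64decode(b64)
    # The algorithm name embedded in the blob must match the type column.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode("ascii"):
        raise ValueError("key type column does not match key blob")
    return {"host": host, "port": port, "type": keytype,
            "blob": blob, "fingerprint": fingerprint(blob)}


def host_key_matches(keyscan_line: str, expected_fingerprint: str,
                     expected_port: int) -> bool:
    """Accept the scanned key only if it was scanned on the expected port and
    its fingerprint equals the one read from the server's own host key file."""
    parsed = parse_keyscan_line(keyscan_line)
    return (parsed["port"] == expected_port
            and parsed["fingerprint"] == expected_fingerprint)


# Constructed sample data (not real keys): toy moduli stand in for the
# 4096-bit modulus a real server would present.
SERVER_BLOB = rsa_public_blob(65537, (1 << 255) | 0x5A5A5A5A)
IMPOSTER_BLOB = rsa_public_blob(65537, (1 << 255) | 0xA5A5A5A5)


def keyscan_line_for(blob: bytes, port: int = 4000) -> str:
    """Format a blob the way ssh-keyscan prints it for a non-default port."""
    return "[0.0.0.0]:%d ssh-rsa %s" % (port, base64.b64encode(blob).decode("ascii"))


# What a genuine scan returns, and what a man-in-the-middle would return.
SCAN_GENUINE = keyscan_line_for(SERVER_BLOB)
SCAN_TAMPERED = keyscan_line_for(IMPOSTER_BLOB)

# The reference fingerprint is taken out of band on the server itself
# (ssh-keygen -lf <host key file>), never from the scan being checked.
EXPECTED_FINGERPRINT = fingerprint(SERVER_BLOB)

if __name__ == "__main__":
    for label, line in (("genuine", SCAN_GENUINE), ("tampered", SCAN_TAMPERED)):
        info = parse_keyscan_line(line)
        verdict = host_key_matches(line, EXPECTED_FINGERPRINT, 4000)
        print("%-8s %s:%d %s %s -> %s" % (label, info["host"], info["port"],
              info["type"], info["fingerprint"], "save" if verdict else "REJECT"))
```

The port is part of the comparison on purpose: a key scanned from a different port than the partner record uses is not evidence about the server the partner will actually talk to.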

Step 5

Add a new certificate record for the client host key; this is needed for host-based authentication.

Generate a private SSH key, for example:

$ ssh-keygen -t rsa -b 4096 -C "stonebranch-cert-client-01" -m PEM -f "stonebranch-client-01.crt" -N ""

-N "" produces a private key file without a passphrase, so keep it readable only by the user who runs the command and do not leave copies on the workstation once its contents have been stored in UDMG. Note that the generated public key (stonebranch-client-01.crt.pub) is needed for the setup on the server side.


Click the Add Certificate button.

  • In the Name field, enter ssh-rsa-hostbased-private

  • In the Private key field, paste the contents of stonebranch-client-01.crt (the private key)

  • Click Save

Step 6

Click the Configuration tab on the Partner detail panel and switch on the Host-based authentication toggle.

The Private Key Certificate and Authorized Accounts fields appear.

Step 7

  • In the Private Key Certificate field, enter the name of the certificate record with the client private key: ssh-rsa-hostbased-private

  • In the Authorized Accounts field, choose the remote account from the list: stonebranch-01

For the selected account(s), connections will be attempted with the host-based authentication method.

Step 8

Click Save and Confirm.

Step 9

Be sure to have completed the local SFTP server configuration with the public key that was generated above. See Tutorial - Using Host-Based Authentication for an SFTP Server.

Step 10

Configure the rules at partner and/or account level, for example stonebranch-sftp-01_partner_send.

Create the rule. Because the remote partner in this tutorial is a local UDMG SFTP server, the Remote Directory is set to the virtual path (sft-01-in) of a receiving rule for the local server.

Authorize the sending rule for the partner.


Step 11

Initiate a file transfer to upload a file.

Use the Command Line Interface to register the transfer:


$ udmg-client transfer add -p stonebranch-sftp-01 -l stonebranch-01 -w send -r stonebranch-sftp-01_partner_send -f test-hb.txt


Step 12

Follow the transfer request from the Activity Transfer and History dashboards.

There are two records in this case, because UDMG is used both as the client and as the server in the transaction:

  • Sending the file to the Partner, identified by the rule stonebranch-sftp-01_partner_send and the flag isSend

  • Receiving the file on the Server, identified by the rule stonebranch-sftp-01_receive and the flag isServer

