...

Step 1

From the UDMG Admin UI navigation pane, select Local Servers. The Server list displays.

Step 2

Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4100 on the Server Details tab.


Step 3

With a dedicated scanning tool, or with the verbose mode of an sftp client, check which algorithms the local server supports for cipher, key exchange, and MAC.

For example, with a Linux sftp client (OpenSSH_7.4p1):

Code Block
$ sftp -vv -P 4100 stonebranch-01@0.0.0.0 2>&1 | grep -A 6 'peer server KEXINIT proposal'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96

This shows that the server currently offers several algorithms in each category.

Step 4

On the UDMG Server panel, click the Server Details tab.

The gray dot on the tab shows that the configuration is still the default: all available algorithms are supported by the server and proposed to the clients.

  • In the Key Exchange Algorithms list, click the Pencil icon and add diffie-hellman-group1-sha1 using the arrows. Click Save changes.

  • In the Encryption Algorithms list, click the Pencil icon and add aes128-gcm@openssh.com using the arrows. Click Save changes.

  • In the MAC Algorithms list, click the Pencil icon and add hmac-sha2-256-etm@openssh.com using the arrows. Click Save changes.

Step 5

Click the Save and Confirm icon.

Step 6

The server configuration is updated. The green dot on the tab shows that the configuration is now customized.

Step 7

Restart the server with the Restart icon.

The local SFTP server is restarted with the new configuration and the restricted list of algorithms.

Step 8

Click on the MFT UDMG Server Status button to show the list of running services.

The server stonebranch-sftp-01 should be listed with a green status.


Step 9

Check that the server refuses connections that use other algorithms, for example the encryption cipher chacha20-poly1305@openssh.com:

Code Block
$ sftp -c chacha20-poly1305@openssh.com -P 4100 stonebranch-01@0.0.0.0
Unable to negotiate with 127.0.0.1 port 4100: no matching cipher found. Their offer: aes128-gcm@openssh.com
Couldn't read packet: Connection reset by peer


Step 10

Check that the server now offers only the algorithms that were selected on the Server Details tab:

Code Block
$ sftp -vv -c chacha20-poly1305@openssh.com -P 4100 stonebranch-01@0.0.0.0 2>&1 | grep -A 6 'peer server KEXINIT proposal'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com
debug2: ciphers stoc: aes128-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com
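
The manual grep in Steps 3 and 10 can be automated: the script below is an added example, not part of the UDMG documentation, that parses the `debug2:` KEXINIT lines printed by OpenSSH and reports every algorithm the server still offers outside the allowlist chosen in Step 4. The embedded sample outputs are copied from the page; the host, port and user name passed to `fetch_kexinit` are the page's values and are assumed for illustration.

```python
import re
import subprocess

# Constructed samples: the debug2 lines the page shows before (Step 3) and after (Step 10) the restriction.
KEXINIT_BEFORE = """\
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
"""
KEXINIT_AFTER = """\
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: ciphers ctos: aes128-gcm@openssh.com
debug2: ciphers stoc: aes128-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com
"""
# The allowlist selected on the Server Details tab in Step 4.
EXPECTED = {
    "kex": {"diffie-hellman-group1-sha1"},
    "cipher": {"aes128-gcm@openssh.com"},
    "mac": {"hmac-sha2-256-etm@openssh.com"},
}
# OpenSSH debug2 labels -> category; the ctos (client to server) and stoc lists are merged.
_CATEGORY = {"KEX algorithms": "kex", "ciphers": "cipher", "MACs": "mac"}
_LINE = re.compile(r"^debug2: (KEX algorithms|ciphers|MACs)(?: [cs]to[sc])?: (\S+)$")

def parse_kexinit(output: str) -> dict[str, set[str]]:
    """Collect the algorithm names the peer offered, grouped by category."""
    offered: dict[str, set[str]] = {cat: set() for cat in _CATEGORY.values()}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            offered[_CATEGORY[m.group(1)]].update(m.group(2).split(","))
    return offered

def unexpected_algorithms(output: str, expected=EXPECTED) -> dict[str, set[str]]:
    """Algorithms the server still offers although they are not in the allowlist (empty dict = OK)."""
    offered = parse_kexinit(output)
    extra = {cat: offered[cat] - expected[cat] for cat in expected}
    return {cat: algs for cat, algs in extra.items() if algs}

def fetch_kexinit(host: str, port: int, user: str) -> str:
    """Capture the sftp -vv debug output of a real server, as Step 3 does.
    BatchMode stops the client from prompting; KEXINIT is logged before authentication."""
    proc = subprocess.run(["sftp", "-vv", "-o", "BatchMode=yes", "-P", str(port),
                           f"{user}@{host}"], capture_output=True, text=True, stdin=subprocess.DEVNULL)
    return proc.stderr
```

`unexpected_algorithms(fetch_kexinit("0.0.0.0", 4100, "stonebranch-01"))` returns `{}` once the restriction from Step 7 is in effect. Note that the page's example allowlist keeps diffie-hellman-group1-sha1, a 1024-bit group with SHA-1 that OpenSSH has disabled by default since 7.0; a production allowlist would normally carry a modern key exchange such as curve25519-sha256@libssh.org instead.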


...