Note

Due to the nature of UDMG as an MFT solution, host-based authentication for SFTP is limited to using the same account name on the server side (local account) and the client side (remote user). It is assumed that an SFTP client acting as User1 on the client node will attempt to log in to the same User1 account on the SFTP server.


To configure host-based authentication for an SFTP partner, follow these steps:

  1. Add the SSH public host key of the partner to the certificate list, as for any other SFTP partner configuration.

  2. Add a private key for the UDMG SFTP client as a separate certificate record. It can then be selected in the host-based authentication configuration.

  3. Set up the protocol configuration parameters with:

    • the name of the certificate record from the previous step that is used as the client's private key.
    • the list of remote accounts for which host-based authentication is enabled.

Because the partner will have multiple certificates of different types (public/private) configured, the public keys can only be used to validate the remote server's identity, and the private keys can only be used to perform host-based authentication.

Step 1

From the UDMG Admin UI navigation pane, select Management > Remote Partners. The Remote Partner list displays.

Step 2

Click the Add icon. The Remote Partner Details panel displays.

Fill in the details for the sample server from Tutorial - Creating and Manually Starting an SFTP Server:

  • In the Partner Name field, enter stonebranch-sftp-01-client.

  • In the Protocol field, select SFTP.

  • In the IP Address field, enter 0.0.0.0.

  • In the Port field, enter 4100.

  • In the Member of Business Service field, select one of the available Business Services. More Business Services can be added after the rule is created.



Step 3

Click the Accounts tab on the Remote Partner detail panel. Add a new account.

  • In the Name field, enter stonebranch-01-client-user.

  • Leave the Password field empty.

  • Click the Submit button.


Step 4

Click the Certificates/Keys tab on the Remote Partner detail panel and add the public host key of the server.


The server public key can be retrieved with the ssh-keyscan tool:

$ ssh-keyscan -t rsa -p 4100 0.0.0.0
# 0.0.0.0:4010 SSH-2.0-Go
[0.0.0.0]:4010 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCnH0...

Click the Add Certificate icon.

  • In the Name field, enter ssh-rsa.

  • In the Public key field, paste the value of the server public key.

  • Click the Submit button.

The public key can also be fetched and stored automatically with the Fetch host key button:

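Both ssh-keyscan and the Fetch host key button accept whatever key the endpoint presents, so before adding the key it is worth comparing its fingerprint with one obtained out of band (for example from ssh-keygen -lf on the server host). The following Python script is an added example, not part of UDMG or this tutorial: it parses ssh-keyscan output, checks that the declared key type matches the type embedded in the key blob, and computes the OpenSSH-style SHA256 fingerprint for that comparison. The key blob in SAMPLE_OUTPUT is constructed, not a real key.

```python
import base64
import hashlib
import re
import struct

# ssh-keyscan prints "host keytype base64" or, for a non-default port, "[host]:port keytype base64".
HOSTKEY_RE = re.compile(
    r"^(?:\[(?P<host>[^\]]+)\]:(?P<port>\d+)|(?P<plain>\S+))\s+(?P<type>\S+)\s+(?P<blob>\S+)")

def fingerprint(raw_key):
    """OpenSSH-style fingerprint: base64(SHA256(wire-format key)) with the '=' padding dropped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw_key).digest()).decode().rstrip("=")

def parse_hostkey_line(line):
    """Return {host, port, type, fingerprint} for one ssh-keyscan line; None for comments and blank lines.
    Raises ValueError if the key type embedded in the blob disagrees with the declared type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HOSTKEY_RE.match(line)
    if not m:
        raise ValueError("unrecognised host-key line: " + line)
    raw = base64.b64decode(m.group("blob"), validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", raw[:4])  # SSH wire format: uint32 length, then the type string
    embedded = raw[4:4 + type_len].decode("ascii", "replace")
    if embedded != m.group("type"):
        raise ValueError("declared type %s but blob carries %s" % (m.group("type"), embedded))
    return {"host": m.group("host") or m.group("plain"),
            "port": int(m.group("port")) if m.group("port") else 22,
            "type": m.group("type"),
            "fingerprint": fingerprint(raw)}

def verify_hostkey_output(output, expected_fingerprint):
    """Return the first entry whose fingerprint equals the one obtained out of band, else None."""
    for line in output.splitlines():
        entry = parse_hostkey_line(line)
        if entry and entry["fingerprint"] == expected_fingerprint:
            return entry
    return None

def make_blob(key_type, payload=b"constructed"):
    """Constructed blob for demonstration: length-prefixed type plus filler; NOT a usable key."""
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type.encode() + payload).decode()

# Constructed stand-in for the ssh-keyscan output shown in this tutorial (same host and port, fake key).
SAMPLE_OUTPUT = "# 0.0.0.0:4100 SSH-2.0-Go\n[0.0.0.0]:4100 ssh-rsa " + make_blob("ssh-rsa") + "\n"
```

Only a key whose fingerprint matches the expected value is returned; a mismatch, or a blob whose embedded type differs from the declared one, is rejected rather than stored.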

Step 5

Add a new certificate record for the client host key; this is needed for host-based authentication.

Generate a private SSH key, for example:

$ ssh-keygen -t rsa -b 4096 -C "stonebranch-cert-client-01" -m PEM -f "stonebranch-client-01.crt" -N ""

Note that the generated public key (stonebranch-client-01.crt.pub) is needed for the setup on the server side.


Click the Add Certificate icon.

  • In the Name field, enter ssh-rsa-hostbased-private.

  • In the Private key field, paste the value of the private key from stonebranch-client-01.crt.

  • Click the Submit button.


Click the Save icon.

  • The list shows both the public host key (with the globe icon) and the private key (with the key icon).

Step 6

In the Configuration tab of the Remote Partner Details, switch on the Host-based authentication toggle.

The Private Key Certificate field and Authorized Accounts button appear.


Step 7

  • In the Private Key Certificate field, input the name of the certificate record with the client private key: ssh-rsa-hostbased-private.

  • In the Authorized Accounts field, choose the remote account from the list: stonebranch-01-client-user.

For the selected account(s), the connection is attempted with the host-based authentication method.

Step 8

Click the Save and Confirm icon.

Step 9

Be sure to have completed the local SFTP server configuration with the public key that was generated above. See Tutorial - Using Host-Based Authentication for an SFTP Server.

Step 10

Configure the rules at partner and/or account level.

For example, stonebranch-sftp-01_partner_send.

Go to the Rules service via the UDMG Admin UI navigation pane.

Create the rule.

Note that because the remote partner in this tutorial is a local UDMG SFTP server, the Remote Directory is set to the virtual path (sft-01-in) of a receiving rule for the local server.

Authorize the sending rule in the Rules tab of the Remote Partner Details.

Step 11

Initiate a file transfer to upload a file.

Use the Command Line Interface to register the transfer:

$ udmg-client transfer add -p stonebranch-sftp-01-client -l stonebranch-01-client-user -w send -r stonebranch-sftp-01_partner_send -f test-hb.txt


Step 12

Follow the transfer request from the Activity Transfer and History dashboards.

There are 2 records in this case, because UDMG acts as both the client and the server in the transaction:

  • Sending the file to the Partner, identified by the rule stonebranch-sftp-01_partner_send and the flag isSend.

  • Receiving the file on the Server, identified by the rule stonebranch-sftp-01_receive and the flag isServer.


References: