In this tutorial, you will:

  • Configure a local SFTP server to allow host-based authentication for certain accounts.

  • Check that the server refuses connections for an invalid combination of account and key.

  • Connect from a UDMG client partner, as explained in the tutorial "Tutorial - Using Host-Based Authentication for an SFTP Partner".


To configure host-based authentication for an SFTP server, several configuration parameters are set to mimic the behaviour of the known_hosts and .shosts files in a traditional SSH environment: the public host key of a given client host and the remote users authorized to log in from that host.

Step 1

From the UDMG navigation pane, select Management > Servers. The Server list displays.

Step 2

Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4000 on the Server details tab.

Step 3

Select the Configuration tab and click on the add button (with the plus sign) next to the Host-based authentication label. A Client Details window appears:

Step 4

  • In the Host Name field, enter a comma-separated list of the hostnames or IP addresses that are allowed to authenticate with this public key.
    Note: hostnames are matched without considering the port, so there is no need to specify the incoming port (e.g. hostA.example.com should be used instead of [hostA.example.com]:2222 for a client running on port 2222).
    For this tutorial, type 0.0.0.0

  • In the Key Algorithm field, select the algorithm used to generate the public key: ssh-rsa

  • In the Public Key field, paste the client public key from the file stonebranch-client-01.crt.pub: only the base64 key value, without the algorithm label and the comment.

  • In the Account field, select the server local account for which host-based authentication is enabled for connections from this client: stonebranch-01

  • In the Remote Users field, enter the list of remote user names that are allowed to connect to this local account: stonebranch-01

  • Additional mappings of local accounts to remote users can be added with the 'plus' button.


Step 5

Click Confirm to close the Client Details window.

Step 6

Click Save, then Confirm, to store the updated server configuration.


Step 7

Restart the MFT Waarp Gateway service.

For example, on Linux:

systemctl restart mft_waarp_gateway

The local SFTP server is restarted with the new host-based authentication configuration.

Step 8

Verify that the server offers host-based authentication and refuses a host key it does not know. The following OpenSSH sftp command disables the other authentication methods and offers the local machine's OpenSSH host key, which (unless the client key from Step 4 has been installed as the OpenSSH host key) is a key the server has not been configured with:

$ sftp -v \
  -o "PubkeyAuthentication=no" -o "PasswordAuthentication=no" \
  -o "HostbasedAuthentication=yes" -o "HostbasedKeyTypes=ssh-rsa" \
  -P 4000 stonebranch-01@0.0.0.0 2>&1 | grep hostbased
debug1: Authentications that can continue: password,publickey,hostbased
debug1: Next authentication method: hostbased
debug1: userauth_hostbased: trying hostkey ssh-rsa SHA256:CYzKciuXNJBKSolgD6F/fQZOXDd6tObHz/d1x4E0OgA
debug1: Authentications that can continue: password,publickey,hostbased
debug1: No more client hostkeys for hostbased authentication.
Permission denied (password,publickey,hostbased).

The first debug line shows that the server advertises hostbased among the methods it accepts. The attempt is then refused: the host key offered by the client (the fingerprint shown in the "trying hostkey" line) is not the public key configured in Step 4 for account stonebranch-01, so the server rejects it. "Permission denied" is therefore the expected result of this check. If no "trying hostkey" line appears at all, the local OpenSSH client had no host key available for host-based authentication (see EnableSSHKeysign in ssh_config(5)), and the server-side check has not actually been exercised.
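As an added example (not part of this tutorial and not UDMG or Waarp Gateway code), the following Python helper derives the Step 4 field values from a client public key line and the fingerprint to compare against the "trying hostkey ... SHA256:..." line of Step 8. It splits a line such as the content of stonebranch-client-01.crt.pub into the Key Algorithm label, the bare base64 body to paste into the Public Key field and the comment, checks that the label matches the key type embedded in the blob (a mismatch means the wrong algorithm was selected), computes the OpenSSH-style SHA256 fingerprint of the blob, and strips an OpenSSH "[host]:port" wrapper from a Host Name entry as the note in Step 4 requires. The RSA key in the sample is constructed inline with placeholder numbers for the format check only; it is not a usable key. All function names are this example's own.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass


def normalize_host(entry: str) -> str:
    """Strip an OpenSSH-style '[host]:port' wrapper. The server matches the
    client host name without the port, so only 'host' goes in Host Name."""
    entry = entry.strip()
    if entry.startswith("[") and "]:" in entry:
        return entry[1:entry.index("]:")]
    return entry


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (RFC 4251): minimal big-endian
    bytes, with a leading 0x00 when the top bit would otherwise be set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an 'ssh-rsa' public key blob (RFC 4253 section 6.6)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def blob_key_type(blob: bytes) -> str:
    """Read the key type string that every SSH public key blob starts with."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of sha256(blob). This is
    the value printed by 'ssh-keygen -lf' and in the sftp -v 'trying hostkey' line."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


@dataclass
class PubKeyLine:
    algorithm: str    # value for the Key Algorithm field
    body: str         # value for the Public Key field (base64 only)
    comment: str      # not entered anywhere, shown for reference
    fingerprint: str  # compare with the Step 8 debug output
    consistent: bool  # label matches the key type embedded in the blob


def parse_pubkey_line(line: str) -> PubKeyLine:
    """Split '<algorithm> <base64-body> [comment]' into the UDMG field values."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64-body> [comment]'")
    algorithm, body = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(body, validate=True)
    return PubKeyLine(
        algorithm=algorithm,
        body=body,
        comment=comment,
        fingerprint=fingerprint_sha256(blob),
        consistent=(blob_key_type(blob) == algorithm),
    )


# Constructed sample: placeholder exponent/modulus, NOT a real RSA key.
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_BLOB = make_rsa_blob(65537, SAMPLE_N)
SAMPLE_BODY = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_LINE = "ssh-rsa " + SAMPLE_BODY + " stonebranch-client-01"


if __name__ == "__main__":
    key = parse_pubkey_line(SAMPLE_LINE)
    print("Key Algorithm:", key.algorithm, "(consistent)" if key.consistent else "(MISMATCH)")
    print("Public Key   :", key.body[:40] + "...")
    print("Fingerprint  :", key.fingerprint)
    print("Host Name    :", normalize_host("[hostA.example.com]:2222"))
```

Run it against the real client key file with `parse_pubkey_line(open("stonebranch-client-01.crt.pub").read())`; if the fingerprint it prints is the one shown in the Step 8 "trying hostkey" line, the client offered the registered key and a refusal points at the host name or account/remote user mapping rather than at the key.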

Step 9

To verify an actual connection to the local UDMG server, either configure your preferred SFTP client with the client key and the parameters defined on the server in Step 4,

or follow the tutorial "Tutorial - Using Host-Based Authentication for an SFTP Partner" to set up a UDMG remote partner with host-based authentication and perform a sample file transfer between the UDMG server and the partner.
