In this tutorial, you will:
- Configure a local SFTP server to only use certain algorithms.
- Check that the server refuses connections that use other algorithms.
**Step 1.** From the UDMG navigation pane, select Management > Servers. The Server list displays.

**Step 2.** Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4000 on the Server details tab.

**Step 3.** With a dedicated scanning tool or with the verbose mode of the sftp client, check which cipher, key exchange (KEX) and MAC algorithms the local server supports. For example, with the Linux sftp client (OpenSSH_7.4p1):

```console
$ sftp -vv -P 4000 stonebranch-01@0.0.0.0 2>&1 | grep -A 6 'peer server KEXINIT proposal'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
```

This shows that several algorithms are supported in each category.

**Step 4.** On the UDMG Server panel, click the Configuration tab. The gray dot on the tab shows that the configuration is still the default: all available algorithms are supported by the server and proposed to clients.

**Step 5.** Click Save and Confirm.

**Step 6.** The server configuration is updated. The green dot on the tab shows that the configuration is customized.

**Step 7.** Restart the server with the Restart button.

**Step 8.** Click the MFT Server Status button to show the list of running services. The server stonebranch-sftp-01 should be listed with a green status.

**Step 9.** Check that the server refuses connections that use other algorithms, for example a non-selected encryption cipher:

```console
$ sftp -c chacha20-poly1305@openssh.com -P 4000 stonebranch-01@0.0.0.0
Unable to negotiate with 127.0.0.1 port 4000: no matching cipher found. Their offer: aes128-gcm@openssh.com
Couldn't read packet: Connection reset by peer
```

**Step 10.** Check that the server only offers the algorithms that were selected on the Configuration tab:

```console
$ sftp -vv -c chacha20-poly1305@openssh.com -P 4000 stonebranch-01@0.0.0.0 2>&1 | grep -A 6 'peer server KEXINIT proposal'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com
debug2: ciphers stoc: aes128-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com
```
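The checks in Steps 3, 9 and 10 are done by reading the client's debug output by eye. The following Python script, an added example that is not part of the UDMG documentation, automates them: it parses the peer KEXINIT proposal from `sftp -vv` output, compares what the server offers against the algorithm set selected on the Configuration tab, parses the `Unable to negotiate` message from a rejected connection, and flags algorithms that are generally considered weak. It also surfaces a point worth noticing in Step 10: the restricted configuration keeps diffie-hellman-group1-sha1, a SHA-1 key exchange over a 1024-bit group, so the script reports it. The embedded sample outputs are the tutorial's own sessions; the expected-algorithm policy (`EXPECTED_POLICY`) and the weak-algorithm list (`WEAK_ALGORITHMS`) are assumptions made for the example.

```python
"""Check an SFTP server's algorithm offer from OpenSSH client debug output."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Sample input: the peer proposal printed in Step 3 (default configuration).
DEFAULT_PROPOSAL = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
"""

# Sample input: the peer proposal printed in Step 10 (restricted configuration).
RESTRICTED_PROPOSAL = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com
debug2: ciphers stoc: aes128-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com
"""

# Sample input: the refusal printed in Step 9.
REJECTION_OUTPUT = """\
Unable to negotiate with 127.0.0.1 port 4000: no matching cipher found. Their offer: aes128-gcm@openssh.com
Couldn't read packet: Connection reset by peer
"""

# Policy (assumption for this example): the algorithms selected on the
# Configuration tab, i.e. what Step 10 expects the server to offer.
EXPECTED_POLICY: Dict[str, Set[str]] = {
    "kex": {"diffie-hellman-group1-sha1"},
    "cipher": {"aes128-gcm@openssh.com"},
    "mac": {"hmac-sha2-256-etm@openssh.com"},
}

# Algorithms flagged as weak (assumption: a short, conservative list of
# SHA-1 based KEX/MACs, including the 1024-bit group1 exchange).
WEAK_ALGORITHMS: Set[str] = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "hmac-sha1",
    "hmac-sha1-96",
}

# KEXINIT lines that carry each policy category; ciphers and MACs are
# negotiated per direction (ctos = client-to-server, stoc = server-to-client).
CATEGORY_LINES = {
    "kex": ("KEX algorithms",),
    "hostkey": ("host key algorithms",),
    "cipher": ("ciphers ctos", "ciphers stoc"),
    "mac": ("MACs ctos", "MACs stoc"),
}

PROPOSAL_LINE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers (?:ctos|stoc)|MACs (?:ctos|stoc)): (.*)$"
)
REJECTION_LINE = re.compile(r"no matching (.+?) found\. Their offer: (\S+)")


def parse_peer_proposal(output: str) -> Dict[str, List[str]]:
    """Return {KEXINIT line name: [algorithms]} for the server's proposal.

    Lines before 'peer server KEXINIT proposal' belong to the local client's
    own proposal and are skipped; parsing stops at the first line that is not
    a proposal line once the peer block has started.
    """
    proposal: Dict[str, List[str]] = {}
    in_peer_block = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("debug2: peer server KEXINIT proposal"):
            in_peer_block = True
            continue
        if not in_peer_block:
            continue
        match = PROPOSAL_LINE.match(line)
        if match is None:
            if proposal:
                break
            continue
        proposal[match.group(1)] = [a for a in match.group(2).split(",") if a]
    return proposal


def offered(proposal: Dict[str, List[str]], category: str) -> Set[str]:
    """Union of the algorithms the server offers for one policy category."""
    algs: Set[str] = set()
    for name in CATEGORY_LINES[category]:
        algs.update(proposal.get(name, []))
    return algs


def check_policy(proposal: Dict[str, List[str]],
                 policy: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Compare the offer to the policy; an empty result means an exact match."""
    violations: Dict[str, Dict[str, Set[str]]] = {}
    for category, allowed in policy.items():
        got = offered(proposal, category)
        extra, missing = got - allowed, allowed - got
        if extra or missing:
            violations[category] = {"extra": extra, "missing": missing}
    return violations


def weak_algorithms(proposal: Dict[str, List[str]]) -> Set[str]:
    """Algorithms in the offer that appear in WEAK_ALGORITHMS."""
    return {a for algs in proposal.values() for a in algs} & WEAK_ALGORITHMS


def parse_rejection(output: str) -> Optional[Tuple[str, Set[str]]]:
    """Parse OpenSSH's 'Unable to negotiate' line into (category, server offer)."""
    match = REJECTION_LINE.search(output)
    if match is None:
        return None
    return match.group(1), set(match.group(2).split(","))


if __name__ == "__main__":
    for label, text in (("Step 3", DEFAULT_PROPOSAL), ("Step 10", RESTRICTED_PROPOSAL)):
        prop = parse_peer_proposal(text)
        print(label, "policy violations:", check_policy(prop, EXPECTED_POLICY) or "none")
        print(label, "weak algorithms offered:", weak_algorithms(prop) or "none")
    print("Step 9 rejection:", parse_rejection(REJECTION_OUTPUT))
```

To run it against a live server, pipe the real client output in instead of the embedded samples, e.g. `sftp -vv -P 4000 stonebranch-01@0.0.0.0 2>&1` for the proposal and the `-c` variant from Step 9 for the rejection; the `-A 6` grep is unnecessary because the parser skips everything outside the peer block. An empty result from `check_policy` on the Step 10 output confirms the restriction took effect, and a non-empty `weak_algorithms` result is the cue to revisit which algorithms were selected on the Configuration tab.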