Tutorial - Using Host-Based Authentication for an SFTP Partner

In this tutorial, you will:

Configure a remote SFTP partner to allow host-based authentication for certain accounts.
View the configuration in effect during a file transfer with a corresponding UDMG local SFTP server, see Tutorial - Using Host-Based Authentication for an SFTP Server.

To configure hostbased authentication for a SFTP partner, the following steps should be followed:

Add the partner SSH public key of the partner in the certificate list, as for any other SFTP partner configuration.
Add a private key for the UDMG SFTP client as a separate certificate.
Set up the protocol configuration parameters with:
- the list of remote accounts for which hostbased authentication will be enabled.
- the name of the partner certificate that will be used as the client's private key.

Regarding the fact that the partner will have multiple certificates of different type (public/private) configured, only the public keys will be used to validate the server's identity and only the private keys will be used to perform hostbased authentication.

Step 1	From the UDMG navigation pane, select Management > Partners. The Partner list displays.
Step 2	Click New. The Partner Details displays. Fill in the details for the sample server from Tutorial - Creating and Manually Starting an SFTP Server In the Partner Name field, enter stonebranch-sftp-01 In the Protocol field, select SFTP In the IP Address field, enter 0.0.0.0 In the Port field, enter 4000
Step 3	Click the Accounts tab on the Partner detail panel. Add the demo account. In the Name field, enter stonebranch-01. Leave the Password field, empty.
Step 4	Click the Certificate tab on the Partner detail panel and add the public key of the server. The server public key can be retrieved with ssh-keyscan tool: `$ ssh-keyscan -t rsa -p 4000 0.0.0.0` `# 0.0.0.0:4010 SSH-2.0-Go` `[0.0.0.0]:4010 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCnH0...` Click the Add Certificate button. In the Name field, enter ssh-rsa In the Public key field, paste the value of the server public key
Step 5	Add a new certificate record for the client host key. Generate a private SSH key, for example: `$ ssh-keygen -t rsa -b 4096 -C "stonebranch-cert-client-01" -m PEM -f "stonebranch-client-01.crt" -N ""` Click the Add Certificate button. In the Name field, enter ssh-rsa-hostbased-private In the Private key field, paste the value of the private key
Step 6	Click the Configuration tab on the Partner detail panel and switch on the Host-based authentication toggle.
Step 7	In the Private Key Certificate field, input the name of the certificate record with the client private key: ssh-rsa-hostbased-private In the Authorized Accounts field, choose the remote account from the list: stonebranch-01 For selected account(s), the connection will be attempted with the hostbased authentication method.
Step 8	Click Save and Confirm.
Step 9	Configure the rules at partner and/or account level. For example, stonebranch-sftp-01_partner_send Create the rule: Please note, because the remote partner is set to be local UDMG SFTP server, the Remote Directory is set to the virtual path of a receiving rule for the local server: Authorize the sending rule for the partner:
Step 10	Initiate a file transfer to upload a file. Use the Command Line Interface to register the transfer: `$ udmg-client transfer add -p stonebranch-sftp-01 -l stonebranch-01 -w send -r stonebranch-sftp-01_partner_send -f test-hb.txt`
Step 11	Follow the transfer request from the Activity Transfer and History dashboards. There are 2 records in this case, because UDMG is used both as the client and the server in the transaction: Sending the file to the Partner, identified by the rule stonebranch-sftp-01_partner_send and the flag isSend Receiving the file on the Server, identified by the rule stonebranch-sftp-01_receive and the flag isServer

References:

Universal Data Mover Gateway 1.3

Tutorial - Using Host-Based Authentication for an SFTP Partner

Related content