Tutorial - Creating an SFTP Partner

In this tutorial, you will:

  • Create a remote partner for SFTP.
  • Configure the partner host key.
  • View partner detail.
  • Specify account and rule for downloading files.

For this tutorial, the remote server is a public read-only SFTP server that is provided for general testing.

See the details here:  https://test.rebex.net


By default, the following algorithms are enabled.

CategoryAlgorithms by order of preference, most preferred at the top
Key Exchange (KEX)
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1 (deprecated)
  • diffie-hellman-group14-sha1 (deprecated)
Encryption (cipher)
  • aes128-gcm@openssh.com
  • chacha20-poly1305@openssh.com
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

The following ones can be enabled globally with the configuration parameter 'AllowLegacyCiphers', but still need to be enabled explicitly per server, see Tutorial - Use a Legacy Encryption Algorithm for an SFTP Partner

  • arcfour256
  • arcfour128
  • aes128-cbc
  • 3des-cbc
  • blowfish-cbc
MAC
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha1 (deprecated)
  • hmac-sha1-96 (deprecated)
Host key
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • rsa-sha2-512
  • rsa-sha2-256
  • ssh-rsa
  • ssh-dss
  • ssh-ed25519

Step 1

From the UDMG navigation pane, select Management > Partners. The Partners list displays.

Step 2

Click New. The Server Details displays.

  • In the Server Name field, enter rebex
  • In the Protocol field, select SFTP
  • In the IP Address field, enter test.rebex.net
  • In the Port field, enter 22
  • In the Member of Business Service, select one of the available Business Services. More business Services can be added after the partner is created. 

Step 3

Click Save and Confirm.

Step 4

Additional details can be attached to the partner. 

  • Description
  • Primary Contact Name
  • Primary Contact Phone
  • Primary Contact Email
  • Secondary Contact Name
  • Secondary Contact Phone
  • Secondary Contact Email
  • Customized fields

Go to the Details tab on the local server pane.

Fill in the needed details.

New fields can be added with the 'plus' button at the bottom of the form. A custom field is comprised of a key and value pair.

Press the Save button inside the tab to store the details.

Step 5

Click the Accounts tab on the Partner detail panel. The list of account records displays and is empty.

Step 6

Click the Add Account button. The Account Details displays

  • In the Name field, enter demo.
  • In the Password field, enter password.
Step 7

Click the Save button.

The account is created and shows in the account list.

Step 8

To verify that the targeted host is the correct one, SFTP protocol uses server host key(s).

To continue with the partner configuration, at least one of the public SSH keys of the the remote server must be stored.

The public keys

  • can be provided by the business partner itself,
  • or can be added by UDMG with adhoc retrieval,
  • or can be retrieved with external tools.

For example, here is how to get the RSA key with the ssh-keyscan utility:

$ ssh-keyscan -t rsa test.rebex.net > rebex.ssh-rsa
# test.rebex.net:22 SSH-2.0-RebexSSH_5.0.8062.0
$ cat rebex.ssh-rsa
test.rebex.net ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkRM6RxDdi3uAGogR3nsQMpmt43X4WnwgMzs8VkwUCqikewxqk4U7EyUSOUeT3CoUNOtywrkNbH83e6/yQgzc3M8i/eDzYtXaNGcKyLfy3Ci6XOwiLLOx1z2AGvvTXln1RXtve+Tn1RTr1BhXVh2cUYbiuVtTWqbEgErT20n4GWD4wv7FhkDbLXNi8DX07F9v7+jH67i0kyGm+E3rE+SaCMRo3zXE6VO+ijcm9HdVxfltQwOYLfuPXM2t5aUSfa96KJcA0I4RCMzA/8Dl9hXGfbWdbD2hK1ZQ1pLvvpNPPyKKjPZcMpOznprbg+jIlsZMWIHt7mq2OJXSdruhRrGzZw==
Step 9

Click the Certificates / Keys tab on the Partner detail panel. The list of certificate records displays and is empty.

Step 10

To manually add a key that was given by the partner or retrieved with a tool, click the Add Certificate button. The Certificate Details displays.

  • In the Name field, enter ssh-rsa
  • In the Public Key field, copy the key that was determined in the previous step.

Step 11

Click Save

Step 12

The certificate record appears in the list.

Step 13

UDMG also provides the ability to fetch and store the remote server host keys during the partner configuration.

Click the Show Host Keys button.

The Host Keys displays with the list of SSH public keys that were scanned from the remote server.

Step 14

Each key can be copied for manual insertion.

Click the Close button to dismiss the window.

Step 15

To automatically store all the retrieved host keys, click the Fetch Host Keys button. The confirmation window displays.

Click Confirm to save the keys.

Step 16

The records are stored with unique names as "date_partner_type" where 

  • date is the current time in YYYYMMDD
  • partner is the value from the IP Address field
  • type is the SSH key type or algorithm

For example: 20230516113741_test.rebex.net_ecdsa-sha2-nistp256

Step 17

To disable a key without deleting it, click the Revoke button (the stop icon).

Here, the sha2-nistp keys are disabled:

A revoked key can be enabled again with the Authorize button .

Step 18

To see more details about a specific host key, click the View button (the eye icon).

The Certificate Details displays, showing the following:

  • algorithm
  • bits: size of the key, only for RSA
  • comment, if any is stored in the Public Key field
  • the MD5 fingerprint
  • the SHA256 fingerprint
  • a clean authorized keyline, without any comment or host specification


Step 19

The Rule tab allows to configure the transfer rules that define the local and remote paths.

To download from the "pub/example" directory, a Receive rule is needed to specify the remote directory.

From the UDMG navigation pane, select Management > Rules. The Rules list displays.

Step 20

Click New. The Rule Details displays.

  • In the Rule Name field, enter rebex_receive_example
  • In the Direction field, select Receive
  • In the Description field, enter any value or leave it empty
  • In the Virtual Path Directory field, enter rebex_receive_example
  • In the Local Directory field, leave it empty (it will use the default directory)
  • In the Remote Directory field, enter pub/example
  • In the Temp Directory field, leave it empty (it will use the default directory)
  • In the Member of Business Service, select one of the available Business Services. More business Services can be added after the rule is created. 

Step 21

Click the Save button.

Step 22

The rule is created and appears on the Rules list

Step 23

From the UDMG navigation pane, select Management > Partners. The Partner list displays.

Select the rebex partner and click on the Rules tab. The green dot on the tab shows that a rule is now assigned to this server.

By default, a rule is implicitly assigned to all partners unless there is an explicit whitelist assignment. This is shown by the globe icon and means the same rule is also assigned to any other partners, for example to 'wftpserver' here:

Step 24

To restrict the use of this rule and this virtual path to only the rebex partner, you have to assign the rule to that partner.

Select the  rebex partner and click on the Rules tab

Step 25
  • Click Edit on the Reception Rules header to display an Edit Rules pop-up that allows you to assign the Reception Rules to the Local Server.

To assign a Rule to a Remote Partner, move the Rule from the Rules window to the Authorized Rules window:

  1. To move a single entry, click it once and then click the > arrow.
  2. To move multiple entries, Ctrl-click them and then click the > arrow.
  3. To move all entries, click the >| arrow.

To unassign the Rule to a Remote Partner, move the Rule from the Authorized Rules window to the Rules window:

  1. To move a single entry, click it once and then click the < arrow.
  2. To move multiple entries, Ctrl-click them and then click the < arrow.
  3. To move all entries, click the |< arrow.
  • Assign the rule rebex_receive_example.
Step 26

The rule is now whitelisted for this server and does not appear anymore for the other servers:

Step 27

Initiate a file transfer to download the file pocketftp.png

Use the Command Line Interface to register the transfer:

$ udmg-client transfer add -p rebex -l demo  -w receive -r rebex_receive_example -f pocketftp.png
The transfer of file pocketftp.png was successfully added.
Step  28

From the UDMG navigation pane, select Activity> History. The Transfer History list displays.

The download is completed successfully and the file is received in the default input directory 'in' under the MFT server home directory, configured here as '/atest/work'