Tutorial - Restrict the Encryption Algorithms for an SFTP Server
In this tutorial, you will:
- Configure a local SFTP server to only use certain algorithms.
- Check that the server is refusing to serve connections for other algorithms.
Step 1 | From the UDMG Admin UI navigation pane, select Local Servers. The Server list displays. |
Step 2 | Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4100 on the Server Details tab. |
Step 3 | With a specific tool or with the verbose mode of the sftp client, check which algorithms the local server supports for key exchange, host key, cipher, and MAC. For example, with a Linux sftp client (OpenSSH_7.4p1): |

    $ sftp -vv -P 4100 stonebranch-01@0.0.0.0 2>&1 | grep -A 6 'peer server KEXINIT proposal'
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
    debug2: host key algorithms: ssh-rsa
    debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
    debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96

This shows that several algorithms are supported in each category, including SHA-1 based ones (diffie-hellman-group14-sha1, hmac-sha1, hmac-sha1-96) that a client can still negotiate while the default configuration is in place.
Step 4 | On the Server Details tab, select the algorithms the server should offer in each category (key exchange, cipher, MAC). Before you change anything, the gray dot on the tab shows that the configuration is still the default: all available algorithms are supported by the server and proposed to clients. |
Step 5 | Click the Save icon. |
Step 6 | The server configuration is updated. The green dot on the tab shows that the configuration is customized. |
Step 7 | Restart the server with the Restart icon. The new algorithm lists only take effect after the restart. |
Step 8 | Click on the UDMG Server Status button to show the list of running services. The server stonebranch-sftp-01 should be listed with a green status. |
Step 9 | Check that the server refuses connections that require other algorithms, for example a cipher that was not selected: |

    $ sftp -c chacha20-poly1305@openssh.com -P 4100 stonebranch-01@0.0.0.0
    Unable to negotiate with 127.0.0.1 port 4100: no matching cipher found. Their offer: aes128-gcm@openssh.com
    Couldn't read packet: Connection reset by peer

This only exercises the cipher negotiation. Repeat the test for the other categories, for example with the OpenSSH client options -o KexAlgorithms=<algorithm> and -o MACs=<algorithm>, and check that each algorithm you did not select is refused with the corresponding "no matching ..." error.
Step 10 | Check that the server only offers the algorithms that were selected in the configuration tab: |

    $ sftp -vv -c chacha20-poly1305@openssh.com -P 4100 stonebranch-01@0.0.0.0 2>&1 | grep -A 6 'peer server KEXINIT proposal'
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: diffie-hellman-group1-sha1
    debug2: host key algorithms: ssh-rsa
    debug2: ciphers ctos: aes128-gcm@openssh.com
    debug2: ciphers stoc: aes128-gcm@openssh.com
    debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
    debug2: MACs stoc: hmac-sha2-256-etm@openssh.com

The server sends its KEXINIT proposal before the cipher mismatch aborts the connection, so the verbose output still shows the complete reduced offer. Note that the key exchange selected in this example, diffie-hellman-group1-sha1 (1024-bit group, SHA-1), and the ssh-rsa host key signature (SHA-1) are legacy algorithms that current OpenSSH clients disable by default; they are used here only to illustrate the mechanism. For a real deployment, select modern algorithms from the list the server supports in Step 3, such as curve25519-sha256@libssh.org, aes128-gcm@openssh.com or chacha20-poly1305@openssh.com, and hmac-sha2-256-etm@openssh.com.
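The checks in Step 3 and Step 10 depend on the verbose output of an OpenSSH client and on reading the lists by eye. As an added example, not code from the UDMG product or from this page, the following Python script reads the server's KEXINIT proposal directly: it connects, exchanges identification strings, parses the first binary packet (the SSH_MSG_KEXINIT of RFC 4253) without completing any key exchange, and reports every offered algorithm that is not on an allowlist. The allowlist POLICY, the default host and port, and the client identification string "SSH-2.0-kexprobe" are assumptions made for illustration; the test data in build_kexinit is constructed from the Step 10 output.

```python
"""KEXINIT probe: read an SSH server's algorithm proposal and audit it against an allowlist.
Added example, not part of the UDMG product or documentation."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "ciphers_ctos", "ciphers_stoc", "macs_ctos", "macs_stoc",
    "compression_ctos", "compression_stoc", "languages_ctos", "languages_stoc",
)
# Assumed allowlist: algorithms from the tutorial's Step 3 list that do not rely
# on SHA-1 or a 1024-bit DH group. Adjust to your own policy.
POLICY = {
    "kex_algorithms": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                       "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"],
    "ciphers_ctos": ["aes128-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
    "ciphers_stoc": ["aes128-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
    "macs_ctos": ["hmac-sha2-256-etm@openssh.com"],
    "macs_stoc": ["hmac-sha2-256-etm@openssh.com"],
}

def _name_list(data, off):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII names)."""
    (n,) = struct.unpack_from(">I", data, off)
    raw = data[off + 4:off + 4 + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + 4 + n

def parse_kexinit(payload):
    """Parse a KEXINIT payload (type byte, 16-byte cookie, ten name-lists) into a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out

def packet_payload(packet):
    """Strip the framing of an unencrypted binary packet (RFC 4253, section 6)."""
    (length,) = struct.unpack(">I", packet[:4])
    padding = packet[4]
    return packet[5:4 + length - padding]

def build_kexinit(proposal, cookie=b"\x00" * 16):
    """Encode a proposal as a complete unencrypted binary packet (used for offline tests)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(proposal.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    padding = 8 - ((5 + len(payload)) % 8)  # at least 4 bytes, total a multiple of 8
    if padding < 4:
        padding += 8
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + b"\x00" * padding

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before KEXINIT")
        buf += chunk
    return buf

def _read_line(sock):
    line = b""
    while not line.endswith(b"\n"):
        line += _recv_exact(sock, 1)
    return line

def probe(host, port, timeout=5.0):
    """Exchange identification strings and return the server's parsed KEXINIT.
    No key exchange is completed and no credentials are needed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe\r\n")  # assumed client identification string
        banner = _read_line(sock)
        while not banner.startswith(b"SSH-"):  # servers may send text lines first
            banner = _read_line(sock)
        header = _recv_exact(sock, 4)
        (length,) = struct.unpack(">I", header)
        if length > 35000:  # RFC 4253 minimum packet size every implementation must handle
            raise ValueError("implausible packet length %d" % length)
        proposal = parse_kexinit(packet_payload(header + _recv_exact(sock, length)))
        proposal["banner"] = banner.rstrip(b"\r\n").decode("ascii", "replace")
        return proposal

def audit(proposal, policy=POLICY):
    """Return, per policy category, the offered algorithms the policy does not allow."""
    return {cat: [a for a in proposal.get(cat, []) if a not in allowed]
            for cat, allowed in policy.items()}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed defaults
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4100
    result = probe(host, port)
    print(result["banner"])
    for cat in KEXINIT_FIELDS[:6]:
        print("%-28s %s" % (cat + ":", ",".join(result[cat])))
    for cat, bad in audit(result).items():
        if bad:
            print("NOT ALLOWED %s: %s" % (cat, ",".join(bad)))
```

Run it as `python3 kexprobe.py 127.0.0.1 4100` against the local server before and after Step 7. Because the script reads the proposal off the wire, the result does not depend on which algorithms the probing client itself has enabled, and the audit step turns the eyeball comparison of Step 10 into a pass/fail check that can run from a scheduled job. Against the Step 10 configuration it reports diffie-hellman-group1-sha1 and the hmac/cipher lists as expected.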