Tutorial - Restrict the Encryption Algorithms for an SFTP Server

Owned by
Stonebranch
Last updated: Jun 03, 2024 by
Katie Murphy

In this tutorial, you will:

  • Configure a local SFTP server to only use certain algorithms.
  • Check that the server is refusing to serve connections for other algorithms.


Step 1

From the UDMG Admin UI navigation pane, select Local Servers. The Server list displays.

Step 2

Select the stonebranch-sftp-01 server and note the address 0.0.0.0 and port 4100 on the ServerDetails tab.

Step 3

With a specific tool or with the verbose mode of sftp client, check what algorithms the local server supports for cipher, key exchange, and MAC algorithms.

For example, with a linux sftp (OpenSSH_7.4p1): 

$ sftp -vv -P 4100 stonebranch-01@0.0.0.0  2>&1 |grep -A 6 'peer server KEXINIT proposal'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96

This shows that several algorithms are supported for each category.

Step 4

On Server Details tab.

The gray dot on the tab shows that configuration is still the default, all available algorithms are supported by the server and proposed to the clients.

  • In the Key Exchange Algorithms, click the Pencil icon () and add diffie-hellman-group1-sha1 using the arrows. Click Save changes.

  • In the Encryption Algorithms, click the Pencil icon () and add aes128-gcm@openssh.com using the arrows. Click Save changes.

  • In the MAC Algorithms, click the Pencil icon () and add hmac-sha2-256-etm@openssh.com using the arrows. Click Save changes.

Step 5

Click Save icon ().

Step 6

The server configuration is updated, The green dot on the tab shows that the configuration is customized.

Step 7

Restart the server with the Restart icon ().
The local SFTP server is restarted with the new configuration and the restricted list of encryption algorithms.

Step 8

Click on the UDMG Server Status button to show the list of running services.

The server stonebranch-sftp-01 should be listed with a green status.

Step 9

Check that the server does not allow connection with other algorithms, for example with an encryption cipher chacha20-poly1305@openssh.com:

$ sftp  -c chacha20-poly1305@openssh.com -P 4100 stonebranch-01@0.0.0.0
Unable to negotiate with 127.0.0.1 port 4100: no matching cipher found. Their offer: aes128-gcm@openssh.com
Couldn't read packet: Connection reset by peer
Step 10

Check that the server only offers the algorithms that were selected in the configuration tab:

$ sftp -vv -c chacha20-poly1305@openssh.com -P 4100 stonebranch-01@0.0.0.0 2>&1 |grep -A 6 'peer server KEXINIT proposal'
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-gcm@openssh.com
debug2: ciphers stoc: aes128-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com