In this tutorial, you will:
- Allow SFTP servers and partners to be configured with legacy SFTP cipher algorithms.
- Configure an SFTP partner to explicitly enable the use of a legacy cipher algorithm.
Step 1: Edit the UDMG Server configuration file and, in the [sftp] section, set the AllowLegacyCiphers parameter to true:

```
[sftp]
AllowLegacyCiphers = true
```

Step 2: Restart the UDMG Server service. The legacy ciphers are now globally allowed, but none is used until a server or partner configuration explicitly selects one.

Step 3: Log in to the UDMG Admin UI and navigate to Remote Partners Service via the navigation pane.

Step 4: Select the partner rebex from Tutorial - Creating an SFTP Partner.

Step 5: With a dedicated scanning tool, or with the verbose mode of your console SFTP client, check which cipher algorithms the remote partner supports. For example, with the Linux OpenSSH client (OpenSSH_7.4p1), forcing aes128-cbc on the client side and keeping only the server's KEXINIT proposal (the -c option only changes what the client offers; the server's proposal is what the grep extracts):

```
$ sftp -vv -c aes128-cbc -o NumberOfPasswordPrompts=0 dummY@test.rebex.net 2>&1 | grep -A 6 'server KEXINIT proposal' | grep -v stoc
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-s
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,ssh-rsa-sha256@ssh.com,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,twofish256-ctr,twofish192-ctr,twofish128-ctr
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96
```

This shows that several algorithms are supported in each category and, in particular, that the server still accepts the legacy cipher aes128-cbc, listed after the GCM and CTR modes it prefers. CBC-mode ciphers such as aes128-cbc have been disabled by default in OpenSSH since version 6.7 because of a plaintext-recovery attack against SSH's CBC mode (CVE-2008-5161); enable one only for a partner that supports nothing stronger.

Step 6: From Remote Partner Details, select the Partner tab. The gray dot on the tab shows that the configuration is still the default: no algorithm list is set for this partner, so all available algorithms are enabled and proposed during the negotiation. In the list of cipher algorithms, select aes128-cbc so that it becomes the cipher proposed to this partner.

Step 7: Click the Save icon.

Step 8: The partner configuration is updated. The green dot on the tab shows that the configuration is customized.

Step 9: Perform a file download, for instance with the command line client:

```
$ udmg-client transfer add -f readme.txt -w receive -p rebex -l demo -r rebex_receive_example
The transfer of file readme.txt was successfully added with ID 187.
$ udmg-client transfer get 187
● Transfer 187 (receive as client) [DONE]
    Remote ID: 1631341630940250112
    Protocol: sftp
    Rule: rebex_receive_example
    Requester: demo
    Requested: rebex
    Local filepath: /data/in/readme.txt
    Remote filepath: /readme.txt
    File size: 405
    Start date: 2023-03-02 17:12:08.335589 +0000 UTC
    End date: 2023-03-02 17:12:15.336517 +0000 UTC
    Bytes transferred: 405
    Transfer values:
    - udmg_sftp_client_version: SSH-2.0-Go
    - udmg_sftp_config_ciphers: [aes128-cbc]
    - udmg_sftp_config_kex: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1]
    - udmg_sftp_config_mac: [hmac-sha1 hmac-sha1-96 hmac-sha2-256]
    - udmg_sftp_failed_auth_methods: [none]
    - udmg_sftp_hostkey_algo: ssh-rsa
    - udmg_sftp_kex_algo: curve25519-sha256@libssh.org
    - udmg_sftp_read_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
    - udmg_sftp_server_version: SSH-2.0-RebexSSH_5.0.8208.0
    - udmg_sftp_sucessful_auth_methods: password
    - udmg_sftp_write_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
    - udmg_xfer_log: /config/logs/187.log
$ waarp-gateway transfer get 187 | grep cipher
    - udmg_sftp_config_ciphers: [aes128-cbc]
    - udmg_sftp_read_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
    - udmg_sftp_write_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
```

After completion, the transfer metadata returned by the get command shows which cipher algorithms were configured on the client side (udmg_sftp_config_ciphers) and which algorithms were actually negotiated with the server (udmg_sftp_read_algos and udmg_sftp_write_algos). Here the negotiated cipher in both directions is aes128-cbc, which confirms that the legacy cipher was used. The same information is displayed in the Transfers Dashboard.
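The two checks of Step 5 and Step 9 can be automated: parse the server's KEXINIT proposal from the sftp -vv output, flag the legacy entries in each category, then parse the "Transfer values" of udmg-client transfer get and compare the configured cipher list with what was negotiated. The following script is an added example and not code from the UDMG project; the two input samples are constructed from the output shown above, and the legacy classification (CBC ciphers, SHA-1 key exchange, SHA-1/MD5 MACs, ssh-rsa and ssh-dss host-key signatures) is this example's own choice rather than a list from UDMG.

```python
import re

# Constructed sample: the server-side KEXINIT lines of Step 5, as left by
# `sftp -vv ... | grep -A 6 'server KEXINIT proposal' | grep -v stoc`.
SFTP_DEBUG = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-s
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,ssh-rsa-sha256@ssh.com,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,twofish256-ctr,twofish192-ctr,twofish128-ctr
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96
"""

# Constructed sample: the "Transfer values" part of `udmg-client transfer get 187`.
TRANSFER_GET = """\
    Transfer values:
    - udmg_sftp_client_version: SSH-2.0-Go
    - udmg_sftp_config_ciphers: [aes128-cbc]
    - udmg_sftp_config_kex: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 diffie-hellman-group1-sha1]
    - udmg_sftp_hostkey_algo: ssh-rsa
    - udmg_sftp_kex_algo: curve25519-sha256@libssh.org
    - udmg_sftp_read_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
    - udmg_sftp_server_version: SSH-2.0-RebexSSH_5.0.8208.0
    - udmg_sftp_write_algos: map[cipher:aes128-cbc compression:none mac:hmac-sha1]
"""

# Label used in OpenSSH's debug2 output -> category name used in this script.
_CATEGORIES = {
    "KEX algorithms": "kex",
    "host key algorithms": "hostkey",
    "ciphers ctos": "cipher",
    "MACs ctos": "mac",
}


def is_legacy(category, algo):
    """Classification used by this example for algorithms a hardened deployment avoids."""
    if category == "cipher":
        # CBC modes are exposed to the SSH plaintext-recovery attack
        # (CVE-2008-5161); OpenSSH stopped offering them by default in 6.7.
        return algo.endswith("-cbc") or algo.startswith("arcfour")
    if category == "kex":
        # SHA-1 based key exchange; group1 additionally uses a 1024-bit modulus.
        return algo.endswith("-sha1")
    if category == "mac":
        return algo.startswith(("hmac-sha1", "hmac-md5"))
    if category == "hostkey":
        # ssh-rsa is RSA with SHA-1 signatures; ssh-dss is 1024-bit DSA.
        return algo in ("ssh-rsa", "ssh-dss")
    return False


def parse_server_proposal(debug_output):
    """Return {category: [algorithms...]} from the server's KEXINIT lines."""
    proposal, in_server = {}, False
    for line in debug_output.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_server = True  # everything before this is the client's own proposal
            continue
        m = re.match(r"debug2: ([^:]+): (\S+)", line)
        if in_server and m and m.group(1) in _CATEGORIES:
            proposal[_CATEGORIES[m.group(1)]] = m.group(2).split(",")
    return proposal


def legacy_algorithms(proposal):
    """Subset of the proposal that counts as legacy, per category (order preserved)."""
    return {cat: [a for a in algos if is_legacy(cat, a)] for cat, algos in proposal.items()}


def parse_transfer_values(get_output):
    """Return {key: value} for the '- key: value' lines of `transfer get`."""
    values = {}
    for line in get_output.splitlines():
        m = re.match(r"\s*- (\w+): (.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def _split_list(value):
    return value.strip("[]").split()  # "[a b]" -> ["a", "b"]


def _split_map(value):
    inner = value[len("map["):-1] if value.startswith("map[") else value
    return dict(item.split(":", 1) for item in inner.split())  # "k:v k2:v2" -> dict


def check_transfer(get_output):
    """Compare what UDMG was configured to offer with what was actually negotiated."""
    v = parse_transfer_values(get_output)
    read, write = _split_map(v["udmg_sftp_read_algos"]), _split_map(v["udmg_sftp_write_algos"])
    return {
        "configured_ciphers": _split_list(v["udmg_sftp_config_ciphers"]),
        "read": read,
        "write": write,
        "negotiated_legacy": {
            "cipher": is_legacy("cipher", read["cipher"]) or is_legacy("cipher", write["cipher"]),
            "mac": is_legacy("mac", read["mac"]) or is_legacy("mac", write["mac"]),
            "kex": is_legacy("kex", v["udmg_sftp_kex_algo"]),
            "hostkey": is_legacy("hostkey", v["udmg_sftp_hostkey_algo"]),
        },
    }


if __name__ == "__main__":
    for cat, algos in legacy_algorithms(parse_server_proposal(SFTP_DEBUG)).items():
        print(f"server offers legacy {cat}: {algos}")
    result = check_transfer(TRANSFER_GET)
    print("transfer negotiated:", result["read"], "legacy:", result["negotiated_legacy"])
```

Run against the tutorial's values, the transfer check reports the expected legacy cipher, but it also flags hmac-sha1 and the ssh-rsa host-key signature: both come from the default MAC and host-key lists visible in the metadata (udmg_sftp_config_mac lists hmac-sha1 first), not from the cipher setting, so a review of a partner's negotiated algorithms should look at all four categories rather than only at udmg_sftp_config_ciphers.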