Security Level Configuration
There are three security levels: PARANOID, STRONG, and WEAK. Our system defaults to STRONG.
The security level is configured with the sftp.security-level
property set to one of the
three options.
The next sections will show which algorithms are available for Key Exchange, HMAC, and Encryption.
HMAC Support
HMAC implementation is provided by Bouncy Castle. The following is a list of HMAC algorithms supported by SFTP Gateway. The STRONG security level supports the PARANOID algorithms, and the WEAK security level supports both STRONG and PARANOID algorithms.
The following is a list of supported HMAC algorithms from the PARANOID security level down to the WEAK security level:
hmac-sha2-512
hmac-sha2-512-96
hmac-sha2-512-etm@openssh.com
-- PARANOID SUPPORTS ABOVE --
hmac-sha2-256
hmac-sha2-256-96
hmac-sha256@ssh.com
hmac-sha2-256-etm@openssh.com
-- STRONG SUPPORTS ABOVE --
hmac-sha1-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96
hmac-sha1
-- WEAK SUPPORTS ABOVE --
Key Exchange Support
The following is a list of supported Key Exchange algorithms from the PARANOID security level down to the WEAK security level:
diffie-hellman-group18-sha512
diffie-hellman-group17-sha512
diffie-hellman-group16-sha512
diffie-hellman-group15-sha512
curve25519-sha256@libssh.org
curve25519-sha256
-- PARANOID SUPPORTS ABOVE --
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
rsa2048-sha256
-- STRONG SUPPORTS ABOVE --
diffie-hellman-group14-sha1
-- WEAK SUPPORTS ABOVE --
Host Key Support
Host keys, whether they are generated or provided, must meet at least the configured security level, else they will not be included.
Here is a list of Public Key algorithms from the PARANOID security level down to the WEAK security level:
ssh-ed25519
-- PARANOID SUPPORTS ABOVE --
rsa-sha2-256
rsa-sha2-512
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
-- STRONG SUPPORTS ABOVE --
ssh-rsa
-- WEAK SUPPORTS ABOVE --
The following host keys are generated in the working directory, the
private key has no extension, while the public key has .pub
:
- ssh_host_ecdsa_256
- ssh_host_ecdsa_256.pub
- ssh_host_ecdsa_384
- ssh_host_ecdsa_384.pub
- ssh_host_ecdsa_521
- ssh_host_ecdsa_521.pub
- ssh_host_ed25519
- ssh_host_rsa
- ssh_host_rsa.pub
If you'd like to use your own host keys, replace the private and public key of the appropriate algorithm with the same names as the generated keys. The key file should be formatted with the SECSH format similar to the following example:
* ---- BEGIN SSH2 PUBLIC KEY ----
* Comment: "This is a comment"
* AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9mPcvyCnWpuvN7u4cjwUkBbTqgYm5kR92XNbo7/ElAJY+
* 7HwoTtiUsQ6Q2Ma6hUg29LlDifpX5Ujwwm5PRK+7dXWL5bbznNGxJXY5P1E/5cr/+cJueaqZuA90
* 2x6oFweQZPK4en+nJyXFwYY/Pbf86F3EJFD3lh9RWSN7r2RbRw==
* ---- END SSH2 PUBLIC KEY ----
Encryption Cipher Support
The following is a list of supported Encryption cipher algorithms from the PARANOID security level down to the WEAK security level:
aes256-gcm@openssh.com
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com
-- PARANOID SUPPORTS ABOVE --
aes256-ctr
aes192-ctr
aes128-ctr
aes256-ctr
aes192-ctr
aes128-ctr
-- STRONG SUPPORTS ABOVE --
3des-ctr
-- WEAK SUPPORTS ABOVE --
Setting the security level
To change the security level, edit the file:
/opt/sftpgw/application.properties
And set the security-level property, using the following syntax (pick one):
sftp.security-level=PARANOID
sftp.security-level=STRONG
sftp.security-level=WEAK
To apply your change, restart the Java service:
sudo su
service sftpgw-admin-api restart