SFTP Gateway Support

3.0

Migrating Host Keys From v2 to v3

Overview

When migrating between versions of SFTP Gateway, you might consider a cut-over where SFTP users continue to connect to the same DNS hostname.

When doing so, you need to make sure the server host keys on the new server match the old. Otherwise, SFTP users will encounter a security warning stating the server host keys have changed.

Newer versions of SFTP Gateway v3 include the server host keys in the backup and restore process. When migrating from SFTP Gateway v2 to v3, the Python backup script also exports the server host keys.

But in some production environments, it is critical that the server host keys on v3 match those on v2. This article covers the manual process of making sure the server host keys on v2 make it to v3.

Back up the server host keys on v2

For v2, the server host keys are in this location:

/etc/ssh/

To back up your keys, run these commands:

sudo su
cd /etc/ssh/
mkdir backup-keys
cp -a ssh_host* backup-keys/
tar czvpf backup-keys.tar.gz backup-keys

These commands do the following:

  • Creates a folder called backup-keys/
  • Copies all the public and private keys into this folder
  • Bundles this folder into a single file

You should end up with a file:

/etc/ssh/backup-keys.tar.gz

Move this to your home directory:

mv backup-keys.tar.gz /home/ec2-user/

Then, you can use your SFTP client to pull the backup-keys.tar.gz file off the 2.0 server, and onto your workstation.

Move the server host keys to v3

On the 3.0 server, use an SFTP client to upload the backup-keys.tar.gz file to your home directory:

/home/ec2-user/backup-keys.tar.gz

SSH into the server, and elevate your permissions with this command:

sudo su

Then run these commands:

mv backup-keys.tar.gz /opt/sftpgw/
cd /opt/sftpgw/
mkdir backup-v3
cp -a ssh_host* backup-v3/
tar xzvpf backup-keys.tar.gz
cp -a backup-keys/* .

There's a lot happening, so here's what's going on:

  • The server host keys on v3 are located in /opt/sftpgw/
  • First back up the original v3 keys
  • Then, extract the v2 keys

Rename the v2 server host keys

The v2 key names have a suffix of _key, which you will need to change for v3.

mv ssh_host_ed25519_key ssh_host_ed25519
mv ssh_host_ed25519_key.pub ssh_host_ed25519.pub
mv ssh_host_rsa_key ssh_host_rsa
mv ssh_host_rsa_key.pub ssh_host_rsa.pub

The ecdsa key on v3 expects the size as part of the key name, so you need to rename the v2 key appropriately:

mv ssh_host_ecdsa_key ssh_host_ecdsa_256
mv ssh_host_ecdsa_key.pub ssh_host_ecdsa_256.pub

Finally, change the ownership of the server host keys so that they are owned by the sftpgw Linux user. This is important for the next section.

chown sftpgw:sftpgw ssh_host_ecdsa_256
chown sftpgw:sftpgw ssh_host_ecdsa_256.pub
chown sftpgw:sftpgw ssh_host_ed25519
chown sftpgw:sftpgw ssh_host_ed25519.pub
chown sftpgw:sftpgw ssh_host_rsa
chown sftpgw:sftpgw ssh_host_rsa.pub

Get the v2 server host keys into the database

The v3 server automatically generates its own set of server host keys. Although you can see these files in /opt/sftpgw/, the source of truth is stored in the database.

In this section, you are going to run a script to clear out the default server host keys generated by v3.

Create a bash script file:

cd /opt/sftpgw/
touch clear-v3-server-host-keys.sh
chmod +x clear-v3-server-host-keys.sh

Then use nano or vim and add the following code:

#!/bin/bash

sudo chsh -s /bin/bash postgres

sudo -i -u postgres psql -d sftpgw -c "BEGIN; \
DELETE \
FROM properties \
WHERE key <> 'bannerText'; \
END;"

sudo chsh -s /bin/bash postgres

Finally, run the bash script:

./clear-v3-server-host-keys.sh

You should see the output COMMIT after the script has successfully cleared out the v3 server host keys.

Finally, restart Java:

service sftpgw-admin-api restart

When Java restarts, SFTP Gateway will realize that there are no server host keys in the database. So it will incorporate the server host key files in /opt/sftpgw/, and import these into the database.

PreviousNext