Security Level Configuration
There are three security levels: PARANOID, STRONG, and WEAK. Our system defaults to STRONG.
The security level is configured with the
sftp.security-level property set to one of the
Server level authentication
Prior to user authentication, the SSH and SFTP protocols first go through a server validation process. This is to prove the server's identity, prior to submitting your username and password.
Server validation uses key-based authentication. But this authentication happens in the reverse direction -- the server must prove its identity (using the server's private key) against the public key cached on the SFTP client machine.
The server authentication process uses different key exchange algorithms. Some SFTP clients might not support the latest algorithms. So, you can downgrade SFTP Gateway's security baseline from STRONG to WEAK to help with compatibility.
The following sections show which algorithms are available for Key Exchange, HMAC, and Encryption.
HMAC implementation is provided by Bouncy Castle. The following is a list of HMAC algorithms supported by SFTP Gateway. The STRONG security level supports the PARANOID algorithms, and the WEAK security level supports both STRONG and PARANOID algorithms.
The following is a list of supported HMAC algorithms from the PARANOID security level down to the WEAK security level:
hmac-sha2-512 hmac-sha2-512-96 firstname.lastname@example.org -- PARANOID SUPPORTS ABOVE -- hmac-sha2-256 hmac-sha2-256-96 email@example.com firstname.lastname@example.org -- STRONG SUPPORTS ABOVE -- email@example.com firstname.lastname@example.org hmac-sha1-96 hmac-sha1 -- WEAK SUPPORTS ABOVE --
Key Exchange Support
The following is a list of supported Key Exchange algorithms from the PARANOID security level down to the WEAK security level:
diffie-hellman-group18-sha512 diffie-hellman-group17-sha512 diffie-hellman-group16-sha512 diffie-hellman-group15-sha512 email@example.com curve25519-sha256 -- PARANOID SUPPORTS ABOVE -- diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 rsa2048-sha256 -- STRONG SUPPORTS ABOVE -- diffie-hellman-group14-sha1 -- WEAK SUPPORTS ABOVE --
Host Key Support
Host keys, whether they are generated or provided, must meet at least the configured security level, else they will not be included.
Here is a list of Public Key algorithms from the PARANOID security level down to the WEAK security level:
ssh-ed25519 -- PARANOID SUPPORTS ABOVE -- rsa-sha2-256 rsa-sha2-512 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 -- STRONG SUPPORTS ABOVE -- ssh-rsa -- WEAK SUPPORTS ABOVE --
The following host keys are generated in the working directory, the
private key has no extension, while the public key has
If you'd like to use your own host keys, replace the private and public key of the appropriate algorithm with the same names as the generated keys. The key file should be formatted with the SECSH format similar to the following example:
* ---- BEGIN SSH2 PUBLIC KEY ---- * Comment: "This is a comment" * AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9mPcvyCnWpuvN7u4cjwUkBbTqgYm5kR92XNbo7/ElAJY+ * 7HwoTtiUsQ6Q2Ma6hUg29LlDifpX5Ujwwm5PRK+7dXWL5bbznNGxJXY5P1E/5cr/+cJueaqZuA90 * 2x6oFweQZPK4en+nJyXFwYY/Pbf86F3EJFD3lh9RWSN7r2RbRw== * ---- END SSH2 PUBLIC KEY ----
Encryption Cipher Support
The following is a list of supported Encryption cipher algorithms from the PARANOID security level down to the WEAK security level:
firstname.lastname@example.org email@example.com firstname.lastname@example.org -- PARANOID SUPPORTS ABOVE -- aes256-ctr aes192-ctr aes128-ctr aes256-ctr aes192-ctr aes128-ctr -- STRONG SUPPORTS ABOVE -- 3des-ctr -- WEAK SUPPORTS ABOVE --
Setting the security level
To change the security level, edit the file:
And set the security-level property, using the following syntax (pick one):
sftp.security-level=PARANOID sftp.security-level=STRONG sftp.security-level=WEAK
To apply your change, restart the Java service:
sudo su service sftpgw-admin-api restart