SFTP Gateway Support

3.0

Kex Algorithms

Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.

SSH Server: Key Exchange Algorithms

Most of the SSH configuration is in the file:

/etc/ssh/sshd_config

The sshd_config file has a property named KexAlgorithms.

See: https://www.ssh.com/ssh/sshd_config/

We don't set any KexAlgorithms in SFTP Gateway, so the server is just using the default, whatever that is.

To get the default KexAlgorithms, you would have to SSH into the EC2 instance and run the command:

ssh -G localhost

You will see the following output:

kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Here's a useful article on the topic: https://stackoverflow.com/questions/32686530/whats-openssh-default-kexalgorithms

To address the vulnerabilities, edit your sshd_config file, and add a line for KexAlgorithms:

KexAlgorithms <your list of secure kex algorithms>

Note: Any time you want to make a change to sshd_config, first make a backup of that file. Also, you have to restart the sshd service to apply any changes. And it's a good idea to open up another SSH session to make sure you can still log in (if you can't, use your existing session to roll back the changes).

Ciphers

OpenSSH comes with a default list of ciphers:
https://www.ssh.com/ssh/sshd_config/

For example, if you run this command:

sshd -T | grep ciphers

You will see:

ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc

The cbc ciphers are insecure, so you can filter the list with this command:

sshd -T | grep ciphers | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g"

You should see this output:

ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,

Note: remember to remove the trailing comma.

See: https://unix.stackexchange.com/questions/333728/ssh-how-to-disable-weak-ciphers

Edit /etc/ssh/sshd_config, and add the following entry:

Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

Note: Any time you want to make a change to sshd_config, first make a backup of that file. Also, you have to restart the sshd service to apply any changes. And it's a good idea to open up another SSH session to make sure you can still log in (if you can't, use your existing session to roll back the changes).

Example syntax

Here is some example syntax that you can add to your /etc/ssh/sshd_config file:

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

Using these settings will override the defaults, which contain legacy and insecure algorithms.

Set uploads folder as the defaultEnabling FTPS using vsftp