Security Level Configuration
There are three security levels: PARANOID, STRONG, and WEAK. Our system defaults to STRONG.
The security level is configured with the sftp.security-level property set to one of the three options.
Server level authentication
Prior to user authentication, the SSH and SFTP protocols first go through a server validation process. This is to prove the server's identity, prior to submitting your username and password.
Server validation uses key-based authentication. But this authentication happens in the reverse direction -- the server must prove its identity (using the server's private key) against the public key cached on the SFTP client machine.
The server authentication process uses different key exchange algorithms. Some SFTP clients might not support the latest algorithms. So, you can downgrade SFTP Gateway's security baseline from STRONG to WEAK to help with compatibility.
The following sections show which algorithms are available for Key Exchange, HMAC, and Encryption.
HMAC Support
HMAC implementation is provided by Bouncy Castle. The following is a list of HMAC algorithms supported by SFTP Gateway. Each level also allows every algorithm of the stricter levels: the STRONG security level supports the PARANOID algorithms as well, and the WEAK security level supports both the STRONG and the PARANOID algorithms.
The following is a list of supported HMAC algorithms from the PARANOID security level down to the WEAK security level:
hmac-sha2-512
hmac-sha2-512-96
hmac-sha2-512-etm@openssh.com
-- PARANOID SUPPORTS ABOVE --
hmac-sha2-256
hmac-sha2-256-96
hmac-sha256@ssh.com
hmac-sha2-256-etm@openssh.com
-- STRONG SUPPORTS ABOVE --
hmac-sha1-etm@openssh.com
hmac-sha1-96
hmac-sha1
-- WEAK SUPPORTS ABOVE --
Key Exchange Support
The following is a list of supported Key Exchange algorithms from the PARANOID security level down to the WEAK security level:
diffie-hellman-group18-sha512
diffie-hellman-group17-sha512
diffie-hellman-group16-sha512
diffie-hellman-group15-sha512
curve25519-sha256@libssh.org
curve25519-sha256
-- PARANOID SUPPORTS ABOVE --
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
rsa2048-sha256
-- STRONG SUPPORTS ABOVE --
diffie-hellman-group14-sha1
-- WEAK SUPPORTS ABOVE --
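To see how the tiers above decide whether an older client can still connect, here is an added example (not part of SFTP Gateway's own code) that models the cumulative Key Exchange tiers from this page, reads sftp.security-level from application.properties text, and applies the SSH negotiation rule (the first algorithm in the client's list that the server also offers wins). The client algorithm lists used in it are constructed for illustration.

```python
import re

# Security levels from strictest to most permissive.
LEVELS = ["PARANOID", "STRONG", "WEAK"]

# Tier at which each Key Exchange algorithm first becomes available,
# taken from the list on this page. A level also allows every stricter tier.
KEX_TIER = {
    "diffie-hellman-group18-sha512": "PARANOID",
    "diffie-hellman-group17-sha512": "PARANOID",
    "diffie-hellman-group16-sha512": "PARANOID",
    "diffie-hellman-group15-sha512": "PARANOID",
    "curve25519-sha256@libssh.org": "PARANOID",
    "curve25519-sha256": "PARANOID",
    "diffie-hellman-group-exchange-sha256": "STRONG",
    "diffie-hellman-group14-sha256": "STRONG",
    "ecdh-sha2-nistp256": "STRONG",
    "ecdh-sha2-nistp384": "STRONG",
    "ecdh-sha2-nistp521": "STRONG",
    "rsa2048-sha256": "STRONG",
    "diffie-hellman-group14-sha1": "WEAK",
}

def parse_security_level(properties_text):
    """Return sftp.security-level from application.properties text (default STRONG)."""
    for line in properties_text.splitlines():
        m = re.match(r"\s*sftp\.security-level\s*=\s*(\w+)\s*$", line)
        if m:
            level = m.group(1).upper()
            if level not in LEVELS:
                raise ValueError("unknown security level: " + level)
            return level
    return "STRONG"

def server_kex(level):
    """KEX algorithms the server offers at this level (its tier and all stricter tiers)."""
    rank = LEVELS.index(level)
    return [alg for alg, tier in KEX_TIER.items() if LEVELS.index(tier) <= rank]

def negotiate_kex(level, client_kex):
    """SSH picks the first client-preferred algorithm the server also offers; None if no overlap."""
    offered = set(server_kex(level))
    return next((alg for alg in client_kex if alg in offered), None)

def minimum_level_for(client_kex):
    """Strictest level at which this client can still complete key exchange, or None."""
    for level in LEVELS:
        if negotiate_kex(level, client_kex) is not None:
            return level
    return None
```

Running minimum_level_for on a client's advertised KEX list tells you whether a downgrade to WEAK is actually required or whether STRONG already suffices.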
Host Key Support
Host keys, whether they are generated or provided, must meet at least the configured security level, else they will not be included.
Here is a list of Public Key algorithms from the PARANOID security level down to the WEAK security level:
ssh-ed25519
-- PARANOID SUPPORTS ABOVE --
rsa-sha2-256
rsa-sha2-512
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
-- STRONG SUPPORTS ABOVE --
ssh-rsa
-- WEAK SUPPORTS ABOVE --
The following host keys are generated in the working directory; the private key has no extension, while the public key has .pub:
- ssh_host_ecdsa_256
- ssh_host_ecdsa_256.pub
- ssh_host_ecdsa_384
- ssh_host_ecdsa_384.pub
- ssh_host_ecdsa_521
- ssh_host_ecdsa_521.pub
- ssh_host_ed25519
- ssh_host_rsa
- ssh_host_rsa.pub
If you'd like to use your own host keys, replace the private and public key of the appropriate algorithm with the same names as the generated keys. The key file should be formatted with the SECSH format similar to the following example:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "This is a comment"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9mPcvyCnWpuvN7u4cjwUkBbTqgYm5kR92XNbo7/ElAJY+
7HwoTtiUsQ6Q2Ma6hUg29LlDifpX5Ujwwm5PRK+7dXWL5bbznNGxJXY5P1E/5cr/+cJueaqZuA90
2x6oFweQZPK4en+nJyXFwYY/Pbf86F3EJFD3lh9RWSN7r2RbRw==
---- END SSH2 PUBLIC KEY ----
Encryption Cipher Support
The following is a list of supported Encryption cipher algorithms from the PARANOID security level down to the WEAK security level:
aes256-gcm@openssh.com
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com
-- PARANOID SUPPORTS ABOVE --
aes256-ctr
aes192-ctr
aes128-ctr
-- STRONG SUPPORTS ABOVE --
3des-ctr
-- WEAK SUPPORTS ABOVE --
Setting the security level
To change the security level, edit the file:
/opt/sftpgw/application.properties
And set the security-level property, using the following syntax (pick one):
sftp.security-level=PARANOID
sftp.security-level=STRONG
sftp.security-level=WEAK
To apply your change, restart the Java service:
sudo su
service sftpgw-admin-api restart