SFTPPlus Documentation

Start Page 4. Configuration Instructions 4.14. SSH (SFTP and SCP) Service

4.14. SSH (SFTP and SCP) Service

4.14.1. Introduction

This page describes the configuration options available for the SSH service, using SFTP and SCP file transfer protocols.

Both the SFTP and the SCP protocols make use of the SSH protocol for low-level encryption of transferred data. Due to this, SFTPPlus uses a generic SSH service that provides support for both sftp and scp services. SFTP and SCP can be independently enabled.

Multiple SSH services can share the same set of RSA and DSA host keys.

4.14.2. Configuration Options

Below are the configuration options available for the SFTP and SCP protocols.

4.14.3. Configuring SSH key-based authentication on the server

An account can have both password and SSH keys authentication methods enabled at the same time. At connection time, the SSH server and client will perform a negotiation step and the server will use only one method for authenticating the session.

Password authentication can be disabled for an account, in which case the server will force the client to use SSH keys for authentication.

An account is configured with one or many public SSH keys (a list). When the same account is used to connect from multiple machines, you will want to generate one pair of SSH keys for each machine, so that a private key never leaves the machine on which it is used.

For each account, there is an associated local file. It contains the public SSH keys, in OpenSSH public key format, accepted during the authentication.

To add a public key, you will have to copy the content of the public key from the file usually named KEY_NAME.pub and paste it on a new line into the file containing the list of allowed SSH keys.

Note

There is no restriction to having an 1:1 relation between an account and the list of public SSH keys. The same list (i.e. same local file) can be associated with multiple accounts.

There are two main approaches for configuring SSH keys for an account:

  1. Only the server’s administrators can manage the list of allowed SSH keys. In this case the file containing allowed SSH keys is stored somewhere outside the account’s home folder.
  2. Allow an account to have access to its own list of allowed SSH keys. Server administrators can still manage the list. The file with the list of allowed public SSH keys is stored inside the account’s home folder. This is similar to OpenSSH configuration, where the list is stored in .ssh/authorized_keys file.

4.14.4. Local Manager GUI configuration

Configuring the list of authorized SSH keys for an Account:

Create a local file where public SSH keys associated with this account are stored. In our example, the file is located at c:\\Users\\sftp_access\\John_keys


Go to the account’s configuration page and enter the path in the Allowed SSH Keys Path field.

../_images/Accounts-Allowed-SSH-Keys.png

For the above configuration, the account’s home folder is in c:\\Users\\John and it has no access to manage its own SSH keys.


Configuring the list of authorized SSH keys for a Group:

Note that the path must contain the ${USER} value as a placeholder linking to the username.

../_images/Groups-Allowed-SSH-Keys.png

In the example above, the file path included ${USER}. The text file equivalent:

[groups/bdfe8e48-5100-4d8a-bac1-441ebc04f9a7]
name = Support_Group
ssh_authorized_keys_path = /home/${USER}/.ssh/authorized_keys

In the above examples, the server will read the authorized SSH keys file located at /path_to/john/authorized_keys for a ${USER} called john.

If the path does not include the ${USER} value, it is appended at the end.

Therefore, a file path of /authorized_keys is read as /path_to/authorized_keys/john for a ${USER} called john.

Warning

Make sure that the file path is set correctly, otherwise the server will fail to read the authorized SSH keys file and issue a No such file or directory error.

4.14.5. Text file configuration

The ssh_authorized_keys_path option from the configuration file specifies the path to the file containing the list of allowed SSH RSA/DSA public keys for each user.

In text file configuration, the path can contain the ${USER} value:

[groups/DEFAULT_GROUP]
ssh_authorized_keys_path = /home/${USER}/.ssh/authorized_keys

When john is authenticated, the server will seek out the authorized SSH keys file /home/john/.ssh/authorized_keys/.

To disable SSH key-based authentication, set this value to Disabled, as in the example below:

[groups/DEFAULT_GROUP]
ssh_authorized_keys_path = Disabled

4.14.6. Configuration options

4.14.6.1. sftp

Default value:

Yes

Optional:

Yes

Values:
  • No - To disable SFTP support.
  • Yes - To enable SFTP support.
From version:

2.5.0

To version:

None

Description:

Enable/Disable support for the SFTP protocol.

4.14.6.2. scp

Default value:

No

Optional:

Yes

Values:
  • No - To disable SCP support.
  • Yes - To enable SCP support.
From version:

2.5.0

To version:

None

Description:

Enable/Disable support for the SCP protocol.

4.14.6.3. rsa_private_key

Default value:

configuration/sftp-service-rsa-private.key

Optional:

Yes

Values:
  • Absolute path to local filesystem.
  • Text version of the SSH key (Since 3.40.0).
  • Empty.
From version:

1.6.0

To version:

None

Description:

Path to file containing private RSA key file used by the service.

Leave it empty to disable RSA host keys.

You can also define the content of the SSH key directly as a text value. In this case the configuration will look like the following example. It’s important to start each line with at least one space character and keep the number of leading spaces constant:

[server/b904e6h6-c295-4ccf-8abd-edcae4d3324f]
name = SFTP Internal Server
type = sftp
rsa_private_key = -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,ACD9A45C68DD1924FF2A1A54BE2A7BF4

    RAHH7yMbPk/vrhT5jkSDGIUdH+nG0OQpeSWcQXd4JJ6pqdJh/cw/havtxlHFp1yz
    ...
    MORE SSH KEY CONTENT
    ...
    Pkf+23OGZln2dLz/pkJkiRRzmsWgT2hUv/EK4NYRQq1kEAXLf3J6xZqLlR3ZBLJm
    -----END RSA PRIVATE KEY-----

We recommend to store the key in PEM OpenSSH format, but Putty or Tectia formats are also supported.

When the configured key is encrypted, the value configured in rsa_private_key_password is used to decrypt the key.

4.14.6.4. rsa_private_key_password

Default value:

Disabled

Optional:

Yes

Values:
  • Password for the RSA private key as text.
From version:

1.7.19

To version:

None

Description:

The password is used for decrypting the stored RSA private key, in the case that it is stored encrypted on disk.

4.14.6.5. dsa_private_key

Default value:

configuration/sftp-service-dsa-private.key

Optional:

Yes

Values:
  • Absolute path on local filesystem.
  • Text version of the SSH key (Since 3.40.0).
  • Empty
From version:

1.6.0

To version:

None

Description:

Path to file containing the private DSA key used by the service.

Leave it empty to disable DSA/DSS host keys.

You can also define the content of the SSH key directly as a text value. In this case the configuration will look like the following example. It’s important to start each line with at least one space character and keep the number of leading spaces constant:

[server/b904e6h6-c295-4ccf-8abd-edcae4d3324f]
name = SFTP Internal Server
type = sftp
dsa_private_key = -----BEGIN DSA PRIVATE KEY-----
    MIIBugIBAAKBgQDOwkKGnmVZ9bRl7ZCn/wSELV0n5ELsqVZFOtBpHleEOitsvjEB
    ...
    MORE SSH KEY CONTENT
    ...
    oTedYsAyi80L8phYBN4=
    -----END DSA PRIVATE KEY-----

We recommend to store the key in PEM OpenSSH format, but Putty or Tectia formats are also supported.

When the configured key is encrypted, the value configured in dsa_private_key_password is used to decrypt the key.

4.14.6.6. dsa_private_key_password

Default value:

Disabled

Optional:

Yes

Values:
  • Password for the DSA private key as text.
From version:

1.7.19

To version:

None

Description:

The password is used for decrypting the stored DSA private key, in the case that it is stored encrypted on disk.

4.14.6.7. primes

Default value:

‘’

Optional:

Yes

Values:
  • Path to a file with pre-computed prime numbers.
  • Leave empty if you do not want to use the pre-computed primes database file.
From version:

1.6.0

Description:

The prime numbers database is used by the Diffie Hellman Group Exchange SHA1 protocol.

The prime numbers database is stored in a file using the OpenSSH format.

The server provides a default prime numbers database file.

4.14.6.8. dh_prime_size

Default value:

1024, ideal

Optional:

Yes

Values:
  • Pair of comma-separated values: absolute minimum, preferred size.
From version:

3.46.0 This option controls the size of the prime number used during the Diffie-Hellman group exchange.

This is a single pair of comma-separated values.

The first value defines the absolute minimum size. The authentication will fail if the maximum remote peer is smaller than the minimum size.

The following sizes are supported: * 1024 * 1536 * 2048 * 3072 * 4096 * 6144 * 8192

The second value defines the negotiated size used based on sizes announced by the client. The available are: * minimum - Use the minimum value supported by the client and server. * ideal - Use the ideal value advertised by the client. * maximum - Use the maximum value supported by the client.

As an example, when this is configured as dh_prime_size = 2048, ideal and the client is advertising a minimum of 1024, an ideal value of 2048 and a maximum of 4086, the used value is 2048.

4.14.6.10. ignore_create_permissions

Default value:

No

Optional:

Yes

Values:
  • No - To apply requested file permissions at file creation.
  • Yes - To ignore SFTP client’s file permissions at file creation.
From version:

1.7.13

To version:

None

Description:

Some SFTP clients, like the OpenSSH SFTP client, will always preserve file and folder permissions even if -p option is not used in the client.

To work around this problem, the server can be configured to ignore the client request to set the permissions when creating a file or folder.

When permissions are ignored, the default file mode (666) is applied.

Before setting the permission, the configured umask value is first masked against the permissions.

Note

In the case in which you want to mirror the local permissions, use the SFTP client’s dedicated command for setting the permissions.

4.14.6.11. ssh_cipher_list

Default value:

secure

Optional:

Yes

Values:
  • List of accepted key exchanges, HMACs and ciphers names.
  • all
  • secure
  • fips
From version:

3.11.0

To version:

None

Description:

The full name for each key exchange, HMAC or cipher should be used as comma separated values.

This will configure the symmetrical encryption, asymmetrical encryption, hash-based message authentication code, and key exchange algorithms.

The special keyword secure contains all the algorithms that we currently consider secure. Should this list of algorithms be updated to exclude any new ciphers that have been considered weak, SFTPPlus will need to be upgraded to the version that contains the updated secure list of algorithms.

The keyword all is available for configuring all the supported algorithms. This is provided mainly to help with backward compatibility and will also enable weak ciphers.

Warning

Configuring all ciphers will also enabled ciphers which are no longer considered secure by modern standards.

A pre-defined set of FIPS 140-2 approved ciphers is available by using the special fips keyword in this configuration. When FIPS 140-s ciphers are enabled, any other configured cipher in the list is ignored.

If an unsupported name is used, the component will fail to start.

When the all keyword is used, all other values are ignored. When the secure keyword is used, all other values are ignored, including fips and explicit ciphers. When the fips keyword is used, any explicit cipher configuration is ignored.

Only one option from all, secure, or fips should be used at a single time.

4.14.6.12. idle_connection_timeout

Default value:

300

Optional:

Yes

Values:
  • Number of seconds after which idle connections are disconnected.
  • 0 - To disable timeouts.
  • Disabled - To disable timeouts.
From version:

1.7.19

To version:

None

Description:

The service will close the connection if a client connection is idle for a configurable amount of time.

4.14.6.13. maximum_concurrent_connections

Default value:

10000

Optional:

Yes

Values:
  • Number of maximum concurrent connections accepted by the service.
  • 0 - To disable the limit.
  • Disabled - To disable the limit.
From version:

1.7.19

To version:

None

Description:

Maximum number of allowed concurrent connections for this service.

This limit is imposed by each service, and it is not a global limit for all services active on the server.