Jul 18, 2019

The SSH public key is sent to your trading partner, who must load it onto their SSH or SFTP server and associate it with your account. When you connect to their SSH or SFTP server, the server verifies the key for authentication. If everything matches, the authentication succeeds.

How Are SSH and SFTP Similar? SSH authentication in SFTP

SSH key-based authentication is an access-credential authentication that uses the SSH protocol. It is similar to username/password authentication, but an SSH key is used instead of a password. It has now become the norm to use SSH key authentication with SFTP. Find out how to protect your server's sensitive data by learning how SSH keys work, creating an SSH key pair, and creating FTP users in SiteWorx.

You can create an alternate config file for the connection and use the -F switch to tell ssh to use it. Create a config file, e.g. ~/.ssh/config.sftp, with the contents

Host remote.host.tld
    User RemoteUserName
    IdentityFile /path/to/alternate/identityfile

then call sftp like so.

Dec 01, 2020

What is SFTP? SFTP stands for Secure File Transfer Protocol (also known as SSH File Transfer Protocol). It is a file transfer protocol like FTP, but it operates over a secure network protocol, SSH. We highly recommend using SFTP for file transfers because it adds a layer of security: transferred data is encrypted, so it is not sent in.
With the Admin Security or JITC feature sets enabled, the Secure Shell (SSH) and related Secure Shell File Transfer (SFTP) protocols provide for the secure transfer of audit files and for the secure transfer of management traffic across the wancom0 interface.
SSH Operations
SSH Version 2.0, the only version supported on the OCSBC, is defined by a series of five RFCs.
- RFC 4250, The Secure Shell (SSH) Protocol Assigned Numbers
- RFC 4251, The Secure Shell (SSH) Protocol Architecture
- RFC 4252, The Secure Shell (SSH) Authentication Protocol
- RFC 4253, The Secure Shell (SSH) Transport Layer Protocol
- RFC 4254, The Secure Shell (SSH) Connection Protocol
RFCs 4252 and 4253 are most relevant to OCSBC operations.
The transport layer protocol (RFC 4253) provides algorithm negotiation and key exchange. The key exchange includes server authentication and results in a cryptographically secured connection that provides integrity, confidentiality and optional compression. Forward secrecy is provided through a Diffie-Hellman key agreement, which results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
The authentication protocol (RFC 4252) uses this secure connection provided and supported by the transport layer. It provides several mechanisms for user authentication. Two modes are supported by the OCSBC: traditional password authentication and public-key authentication.
Configuring SSH Properties
The single instance ssh-config configuration element specifies SSH re-keying thresholds.
- From admin mode, use the following command path to access the ssh configuration element:
The ssh configuration element's properties are shown below with their default values.
- rekey-interval—specifies the maximum allowed interval, in minutes, between SSH key negotiations
Allowable values are integers within the range 60 through 600, with a default of 60 (minutes). Shorter lifetimes provide more secure connections.
Works in conjunction with rekey-byte-count, which sets a packet-based threshold, to trigger an SSH renegotiation. If either trigger is activated, an SSH renegotiation is begun.
Retain the default value, or specify a new value.
- rekey-byte-count—specifies the maximum allowed send and receive packet count, in powers of 2, between SSH key negotiations
Allowable values are integers within the range 20 (1,048,576 packets) through 31 (2,147,483,648 packets), with a default of 31 (2^31). Smaller packet counts provide more secure connections.
Works in conjunction with rekey-interval, which sets a time-based threshold, to trigger an SSH renegotiation. If either trigger is activated, an SSH renegotiation is begun.
Retain the default value, or specify a new value.
A sample SSH configuration appears below:
Specifies a key renegotiation every 20 minutes, or at the reception/transmission of 2,147,483,648 packets, whichever comes first.
Managing SSH Keys
Use the following procedure to import an SSH host key.
Importing a host key requires access to the SFTP server or servers which receive audit log transfers. Access is generally most easily accomplished with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.
- Use a terminal emulation program to access the SSH file system on a configured SFTP server.
- Copy the server’s base64 encoded public key file, making sure to include the Begin and End markers as specified by RFC 4716, The Secure Shell (SSH) Public Key File Format.
For OpenSSH implementations, host keys are generally found at /etc/ssh/ssh_host_dsa_key.pub or /etc/ssh/ssh_host_rsa_key.pub. Other SSH implementations can differ.
- From admin mode, use the ssh-pub-key command to import the host key to the OCSBC.
For importing a host key, this command takes the format:
where name is an alias or handle assigned to the imported host key, generally the server name or a description of the server function.
- Paste the public key with the bracketing Begin and End markers at the cursor point.
- Enter a semi-colon (;) to signal the end of the imported host key.
- Follow directions to save and activate the configuration.
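The import above expects the key in RFC 4716 form, bracketed by Begin and End markers, while OpenSSH host key files (and, later on this page, authorized_keys) hold one key per line with no markers. The converter below is an added example written for this page in Python; it is not Oracle's code or output. It wraps a one-line OpenSSH key into RFC 4716 form and back, and refuses a line whose type field disagrees with the encoded blob, which catches a key that was mangled in transit through a terminal session. The RSA key it builds is a fixed byte pattern constructed for the demo, not a real host key; backslash-continued RFC 4716 header lines are not handled.

```python
import base64

BEGIN_MARKER = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARKER = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _key_type_of(blob: bytes) -> str:
    """Every public key blob starts with its algorithm name as an SSH string."""
    length = int.from_bytes(blob[:4], "big")
    return blob[4:4 + length].decode("ascii")


def constructed_rsa_host_key(comment: str) -> str:
    """Return a syntactically valid one-line OpenSSH 'ssh-rsa' key for the demo.

    The modulus is a fixed byte pattern (a constructed value, NOT a real key);
    it exercises the encoding only and must never be trusted as a host key.
    """
    exponent = 65537
    modulus = int.from_bytes(bytes(range(1, 129)), "big") | (1 << 1023)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def openssh_to_rfc4716(line: str) -> str:
    """Wrap a 'type base64 [comment]' line in RFC 4716 markers (the form the import expects)."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)          # rejects non-base64 characters
    if _key_type_of(blob) != key_type:
        raise ValueError(f"type field {key_type!r} does not match the encoded blob")
    encoded = base64.b64encode(blob).decode("ascii")
    out = [BEGIN_MARKER]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(encoded[i:i + 70] for i in range(0, len(encoded), 70))  # RFC 4716: lines <= 72 chars
    out.append(END_MARKER)
    return "\n".join(out) + "\n"


def rfc4716_to_openssh(text: str) -> str:
    """Reverse: strip markers and header lines, re-join the base64 body (authorized_keys form)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 3 or lines[0] != BEGIN_MARKER or lines[-1] != END_MARKER:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    comment, body = "", []
    for l in lines[1:-1]:
        if ":" in l:                                  # header line; base64 never contains ':'
            if l.startswith("Comment:"):
                comment = l.split(":", 1)[1].strip().strip('"')
            continue
        body.append(l)
    blob = base64.b64decode("".join(body), validate=True)
    line = f"{_key_type_of(blob)} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}".rstrip()


if __name__ == "__main__":
    key_line = constructed_rsa_host_key("sftp-audit-host (constructed)")
    wrapped = openssh_to_rfc4716(key_line)
    print(wrapped)
    print("round trip ok:", rfc4716_to_openssh(wrapped) == key_line)
```

Whichever direction you convert, compare the key's fingerprint with one obtained from the server's administrator over a separate channel before importing it; a host key accepted on the strength of a pasted terminal buffer alone is a host key you have not verified.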
Importing SSH Keys
Use the following procedure to import an SSH public key.
Prior to using SSH-public-key-based authentication you must import a copy of the public key of each user who will authenticate using this method. The public key identifies the user as a trusted entity when the Oracle SBC performs authentication.
During the SSH login, the user presents its public key to the SBC. Upon receiving the offered public key, the SBC validates it against the previously obtained trusted copy of the key to identify and authenticate the user.
Importing a public key requires access to the device on which the public key was generated, or on which it is currently stored with its associated private key. Access is generally attained with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.
- Use a terminal emulation program to access the system from which the public key will be obtained.
- Copy the base64 encoded public key making sure to include the Begin and End markers as specified by RFC 4716, The Secure Shell (SSH) Public Key File Format.
- From admin mode use the ssh-pub-key command to import the public key to the OCSBC.
For importing a public key which will be used to authorize a user, this command takes the format:
- where name is an alias or handle assigned to the imported public key, often the user’s name.
- where authorizationClass optionally designates the authorization class assigned to this user, and takes the value user (the default) or admin.
To import a public key for Matilda who will be authorized for admin privileges, use the following command
- Paste the public key with the bracketing Begin and End markers at the cursor point.
- Enter a semi-colon (;) to signal the end of the imported public key.
- Follow directions to save and activate the configuration.
Generating an SSH Key Pair
Use the following procedure to generate an SSH key pair.
The initial step in generating an SSH key pair is to configure a public key record which will serve as a container for the generated key pair.
- Navigate to the public-key configuration element.
- Use the name command to provide the object name, and the show command to verify object creation.
creates a public key record named tashtego.
- Use the done command to complete object creation.
- Make a note of the last-modified-date time value.
- Move back to admin mode, and save and activate the configuration.
- Now use the ssh-pub-key generate command, in conjunction with the name of the public key record created in Step 3, to generate an SSH key pair.
For generating an SSH key pair, this command takes the format:
where name is an alias or handle assigned to the generated key pair, generally the client name or a description of the client function.
- Copy the base64-encoded public key. Copy only the actual public key — do not copy the bracketing Begin and End markers nor any comments. Shortly you will paste the public key to one or more SFTP servers.
- Save and activate the configuration.
- Return to the public-key configuration object, and select the target public key record instance.
- Verify that the record has been updated to reflect key generation by examining the value of the last-modified-date field.
Copying Public Key to SFTP Server
Use the following procedure to copy a client public key to an SFTP server.
- Use a terminal emulation program to access the SSH file system on a configured SFTP server.
- Copy the client key to the SFTP server.
On OpenSSH implementations, public keys are usually stored in the ~/.ssh/authorized_keys file. Each line of this file (1) is empty, (2) starts with a pound (#) character (indicating a comment), or (3) contains a single public key. Refer to the sshd man pages for additional information regarding file format.
Use a text editor such as vi or emacs to open the file and paste the public key to the tail of the authorized_keys file.
For SSH implementations other than OpenSSH, consult the system administrator for file structure details.
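The authorized_keys rules above (empty line, comment line, or exactly one single-line key) are easy to break with a careless paste, and a malformed line can lock the account out of key authentication. The Python below is an added example written for this page, not Oracle's or OpenSSH's code: it classifies each line, refuses to append anything that is not a single-line key (so RFC 4716 markers pasted by mistake are caught), skips a key that is already present, and keeps the trailing newline intact. The keys and file content are constructed from fixed byte patterns for the demo; the function, constant and file names are the example's own.

```python
import base64

# Key types that may appear in an OpenSSH authorized_keys file.
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def constructed_key_line(key_type: str, material: bytes, comment: str) -> str:
    """A syntactically valid 'type base64 comment' line built from a fixed byte
    pattern; constructed for the demo, not a real key."""
    blob = _ssh_string(key_type.encode("ascii")) + _ssh_string(material)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


SBC_KEY = constructed_key_line("ssh-ed25519", bytes(range(32)), "ocsbc-audit-client (constructed)")
OTHER_KEY = constructed_key_line("ssh-ed25519", bytes(range(32, 64)), "backup-host (constructed)")

# Constructed authorized_keys content as it might already exist on the SFTP server.
EXISTING_FILE = "# keys for the audit-transfer account (constructed sample)\n" + OTHER_KEY + "\n"


def _key_identity(fields):
    """(type, base64) of the first recognised key type in a split line, or None."""
    for i, f in enumerate(fields):
        if f in KNOWN_TYPES and i + 1 < len(fields):
            return f, fields[i + 1]
    return None


def classify_line(line: str) -> str:
    """'empty', 'comment', 'key' or 'invalid', following the three sshd line forms."""
    stripped = line.strip()
    if not stripped:
        return "empty"
    if stripped.startswith("#"):
        return "comment"
    ident = _key_identity(stripped.split())   # leading options such as command="..." are skipped
    if ident is None:
        return "invalid"
    key_type, b64 = ident
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid"
    # The blob must start with its own type name as an SSH string.
    if blob[:4] == len(key_type).to_bytes(4, "big") and blob[4:4 + len(key_type)] == key_type.encode("ascii"):
        return "key"
    return "invalid"


def append_authorized_key(existing: str, new_line: str) -> str:
    """Return the file content with new_line appended, validated and de-duplicated.

    RFC 4716 BEGIN/END markers are rejected: this file takes single-line keys only.
    """
    if classify_line(new_line) != "key":
        raise ValueError("new key must be a single 'type base64 [comment]' line")
    new_id = _key_identity(new_line.split())
    for number, line in enumerate(existing.splitlines(), 1):
        kind = classify_line(line)
        if kind == "invalid":
            raise ValueError(f"authorized_keys line {number} is malformed; fix it before appending")
        if kind == "key" and _key_identity(line.split()) == new_id:
            return existing                      # same key already authorised
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + new_line.strip() + "\n"


if __name__ == "__main__":
    merged = append_authorized_key(EXISTING_FILE, SBC_KEY)
    print(merged, end="")
    print("second append is a no-op:", append_authorized_key(merged, SBC_KEY) == merged)
```

Run it against the real file by reading ~/.ssh/authorized_keys into a string, passing it with the key copied in the key-generation step, and writing the result back only if no ValueError was raised; that keeps the file-format rules enforced at the one point where the file changes.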
Use the following procedure to view an imported SSH key.
You can use the show security ssh-pub-key command to display information about SSH keys imported to the OCSBC with the ssh-pub-key command; you cannot display information about keys generated with the ssh-pub-key generate command.
displays summary information for all SSH imported keys
- login-name—contains the name assigned to the RSA or DSA public key when it was first imported
- finger-print—contains the output of an MD5 hash computed across the base64-encoded public key
- finger-print-raw—contains the output of an MD5 hash computed across the binary form of the public key
displays summary information for a specific SSH public key (in this case fedallah)
displays detailed information for specific SSH public key (in this case fedallah, an RSA key)
- host-name—contains the name assigned to the RSA key when it was first imported
- finger-print—contains the output of an MD5 hash computed across the base64-encoded RSA public key
- finger-print-raw—contains the output of an MD5 hash computed across the binary form of the RSA public key
- public key—contains the base64-encoded RSA key
- modulus—contains the hexadecimal modulus (256) of the RSA key
- exponent—(also known as public exponent or encryption exponent) contains an integer value that is used during the RSA key generation algorithm. Commonly used values are 17 and 65537. A prime exponent greater than 2 is generally used for more efficient key generation.
displays detailed information for specific SSH public key (in this case acme74, a DSA key)
- host name—contains the name assigned to the DSA public key when it was first imported
- comment—contains any comments associated with the DSA key
- finger-print—contains the output of an MD5 hash computed across the base64-encoded DSA public key
- finger-print-raw—contains the output of an MD5 hash computed across the binary form of the DSA public key
- public key—contains the base64 encoded DSA key
- p—contains the first of two prime numbers used for key generation
- q—contains the second of two prime numbers used for key generation
- g—contains an integer that together with p and q are the inputs to the DSA key generation algorithm
displays detailed information for all SSH imported keys.
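The field lists above describe two different fingerprints (finger-print over the base64 text, finger-print-raw over the binary key) and the RSA and DSA parameters the show output reports. The Python below is an added example written for this page, not Oracle's code or the actual show output: it decodes a base64 SSH public key blob using the RFC 4253 wire layout (algorithm name, then e and n for ssh-rsa, or p, q, g and y for ssh-dss), computes both fingerprint flavours as the text describes them, and flags trailing bytes that would indicate a corrupted paste. The sample keys are fixed byte patterns constructed for the demo; the DSA values are not valid domain parameters and only exercise the encoding.

```python
import base64
import hashlib


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, pos: int):
    length = int.from_bytes(blob[pos:pos + 4], "big")
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH string")
    return blob[pos + 4:end], end


def _read_mpint(blob: bytes, pos: int):
    raw, pos = _read_string(blob, pos)
    return int.from_bytes(raw, "big"), pos   # public-key values are positive, so no sign handling


def _colon_hex(hexdigest: str) -> str:
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# Constructed sample keys (fixed byte patterns, NOT real keys).
CONSTRUCTED_RSA_B64 = base64.b64encode(
    _ssh_string(b"ssh-rsa")
    + _ssh_mpint(65537)
    + _ssh_mpint(int.from_bytes(bytes(range(1, 129)), "big") | (1 << 1023))
).decode("ascii")

CONSTRUCTED_DSA_Q = 0xC0FFEE1234567890ABCDEF1234567890ABCDEF01
CONSTRUCTED_DSA_B64 = base64.b64encode(
    _ssh_string(b"ssh-dss")
    + _ssh_mpint((1 << 1023) | 0xABCD)   # p (constructed, not a valid DSA prime)
    + _ssh_mpint(CONSTRUCTED_DSA_Q)      # q
    + _ssh_mpint(2)                      # g
    + _ssh_mpint((1 << 1022) | 0x1234)   # y
).decode("ascii")


def describe_public_key(b64: str) -> dict:
    """Decode a base64 SSH public key blob into the fields the show output lists.

    'finger-print' hashes the base64 text; 'finger-print-raw' hashes the decoded
    binary blob (the value ssh-keygen -l -E md5 reports). The two differ, so
    compare like with like when checking a key with its owner out of band.
    """
    blob = base64.b64decode(b64, validate=True)
    key_type, pos = _read_string(blob, 0)
    info = {
        "type": key_type.decode("ascii"),
        "finger-print": _colon_hex(hashlib.md5(b64.encode("ascii")).hexdigest()),
        "finger-print-raw": _colon_hex(hashlib.md5(blob).hexdigest()),
    }
    if key_type == b"ssh-rsa":                      # RFC 4253 6.6: e then n
        e, pos = _read_mpint(blob, pos)
        n, pos = _read_mpint(blob, pos)
        info.update(exponent=e, modulus=hex(n), modulus_bits=n.bit_length())
    elif key_type == b"ssh-dss":                    # RFC 4253 6.6: p, q, g, y
        p, pos = _read_mpint(blob, pos)
        q, pos = _read_mpint(blob, pos)
        g, pos = _read_mpint(blob, pos)
        y, pos = _read_mpint(blob, pos)
        info.update(p=hex(p), q=hex(q), g=hex(g), y=hex(y), p_bits=p.bit_length())
    else:
        info["note"] = "parameters not decoded for this key type"
        return info
    if pos != len(blob):
        raise ValueError("trailing bytes after the key fields; the blob is not a clean encoding")
    return info


if __name__ == "__main__":
    for label, b64 in (("rsa", CONSTRUCTED_RSA_B64), ("dsa", CONSTRUCTED_DSA_B64)):
        for field, value in describe_public_key(b64).items():
            print(f"{label} {field}: {str(value)[:60]}")
```

Because MD5 is used only to label a key here, not to protect it, the fingerprints are fine for matching against a value the key's owner reads back to you; the modulus_bits value is the quicker thing to check first, since a key much shorter than expected is a misconfiguration worth noticing before it is authorised.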
SFTP Operations
SFTP performs all operations over an encrypted SSH connection. It may also use many features of SSH, such as public key authentication and compression. SFTP connects and logs into the specified host, then enters an interactive command mode.
Once in interactive mode, SFTP understands a set of commands similar to those of FTP. Commands are case insensitive and pathnames may be enclosed in quotes if they contain spaces.
The following lists supported SFTP commands:
- bye—Quit SFTP.
- cd path—Change remote directory to path.
- lcd path—Change local directory to path.
- chgrp grp path—Change group of file path to grp. grp must be a numeric GID.
- chmod mode path—Change permissions of file path to mode.
- chown own path—Change owner of file path to own. own must be a numeric UID.
- dir (or ls)—List the files in the current directory.
- exit—Quit SFTP.
- get [flags] remote-path [local-path]—Retrieve the remote-path and store it on the local machine. If the local path name is not specified, it is given the same name it has on the remote machine. If the -P flag is specified, then the file's full permission and access time are copied too.
- help—Display help text.
- lcd—Change the directory on the local computer.
- lls [ls-options] [path]—Display local directory listing of either path or the current directory if path is not specified.
- lmkdir path—Create local directory specified by path.
- ln oldpath newpath—Create a symbolic link from oldpath to newpath.
- lpwd—Print local working directory.
- ls [path]—Display remote directory listing of either path or current directory if path is not specified.
- lumask umask—Set local umask to umask.
- mkdir path—Create remote directory specified by path.
- put [flags] local-path [remote-path]—Upload local-path and store it on the remote machine. If the remote path name is not specified, it is given the same name it has on the local machine. If the -P flag is specified, then the file's full permission and access time are copied too.
- pwd—Display remote working directory.
- quit—Quit SFTP.
- rename oldpath newpath—Rename remote file from oldpath to newpath.
- rmdir path—Remove remote directory specified by path.
- rm path—Delete remote file specified by path.
- symlink oldpath newpath—Create a symbolic link from oldpath to newpath.
- ! command—Execute command in local shell.
- !—Escape to local shell.
- ?—Synonym for help.
Note:
Command availability is subject to Oracle authorization/privilege classes. Some SFTP commands are available to only certain users; some commands are available to no users.
RADIUS file access privileges are specified by the Acme-User-Privilege VSA, which can take the following values.
- sftpForAudit—allows audit log access
- sftpForAccounting—allows system logs to be accessed
- sftpForHDR—allows HDR (Historical Data Records) to be accessed
- sftpForAll—allows all logs to be accessed