SFTP Agents Preparations

Prior to configuring an SFTP agent, consider the following preparation notes:
 

  • Server Identification

  • Attributes

  • Authentication

  • Server Keys

Server Identification

The SFTP agent uses a file with known host keys to validate the server identity during connection setup. The location and naming of this file is managed through the Execution Context property:

mz.ssh.known_hosts_file

Set it in the <pico name>.conf file of the relevant EC to control where the file is stored. The default value is ${mz.home}/etc/ssh/known_hosts.

The SSH implementation uses JCE (Java Cryptography Extension), which means that your Java distribution may impose limits on key sizes. This is usually not a problem, but in some cases the unlimited strength cryptography policy is needed, for instance when the server's host RSA keys are larger than 2048 bits (depending on the SSH server configuration). In that case you may have to update the Java platform that runs the EC.

For unlimited strength cryptography on the Oracle JRE, download the JCE Unlimited Strength Jurisdiction Policy Files from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. Replace the jar files in $JAVA_HOME/jre/lib/security with the files in this package.

The OpenJDK JRE does not require special handling of the JCE policy files for unlimited strength cryptography. 

Attributes

The SFTP collection agent and the SFTP forwarding agent share a number of common attributes. Both support the following cipher algorithms:

3des-cbc, 3des-ctr, blowfish-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour, arcfour128, arcfour256.

Authentication

The SFTP agents support authentication through either username/password or private key. Private keys can optionally be protected by a key password. The most commonly used private key file formats can be imported into the system.

Typical command line syntax (most systems):

ssh-keygen -t <keyType> -f <directoryPath>

Setting        Description

keyType        The type of key to be generated. Both RSA and DSA key types are supported.

directoryPath  The directory in which you want to save the generated keys.


Example - Creating a private key

The private key may be created using the following command line:

> ssh-keygen -t rsa -f /tmp/keystore
    Enter passphrase: xxxxxx
    Enter same passphrase again: xxxxxx

Then the following is stated:

    Your identification key has been saved in /tmp/keystore
    Your public key has been saved in /tmp/keystore.pub

When the keys are created the private key may be imported to the SFTP agent.

To import the private key into the SFTP agent:

  1. Open the Agent Configuration dialog for the SFTP collection agent as described in SFTP Collection Agent Configuration.

  2. Select Private Key as the authentication method.

  3. Click on the Select... button to open the Edit Private Key dialog.

  4. Paste your private key into the text field.

  5. Enter your password in the Password field and click OK.

  6. Close the Agent Configuration dialog by clicking OK.

Finally, on the SFTP server host, append /tmp/keystore.pub to $HOME/.ssh/authorized_keys. If $HOME/.ssh/authorized_keys does not exist, create it.

Server Keys

The SSH protocol uses host verification as protection against attacks where an attacker manages to reroute the TCP connection from the correct server to another machine. Since the password is sent directly over the encrypted connection, it would be delivered to whichever host the client accepted as the server, so it is critical for security that the client does not accept an incorrect public key.

The agent uses a file with the known hosts and their keys. It accepts the key supplied by the server if one of the following conditions is fulfilled:

  1. The host is previously unknown. In this case the public key is registered in the file.

  2. The host is known and the public key matches the stored key.

  3. The host is known but presents a new key, and the agent has been configured to accept new keys. For further information, see the Advanced tab.

If the host key changes for some reason and the agent has not been configured to accept new keys, the file must be removed (or edited) for the new key to be accepted.
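The following is an added example, not part of the product's own implementation, that models the three acceptance rules above against a known_hosts-style file and, for the Server Identification note about RSA host keys above 2048 bits, reports the modulus size of an ssh-rsa key so you can tell in advance whether the unlimited strength JCE policy is likely to be needed. The host names, key material and file contents are constructed for the example (the RSA moduli are not real keys, only correctly sized ones); the file is modelled as one key per host, as the rules describe, and hashed (|1|...) or @-marked entries are skipped.

```python
"""Host-key acceptance check modelled on the agent's three known_hosts rules
(added example; not the product's own code)."""
import base64
import struct
from pathlib import Path


# --- RFC 4253 wire-format helpers, used to build and inspect the constructed keys ---

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:          # leading zero keeps the value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, pos: int):
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def rsa_modulus_bits(key_b64: str):
    """Bit length of an ssh-rsa key's modulus, or None for other key types.
    Host RSA keys above 2048 bits are the case where the unlimited strength
    JCE policy may be required on the EC's Java platform."""
    blob = base64.b64decode(key_b64)
    ktype, pos = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        return None
    _e, pos = _read_string(blob, pos)      # public exponent, not needed here
    n, _ = _read_string(blob, pos)
    return int.from_bytes(n, "big").bit_length()


# --- known_hosts handling ---

def parse_known_hosts(text: str) -> dict:
    """Map each host pattern to (key_type, key_b64). Plain names, [host]:port
    names and comma-separated host lists are handled; hashed (|1|...) lines
    and @-marker lines are out of scope for this example and are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@" or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        for host in parts[0].split(","):
            entries[host] = (parts[1], parts[2])
    return entries


def check_host_key(entries: dict, host: str, ktype: str, key_b64: str,
                   accept_new_key: bool = False) -> str:
    """Apply the three rules. Returns 'registered', 'match', 'replaced' or
    'rejected'; `entries` is updated on 'registered' and 'replaced'."""
    known = entries.get(host)
    if known is None:                       # rule 1: unknown host, register it
        entries[host] = (ktype, key_b64)
        return "registered"
    if known == (ktype, key_b64):           # rule 2: known host, key unchanged
        return "match"
    if accept_new_key:                      # rule 3: changed key, explicitly allowed
        entries[host] = (ktype, key_b64)
        return "replaced"
    return "rejected"                       # changed key, not allowed: refuse


def render_known_hosts(entries: dict) -> str:
    return "".join(f"{h} {t} {k}\n" for h, (t, k) in entries.items())


def verify_against_file(path: Path, host: str, ktype: str, key_b64: str,
                        accept_new_key: bool = False) -> str:
    """File-backed variant; rewrites the file (comments dropped) when it changes."""
    entries = parse_known_hosts(path.read_text() if path.exists() else "")
    result = check_host_key(entries, host, ktype, key_b64, accept_new_key)
    if result in ("registered", "replaced"):
        path.write_text(render_known_hosts(entries))
    return result


# --- constructed sample material (not real keys) ---

def _rsa_key_b64(modulus_bits: int) -> str:
    n = (1 << (modulus_bits - 1)) | 1       # constructed modulus of the wanted size
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return base64.b64encode(blob).decode()


KEY_RSA_2048 = _rsa_key_b64(2048)
KEY_RSA_4096 = _rsa_key_b64(4096)
KEY_ED25519 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()

# Constructed file content in the shape of ${mz.home}/etc/ssh/known_hosts
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample known_hosts\n"
    f"sftp1.example.test ssh-rsa {KEY_RSA_2048}\n"
    f"[sftp2.example.test]:2222,10.0.0.5 ssh-ed25519 {KEY_ED25519}\n"
)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        kh = Path(d) / "known_hosts"
        kh.write_text(SAMPLE_KNOWN_HOSTS)
        # sftp1 suddenly presents a different key and new keys are not allowed
        print(verify_against_file(kh, "sftp1.example.test", "ssh-rsa", KEY_RSA_4096))  # rejected
        print(rsa_modulus_bits(KEY_RSA_4096), "bit RSA host key: above 2048, check the JCE policy")
```

A 'rejected' result is the case the last paragraph describes: the stored entry has to be removed or edited before the new key is accepted, unless the agent has been configured to accept new keys (the accept_new_key flag here stands in for that setting on the Advanced tab).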