About SSH SFTP Support in Cerberus FTP Server
Cerberus FTP Server Professional edition and higher supports the SSH2 File Transfer Protocol, also known as SFTP. SFTP is a network protocol that provides secure and reliable file access, file transfer, and file management functionality. Features of the protocol include resuming interrupted file transfers, directory listings, getting and setting file attributes, and remote file removal.
There are currently six different versions of the SFTP protocol, with versions 3 – 6 being in common use by modern SFTP clients. Cerberus supports SFTP version 3, 4, 5, and 6 clients.
Cerberus also supports SSH public key authentication.
Supported SSH2 Key Exchange Methods
Cerberus supports both Diffie-Hellman and Elliptic Curve Diffie-Hellman (ECDH) SSH2 key exchange methods. Enabling FIPS 140-2 mode affects which key exchange methods your server offers. More on FIPS can be found here: What is FIPS 140-2?
The following exchange methods are supported:
- curve25519-sha256
- curve25519-sha256@libssh.org
- curve448-sha512
- curve448-sha512@libssh.org
- diffie-hellman-group1-sha1 (not available in FIPS mode)
- diffie-hellman-group14-sha1
- diffie-hellman-group14-sha256
- diffie-hellman-group16-sha512
- diffie-hellman-group18-sha512
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group-exchange-sha256
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
Supported SSH2 Ciphers
The following SSH ciphers are supported:
- AEAD_AES_128_GCM
- aes128-gcm@openssh.com
- AEAD_AES_256_GCM
- aes256-gcm@openssh.com
- chacha20-poly1305@openssh.com (not available in FIPS mode)
- 3des-cbc (disabled by default)
- aes256-cbc
- aes192-cbc
- aes128-cbc
- aes256-ctr
- aes192-ctr
- aes128-ctr
Supported SSH2 MAC Algorithms
The following SSH MAC algorithms are supported:
- hmac-md5 (not available in FIPS mode)
- hmac-sha1
- hmac-sha1-96
- hmac-sha2-256
- hmac-sha2-256-96
- hmac-sha2-512
- hmac-sha2-512-96
- hmac-ripemd160 (not available in FIPS mode)
- hmac-ripemd160@openssh.com (not available in FIPS mode)
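To check what a listener actually offers against the three lists above, the following added example (not Cerberus code) parses an SSH_MSG_KEXINIT payload and reports any offered name that the page marks "not available in FIPS mode" or "disabled by default". It assumes the payload was captured from your own listener with the binary packet framing (length and padding) already stripped; the function names and the sample offer are constructed for illustration.

```python
# Names the page marks "not available in FIPS mode" / "disabled by default".
NON_FIPS = {"diffie-hellman-group1-sha1", "chacha20-poly1305@openssh.com",
            "hmac-md5", "hmac-ripemd160", "hmac-ripemd160@openssh.com"}
DISABLED_BY_DEFAULT = {"3des-cbc"}

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (message type byte onward) into its name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, offer = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        size = int.from_bytes(payload[off:off + 4], "big")
        off += 4
        if off + size > len(payload):  # also catches a truncated length field
            raise ValueError("name-list overruns payload: " + field)
        names = payload[off:off + size].decode("ascii")
        offer[field] = names.split(",") if names else []
        off += size
    return offer

def audit(offer: dict) -> dict:
    """Report offered names that contradict a FIPS-mode, default-cipher setup."""
    offered = set()
    for field in ("kex", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c"):
        offered.update(offer[field])
    return {"non_fips": sorted(offered & NON_FIPS),
            "disabled_by_default": sorted(offered & DISABLED_BY_DEFAULT)}

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed sample payload (zero cookie) for offline testing."""
    body = bytes([20]) + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += len(data).to_bytes(4, "big") + data
    return body + b"\x00" + (0).to_bytes(4, "big")  # first_kex_packet_follows, reserved

# Constructed sample offer, not captured from a real server.
SAMPLE = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
    "enc_c2s": ["aes256-ctr", "3des-cbc"], "enc_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-md5"], "mac_s2c": ["hmac-sha2-256"],
    "host_key": ["rsa-sha2-512"], "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

An empty `non_fips` list is what a listener running in FIPS mode should produce; any entry there means the offer does not match the FIPS annotations in the lists above.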
Adding an SSH2 SFTP Listener
You must first have at least one SFTP listener for Cerberus to be able to accept SFTP connections. Cerberus FTP Server will automatically add and enable SFTP listeners on each available IP address the first time it is run so you normally do not need to add an SFTP listener. However, if you’ve previously removed an SFTP listener you can add a new one from the Listeners page of the Server Manager.
To add a new SFTP listener:
- Select the Server Manager tab within Cerberus.
- Select the Listeners page.
- Select the “plus” icon next to the interface list box to add a new interface. The “Add A New Listener” dialog box will appear to ask for the interface details (interface IP, type, and port combination).
- Select the IP address that you want to listen for connections on.
- Select the SSH SFTP interface type.
- Enter the port you wish to listen on (the default for SSH2 SFTP is 22). Cerberus will automatically pre-populate the port with the default port for the type of listener you are adding.
- Press the Add button to add the listener.
- The listener should now be added to the Interfaces list. Press 'Add Listener' to close the Server Manager and save your changes.
Allowing SSH2 SFTP Connections through a Firewall
SFTP connections use port 22 by default. You may need to allow that port through your firewall to the machine running Cerberus FTP Server. You may also need to make sure your router is forwarding incoming connections on that port to the machine running Cerberus FTP Server.
Enabling or Disabling Existing SFTP Listeners
In addition to adding and deleting interfaces, Cerberus allows an administrator to disable or enable an existing interface. This feature can be used to temporarily disable a listener or to re-enable a listener that has become disabled because of a port conflict or trial license expiration. Simply right-click and select 'Enable/Disable Listener'.
See the following help section on Interfaces for information on how to enable or disable an existing listener: