GlobalSCAPE Knowledge Base

Configuring SFTP cipher/MAC algorithms for EFT outbound connections in the registry

Karla Marsh
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Enterprise v6.3 and later

DISCUSSION

EFT currently does not provide a way to configure the SFTP cipher and MAC algorithms for outbound connections in the administration interface. The Site-level SFTP configuration for inbound protocols in the interface does not affect the outbound settings. Instead, registry settings are available to enable or disable the individual ciphers and MACs used for outbound connections.

The SFTP registry keys are created automatically by ClientFTP.dll. ClientFTP.dll writes to the registry when it finishes a transfer; therefore, you should edit the settings when no transfers are occurring, so that it loads your custom settings and then saves them back to the registry when it finishes the transfer. (Once ClientFTP.dll writes your custom settings to the registry, it will continue to use those settings.) You may have to run an initial outbound transfer after a clean install before the keys are created, or you can create them manually. (Again, do this when there is no outbound activity to avoid overwriting your changes.)

Prior to v8, the advanced properties resided under: HKLM\SOFTWARE\Wow6432Node\GlobalSCAPE\TED 6\Settings\SecuritySFTP2\.

In v8 and later, these advanced properties, when changed from the default, are saved in the AdvancedProperties.JSON file, in the EFT ProgramData directory (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise).

| Name | Type | Min | Max | Default | Description |
|---|---|---|---|---|---|
| SFTP2_AES128 | bool | 0 | 1 | 1 | Setting to 1 enables the AES128 cipher algorithm. |
| SFTP2_AES128CTR | bool | 0 | 1 | 1 | Setting to 1 enables the AES128CTR cipher algorithm. |
| SFTP2_AES256 | bool | 0 | 1 | 1 | Setting to 1 enables the AES256 cipher algorithm. |
| SFTP2_AES256CTR | bool | 0 | 1 | 1 | Setting to 1 enables the AES256CTR cipher algorithm. |
| SFTP2_ARCFOUR | bool | 0 | 1 | 1 | Setting to 1 enables the ARCFOUR cipher algorithm. |
| SFTP2_AuthByKey | bool | 0 | 1 | 0 | Enable ClientFTP SFTP authentication by key. |
| SFTP2_AuthByPassword | bool | 0 | 1 | 1 | Enable ClientFTP SFTP authentication by password. |
| SFTP2_Blowfish | bool | 0 | 1 | 1 | Setting to 1 enables the Blowfish cipher algorithm. |
| SFTP2_CAST128 | bool | 0 | 1 | 1 | Setting to 1 enables the CAST128 cipher algorithm. |
| SFTP2_Log | bool | 0 | 1 | 0 | Set to 1 to enable ClientFTP SFTP logging. |
| SFTP2_Log_Level | uint32_t | 0 | 2147483647 | 9 | ClientFTP SFTP log level. |
| SFTP2_MD5 | bool | 0 | 1 | 1 | Setting to 1 enables the MD5 MAC algorithm. |
| SFTP2_MD5_96 | bool | 0 | 1 | 1 | Setting to 1 enables the MD5_96 MAC algorithm. |
| SFTP2_SHA1 | bool | 0 | 1 | 1 | Setting to 1 enables the SHA1 MAC algorithm. |
| SFTP2_SHA1_96 | bool | 0 | 1 | 1 | Setting to 1 enables the SHA1_96 MAC algorithm. |
| SFTP2_SHA2_256 | bool | 0 | 1 | 1 | Setting to 1 enables the SHA2_256 MAC algorithm. |
| SFTP2_SHA2_512 | bool | 0 | 1 | 1 | Setting to 1 enables the SHA2_512 MAC algorithm. |
| SFTP2_TripleDES | bool | 0 | 1 | 1 | Setting to 1 enables the TripleDES cipher algorithm. |
| SFTP2_Twofish | bool | 0 | 1 | 1 | Setting to 1 enables the Twofish cipher algorithm. |
| SFTP2_TWOFISH128 | bool | 0 | 1 | 1 | Setting to 1 enables the TWOFISH128 cipher algorithm. |
| SFTP2_TWOFISH256 | bool | 0 | 1 | 1 | Setting to 1 enables the TWOFISH256 cipher algorithm. |
| SFTP2_UseCompression | bool | 0 | 1 | 1 | Enable ClientFTP SFTP compression. |
| SFTP2PrivateKey | string | 0 | 4096 | | ClientFTP SFTP private key. |
| SFTP2PublicKey | string | 0 | 4096 | | ClientFTP SFTP public key. |

The following snippet from the ClientFTP log file shows the output when only SFTP2_TWOFISH128 and SFTP2_MD5_96 are enabled:

    STATUS:> Host key match found in certificate database -- accepted.
    STATUS:> First key exchange completed
    Negotiated algorithms:
    kex alg: diffie-hellman-group14-sha1
    host key alg: ssh-rsa
    c2s encr alg: twofish128-cbc
    s2c encr alg: twofish128-cbc
    c2s mac alg: hmac-md5-96
    s2c mac alg: hmac-md5-96
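After changing the settings, the ClientFTP log is where you confirm what an outbound connection actually negotiated. The following is an added example, not Globalscape code: it parses "Negotiated algorithms" blocks in the layout shown above and reports cipher and MAC choices that match a deny-list. The deny-list is an example policy, the sample log is constructed from the snippet in this article, and the function names are hypothetical.

```python
import re

# Constructed sample: a "Negotiated algorithms" block in the layout the article shows.
SAMPLE_LOG = """\
STATUS:> First key exchange completed
Negotiated algorithms:
kex alg: diffie-hellman-group14-sha1
host key alg: ssh-rsa
c2s encr alg: twofish128-cbc
s2c encr alg: twofish128-cbc
c2s mac alg: hmac-md5-96
s2c mac alg: hmac-md5-96
"""

FIELD = re.compile(r"^\s*(kex|host key|c2s encr|s2c encr|c2s mac|s2c mac) alg:\s*(\S+)\s*$")

# Example policy (an assumption; replace with your own standard). It covers only
# ciphers and MACs, the two things the SFTP2_* settings in the table control.
DENY = [
    (re.compile(r"^hmac-md5"), "MD5-based MAC"),
    (re.compile(r"-96$"), "MAC truncated to 96 bits"),
    (re.compile(r"^arcfour"), "RC4 stream cipher"),
    (re.compile(r"-cbc$"), "CBC-mode cipher"),
]

def parse_negotiations(log_text):
    """Return one dict per 'Negotiated algorithms:' block found in the log."""
    sessions, current = [], None
    for line in log_text.splitlines():
        m = FIELD.match(line)
        if line.strip() == "Negotiated algorithms:":
            current = {}
            sessions.append(current)
        elif m and current is not None:
            current[m.group(1)] = m.group(2)
        elif line.strip():
            current = None  # any other non-blank line ends the block
    return sessions

def audit(log_text):
    """Return (session_index, field, algorithm, reason) for each policy hit."""
    findings = []
    for i, session in enumerate(parse_negotiations(log_text)):
        for field, alg in session.items():
            for pattern, reason in DENY:
                if pattern.search(alg):
                    findings.append((i, field, alg, reason))
    return findings
```

Run `audit()` over the log text after a test transfer; an empty result means every negotiated cipher and MAC passed the policy.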

Details
Last Modified: 4 Months Ago
Last Modified By: kmarsh
Type: HOWTO