Search

GlobalSCAPE Knowledge Base

Configuring SFTP cipher/mac algorithms for EFT outbound connections in the registry

Karla Marsh
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Enterprise v6.3 and later

DISCUSSION

EFT currently does not provide the ability to configure the SFTP cipher/mac algorithms for outbound connections in the administration interface. The Site-level SFTP configuration for the inbound protocols in the interface does not affect the outbound settings. The ability to configure algorithms for outbound connections is available via registry settings or, in V8 and later, the AdvancedProperties.json file to enable/disable the various ciphers and macs.

The SFTP registry keys are automatically created by the ClientFTP.dll. The ClientFTP.dll writes to the registry when it finishes a transfer; therefore, you should edit the settings when there are no transfers occurring so that it loads your custom settings, and then it will save your custom settings back to the registry when it finishes the transfer. (Once ClientFTP.dll writes your custom settings to the registry, it will continue to use those settings.) You may have to run an initial outbound transfer after a clean install before the keys are created, or you can create them manually. (Again, do this when there is no outbound activity to avoid overwriting your changes.)

Prior to v8, the advanced properties resided under:  HKLM\SOFTWARE\Wow6432Node\GlobalSCAPE\TED 6\Settings\SecuritySFTP2\.

In v8 and later, these advanced properties, when changed from the default, are saved in the AdvancedProperties.JSON file, in the EFT ProgramData directory (e.g., C:\ProgramData\Globalscape\EFT Server Enterprise). For these values, instead of 0 or 1, you must use false or true.

Name

Type

Default

Description

SFTP2_AES128

bool

1/true

Setting to 1 enables the AES128 cipher algorithm.

SFTP2_AES128CTR

bool

1/true

Setting to 1 enables the AES128CTR cipher algorithm.

SFTP2_AES128_GCM_AT_OPENSSH_COM
 (v8.0.4 and later)

bool

1/true

Setting to true enables the aes128-gcm@openssh.com cipher algorithm.

SFTP2_AES192  (v8.0.4 and later)

bool

1/true

Setting to true enables the aes192-cbc cipher algorithm.

SFTP2_AES192CTR  (v8.0.4 and later)

bool

1/true

Setting to true enables the aes192-ctr cipher algorithm.

SFTP2_AES256

bool

1/true

Setting to 1 enables the AES256 cipher algorithm.

SFTP2_AES256CTR

bool

1/true

Setting to 1 enables the AES256CTR cipher algorithm.

SFTP2_AES256_GCM_AT_OPENSSH_COM  
(v8.0.4 and later)

bool

1/true

Setting to 1 enables the aes256-gcm@openssh.com cipher algorithm.

SFTP2_ARCFOUR

bool

0/false

Setting to 1 enables the ARCFOUR cipher algorithm.

SFTP2_AuthByKey

bool

0/false

Enable ClientFTP SFTP authentication by key.

SFTP2_AuthByPassword

bool

1/true

Enable ClientFTP SFTP authentication by password.

SFTP2_Blowfish

bool

0/false

Setting to 1 enables the Blowfish cipher algorithm.

SFTP2_CAST128

bool

0/false

Setting to 1 enables the CAST128 cipher algorithm.

SFTP2_CHACHA20_POLY1305_AT_OPENSSH_COM  (v8.0.4 and later)

bool

1/true

Setting to 1 enables the chacha20-poly1305@openssh.com cipher algorithm.

SFTP2_HMAC_SHA1_ETM_AT_OPENSSH_COM  (v8.0.4 and later)

bool

1/true

Setting to 1 enables the hmac-sha1-etm@openssh.com algorithm.

SFTP2_HMAC_SHA2_256_ETM_AT_OPENSSH_COM  (v8.0.4 and later)

bool

1/true

Setting to 1 enables the hmac-sha2-256-etm@openssh.com algorithm.

SFTP2_HMAC_SHA2_512_ETM_AT_OPENSSH_COM  (v8.0.4 and later)

bool

1/true

Setting to 1 enables the hmac-sha2-512-etm@openssh.com algorithm.

SFTP2_Log

bool

0/false

Set to 0 disables ClientFTP SFTP logging.

SFTP2_Log_Level

uint32_t

9

ClientFTP SFTP log level. 2147483647 maximum

SFTP2_MD5

bool

1/true

Setting to 0 disables the MD5 MAC algorithm.

SFTP2_MD5_96

bool

1/true

Setting to 0 disables the MD5_96 MAC algorithm.

SFTP2_RIJNDAEL_CBC_AT_LYSATOR_LIU_SE
(v8.0.4 and later)

bool

1/true

Setting t0 1 enables the rijndael-cbc@lysator.liu.se cipher algorithm.

SFTP2_SHA1

bool

1/true

Setting to 1 enables the SHA1 MAC algorithm.

SFTP2_SHA1_96

bool

1/true

Setting to 0 disables the SHA1_96 MAC algorithm.

SFTP2_SHA2_256

bool

1/true

Setting to 1 enables the SHA2_256 MAC algorithm.

SFTP2_SHA2_512

bool

1/true

Setting to 1 enables the SHA2_512 MAC algorithm.

SFTP2_TripleDES

bool

1/true

Setting to 1 enables the TripleDES cipher algorithm.

SFTP2_Twofish

bool

1/true

Setting to 1 enables the Twofish cipher algorithm.

SFTP2_TWOFISH128

bool

1/true

Setting to 1 enables the TWOFISH128 cipher algorithm.

SFTP2_TWOFISH256

bool

1/true

Setting to 1 enables the TWOFISH256 cipher algorithm.

SFTP2_UMAC_64_AT_OPENSSH_COM             
v8.0.4 and later)

bool

1/true

Setting to 1 enables the umac-64@openssh.com algorithm.

SFTP2_UMAC_64_ETM_AT_OPENSSH_COM  
(v8.0.4 and later)

bool

1/true

Setting to 1 enables the umac-64-etm@openssh.com algorithm.

SFTP2_UseCompression

bool

1/true

Enable ClientFTP SFTP compression.

SFTP2PrivateKey

string

none

ClientFTP SFTP private key. 4096 characters maximum

SFTP2PublicKey

string

none

ClientFTP SFTP public key. 4096 characters maximum

The following snippet from the ClientFTP log file shows the output when only SFTP2_TWOFISH128 and SFTP2_MD5_96 are enabled:

STATUS:> Host key match found in certificate database -- accepted.

STATUS:> First key exchange completed

Negotiated algorithms:

kex alg: diffie-hellman-group14-sha1

host key alg: ssh-rsa

c2s encr alg: twofish128-cbc

s2c encr alg: twofish128-cbc

c2s mac alg: hmac-md5-96

s2c mac alg: hmac-md5-96

Details
Last Modified: Last Month
Last Modified By: kmarsh
Type: HOWTO
Rated 1 star based on 13 votes.
Article has been viewed 60K times.
Options
Also In This Category
Tags