Skip to Content

Changes for page SFTP Known Hosts

Last modified by Danniar Firdausy on 2024/09/18 20:35
From version 34.14
edited by Danniar Firdausy
on 2024/09/18 20:35
Change comment: There is no comment for this version
To version 18.1
edited by Erik Bakker
on 2022/06/10 08:38
Change comment: Imported from XAR

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,0 @@
1 -SFTP Known Hosts
Parent
... ... @@ -1,1 +1,0 @@
1 -Main.eMagiz Academy.Microlearnings.Intermediate Level.File based connectivity.WebHome
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.dfirdausy
1 +XWiki.ebakker
Default language
... ... @@ -1,1 +1,0 @@
1 -en
Content
... ... @@ -1,9 +1,13 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 += SFTP Security =
2 2  
3 -In our previous [[microlearning>>Main.eMagiz Academy.Microlearnings.Intermediate Level.File based connectivity.intermediate-file-based-connectivity-sftp-connectivity||target="blank"]], we explored how to connect to an SFTP server using eMagiz and discussed an alternative security method for authentication. Now, we are going to delve deeper into securing your SFTP connections by storing the server’s unique fingerprint to protect against "man in the middle" attacks. This microlearning will guide you through the process of generating and managing a "known hosts" file to ensure you're always connecting to the correct SFTP server.
4 +In the last microlearning, we discussed how to connect to an SFTP from eMagiz. In this microlearning, we want to expand our knowledge and look at a more complex security configuration when connecting to SFTP instances. The configuration we are talking about is the private key configuration.
4 4  
5 5  Should you have any questions, please get in touch with [[academy@emagiz.com>>mailto:academy@emagiz.com]].
6 6  
8 +* Last update: August 25th, 2021
9 +* Required reading time: 9 minutes
10 +
7 7  == 1. Prerequisites ==
8 8  
9 9  * Basic knowledge of the eMagiz platform
... ... @@ -11,78 +11,64 @@
11 11  
12 12  == 2. Key concepts ==
13 13  
14 -This microlearning is about SFTP known host files.
15 -* By SFTP known hosts, we mean: Making sure that we are certain that we connect to the correct SFTP to prevent data theft as a result of a "man in the middle" attack.
18 +This microlearning is about SFTP security.
16 16  
17 -== 3. SFTP Known Hosts ==
20 +By SFTP security, we mean: Making sure that the SFTP we connect to knows that we are indeed eMagiz
18 18  
19 -In this microlearning, we want to expand our knowledge and look at a way to store the unique fingerprint of the SFTP to avoid that someone else can pretend to be the SFTP when you want to send data (i.e. a "man in the middle attack"). To retrieve the unique fingerprint of an SFTP you first need to connect to the SFTP in question. This way you can retrieve the unique fingerprint and secure it in a file for future use to prevent the "man in the middle attack".
22 +* Private key is unique per client
23 +* Private key should only be known to the client
24 +* Public key should be known to the SFTP (server), so they trust us when we set up the communication
25 +* A private key comes with a passphrase
20 20  
21 -* Each SFTP has a unique fingerprint that identifies the SFTP.
22 -* To prevent a "man in the middle" attack, this fingerprint needs to be stored client side.
23 -* There are two distinct methods to generate the known hosts file.
24 24  
25 -There are two distinct ways of retrieving and storing the unique fingerprint of the SFTP in a "known hosts file". The first option is portal based and the second option is command line based. The preferred option is the portal based one. Do note that the first option only works if the SFTP is **publicly** accessible without any IP restrictions.
26 26  
27 -=== 3.1 Known Hosts File Generation - Portal ===
29 +== 3. SFTP Security ==
28 28  
29 -To configure the preferred option we start at the flow level in Create. Once the flow is opened please enter "Start Editing" mode and navigate to the Support object tab in the right panel. In here open the SFTP (caching) session factory that is used to connect to the SFTP.
31 +In the last microlearning, we discussed how to connect to an SFTP from eMagiz. In this microlearning, we want to expand our knowledge and look at a more complex security configuration when connecting to SFTP instances. The configuration we are talking about is the private key configuration.
30 30  
31 -[[image:Main.Images.Microlearning.WebHome@intermediate-file-based-connectivity-sftp-known-hosts--sftp-session-factory-start.png]]
33 +* Private key is unique per client
34 +* Private key should only be known to the client
35 +* Public key should be known to the SFTP (server), so they trust us when we set up the communication
36 +* A private key comes with a passphrase
32 32  
33 -Once you see the configuration of the component please define a property for the known hosts field. This property will later on be used to generate and store the known hosts file while in Deploy.
38 +If you are looking for some introductory reading into certificates, please check this [microlearning](novice-securing-your-data-traffic-what-are-certificates.md).
34 34  
35 -[[image:Main.Images.Microlearning.WebHome@intermediate-file-based-connectivity-sftp-known-hosts--sftp-session-known-hosts.png]]
40 +As the private key is yours, you can ask a trusted party to generate the key, or you could create it yourself. The latter part happens a lot when connecting to an SFTP. You could use a tool like PuttyGen to achieve this. As a result, you will have a keypair. The private key should be kept safely with you in eMagiz, and you need to share the public key with the SFTP server party. In this microlearning, I will not explain how PuttyGen works in detail. Instead, we will focus on the part in eMagiz. In eMagiz, we need to refer to the key file (linked under Resources), and we need to refer to the password we use to save our key file securely.
36 36  
37 -When you are satisfied with the configuration you can save it, press "Stop editing", and create a new version of the flow. Now that we have a new version of the flow we navigate to the Deploy phase to trigger eMagiz to generate and store the known hosts file correctly on runtime level. To do so we need to create the property (with the correct name) in Deploy. If you are unsure on how to create properties in the first place, please check out this [[property management>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-deploy-property-management-new.WebHome||target="blank"]] microlearning.
42 +[[image:Main.Images.Microlearning.WebHome@intermediate-file-based-connectivity-sftp-security--private-key-config.png]]
38 38  
39 -When defining the value of the property we now have an additional option in the "Data type" dropdown called "Known hosts String". Once you have selected this a cogwheel icon will apear next to the value field.
44 +Note that the use of a password and a private key are mutually exclusive. So you need to either provide a password or a private key for authentication. In the help text provided by eMagiz, you can see how the reference to the key file should be made.
40 40  
41 -[[image:Main.Images.Microlearning.WebHome@intermediate-file-based-connectivity-sftp-known-hosts--known-hosts-string-property-start.png]]
46 +When you have configured these settings, you have finished the configuration in eMagiz. Now you could test whether the configuration is set up correctly between eMagiz and the SFTP. If this is not the case, eMagiz will notify you via the Manage phase, either as an error message or a log entry.
42 42  
43 -Pressing this cogwheel icon will open a new pop-up in which you need to define the port and the host you want to connect to.
48 +Using this setting gives the server the option to verify if the communication request came from eMagiz (or at least from the party that holds the private key of eMagiz). This is an additional security measure to ensure data integrity and quality.
44 44  
45 -[[image:Main.Images.Microlearning.WebHome@intermediate-file-based-connectivity-sftp-known-hosts--known-hosts-string-property-config-empty.png]]
46 46  
47 -After filling in the correct values press the button called "Generate known hosts string" to make sure that eMagiz will generate the file for you. As a result, eMagiz will show you the correct string that defines the known host.
48 48  
49 -[[image:Main.Images.Microlearning.WebHome@intermediate-file-based-connectivity-sftp-known-hosts--known-hosts-string-property-generated.png]]
52 +== 4. Assignment ==
50 50  
51 -{{info}}In case you have multiple SFTP connections within your flow (or runtime) you should use distinct property placeholder for each SFTP to utilize this functionality.{{/info}}
54 +Check within your project(s) whether an SFTP connection is secured with the help of private key construction.
55 +This assignment can be completed with the help of the (Academy) project that you have created/used in the previous assignment.
52 52  
53 -=== 3.2 Known Hosts File Generation - Command Line ===
57 +== 5. Key takeaways ==
54 54  
55 -The secondary option, when there are IP restrictions, provides you with the option to execute several commands after gaining access to the correct server to generate the known hosts file. These steps are detailed below.
56 -
57 -* Gain access to the server in question from which you can reach the SFTP.
58 -* Execute the following command (compatible with both Linux and Windows): {{code}}ssh-keyscan -p [port] [host] > [known-hosts target path]{{/code}}
59 -** An example would be: {{code}}ssh-keyscan -p 22 localhost > C:\tmp\generated_known_hosts{{/code}}
60 -* Navigate to the generated file and open it. The file should contain one or more lines in the format {{code}}hostname/ip key-type value
61 -e.g. 127.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAICZPI5pQ6PSXgS4QOPsai2QjC2EcVjFejvUM5RMYOmwbwW{{/code}}
62 -* Open eMagiz and navigate to the flow where the file is needed.
63 -* Upload the known_hosts file as a flow resource, and click on the "eye" icon to see its unique name.
64 -* Define a property for the known hosts field in the SFTP (caching) session factory.
65 -** Provide a value for the property upon deploying the release that follows the following structure: {{code}}classpath:emagiz-resources/[filename]{{/code}}
59 +* Private key is unique per client
60 +* Private key should only be known to the client
61 +* Public key should be known to the SFTP (server), so they trust us when we set up the communication
62 +* A private key comes with a passphrase
66 66  
67 -== 4. Key takeaways ==
68 68  
69 -* Each SFTP server has a unique fingerprint that serves as its identifier.
70 -* To protect against "man in the middle" attacks, you must securely store this fingerprint on the client side.
71 -* There are two methods for generating and managing the known hosts file: a portal-based approach and a command-line approach. The portal-based method is preferred for publicly accessible SFTP servers without IP restrictions.
72 72  
73 -== 5. Suggested Additional Readings ==
66 +== 6. Suggested Additional Readings ==
74 74  
75 75  If you are interested in this topic and want more information, please read the release notes provided by eMagiz. Furthermore, check out these links:
76 76  
77 -* [[Crash Course (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.WebHome||target="blank"]]
78 -** [[Crash Course Platform (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.WebHome||target="blank"]]
79 -*** [[Property Management (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-deploy-property-management-new.WebHome||target="blank"]]
80 -* [[Intermediate Level (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.WebHome||target="blank"]]
81 -** [[File based connectivity (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.File based connectivity.WebHome||target="blank"]]
82 -*** [[SFTP Connectivity (Explanation)>>Main.eMagiz Academy.Microlearnings.Intermediate Level.File based connectivity.intermediate-file-based-connectivity-sftp-connectivity||target="blank"]]
83 -*** [[SFTP Security (Explanation)>>Main.eMagiz Academy.Microlearnings.Intermediate Level.File based connectivity.intermediate-file-based-connectivity-sftp-security||target="blank"]]
84 -* [[Known Hosts (Search Results)>>url:https://docs.emagiz.com/bin/view/Main/Search?sort=score&sortOrder=desc&highlight=true&facet=true&r=1&f_space_facet=0%2FMain.&l_space_facet=10&f_type=DOCUMENT&f_locale=en&f_locale=&f_locale=en&text=%22known+hosts%22||target="blank"]]
85 -* [[Known Hosts Files explained (External)>>https://stackoverflow.com/questions/33243393/what-is-actually-in-known-hosts||target="blank"]]
86 -* [[SFTP Session Factory (External)>>https://docs.spring.io/spring-integration/docs/2.2.6.RELEASE/reference/html/sftp.html#sftp-session-factory||target="blank"]]
70 +* https://docs.spring.io/spring-integration/docs/2.2.6.RELEASE/reference/html/sftp.html#sftp-outbound
71 +* https://docs.spring.io/spring-integration/docs/2.2.6.RELEASE/reference/html/sftp.html#sftp-session-factory
72 +* https://www.2brightsparks.com/resources/articles/sftp-authentication.html
87 87  
74 +== 7. Silent demonstration video ==
75 +
76 +As this is a more theoretical microlearning, there is no video.
77 +
88 88  )))((({{toc/}}))){{/container}}{{/container}}