Skip to Content

SFTP Known Hosts

Version 28.1 by Erik Bakker on 2024/06/20 09:19

In an earlier microlearning, we discussed how to connect to an SFTP from eMagiz. Later on we zoomed in on an alternative security method to authenticate yourself at the SFTP. More on this can be found in this microlearning. In this microlearning, we want to expand our knowledge and look at a way to store the unique fingerprint of the SFTP to avoid that someone else can pretend to be the SFTP when you want to send data (i.e. a "man in the middle attack").

Should you have any questions, please get in touch with academy@emagiz.com.

1. Prerequisites

  • Basic knowledge of the eMagiz platform
  • Novice course on File-based connectivity

2. Key concepts

This microlearning is about SFTP known host files.

By SFTP known hosts, we mean: Making sure that we are certain that we connect to the correct SFTP to prevent data theft as a result of a "man in the middle" attack.

  • Each SFTP has a unique fingerprint that identifies the SFTP.
  • To prevent a "man in the middle" attack, this fingerprint needs to be stored client side.
  • There are two distinct methods to generate the known hosts file.

3. SFTP Known Hosts

In this microlearning, we want to expand our knowledge and look at a way to store the unique fingerprint of the SFTP to avoid that someone else can pretend to be the SFTP when you want to send data (i.e. a "man in the middle attack"). To retrieve the unique fingerprint of an SFTP you first need to connect to the SFTP in question. This way you can retrieve the unique fingerprint and secure it in a file for future use to prevent the "man in the middle attack".

There are two distinct ways of retrieving and storing the unique fingerprint of the SFTP in a "known hosts file". The first option is portal based and the second option is command line based. The preferred option is the portal based one. Do note that the first option only works if the SFTP is publicly accessible without any IP restrictions.

3.1 Known Hosts File Generation - Portal

To configure the preferred option we start at the flow level in Create. 

3.2 Known Hosts File Generation - Command Line

The secondary option, when there are IP restrictions, provides you with the option to execute several commands after gaining access to the correct server to generate the known hosts file. These steps are detailed below.
  

  • Gain access to the server in question from which you can reach the SFTP.
  • Execute the following command (compatible with both Linux and Windows): ssh-keyscan -p [port] [host] > [known-hosts target path]
    • An example would be: ssh-keyscan -p 22 localhost > C:\tmp\generated_known_hosts
  • Navigate to the generated file and open it. The file should contain one or more lines in the format hostname/ip key-type value
    e.g. 127.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAICZPI5pQ6PSXgS4QOPsai2QjC2EcVjFejvUM5RMYOmwbwW
  • Open eMagiz and navigate to the flow where the file is needed.
  • Upload the known_hosts file as a flow resource, and click on the "eye" icon to see its unique name.
  • Define a property for the known hosts field in the SFTP (caching) session factory.
    • Provide a value for the property upon deploying the release that follows the following structure: classpath:emagiz-resources/[filename]

4. Key takeaways

  • Each SFTP has a unique fingerprint that identifies the SFTP.
  • To prevent a "man in the middle" attack, this fingerprint needs to be stored client side.
  • There are two distinct methods to generate the known hosts file.

5. Suggested Additional Readings

If you are interested in this topic and want more information, please read the release notes provided by eMagiz. Furthermore, check out these links: