Rebex SFTP - Target Server Change

0 votes
asked Apr 11 by Sibi87 (130 points)

Hi,

We are currently using Rebex in our .NET Web server to sFTP a daily file to a Unix server.

The target server is being upgraded to a new server.
There is no change in the DNS name of the server and the Rebex SSH public key has been copied over to the new Unix server.
But we want to manually test the SSH key setup and transmit a test file before go-live.

Is there a way we could manually test the SSH key setup?

Applies to: Rebex SFTP, File Server

1 Answer

+1 vote
answered Apr 11 by Lukas Pokorny (92,790 points)

To test this manually, consider using the SftpWinFormClient sample app. It supports public key authentication.

Alternatively, use a single-purpose console application consisting of Sftp.Connect/Sftp.Login/Sftp.GetList calls (something like our SFTP public key authentication code snippet).

In both cases, the application must have access to a private key corresponding to a public key known to the SFTP/SSH server. This could either be the same key you are going to use in your .NET Web app, or another one that could be disabled later.

commented Apr 13 by Sibi87 (130 points)
Hi Lukas,

Thank you for your reply. Unfortunately we do not have privilege to install or make any code changes in the server in which Rebex is installed.

Is there anyway we could test the Rebex sFTP connection by running commands on the command prompt? (Similar to how we do for normal Unix sFTP transmissions)
commented Apr 16 by Lukas Pokorny (92,790 points)
You don't have to make any code changes in the server in order to use the SftpWinFormClient sample app, and the same applies to a single-purpose console application consisting of Sftp.Connect/Sftp.Login/Sftp.GetList calls. Both of these tests are client-side. Using the SftpConsoleClient sample (https://www.rebex.net/sample/sftp-console-client/) is yet another option and it's a command-line app.
commented Apr 18 by Sibi87 (130 points)
Hi Lukas,

Thank you for your response. We will test as per your suggestion.
Does Rebex sFTP use a known_hosts file? (to add the hosts it connects to via SSH for the first time) If so, could you provide me the default path where this file will be available? We want to see if we can add our new server to the known_hosts file in case we are unable to manually test the SSH setup.
commented Apr 18 by Lukas Pokorny (92,790 points)
Rebex SFTP doesn't support known_hosts file. Our users are supposed to verify the server public key themselves, possibly using a known_hosts file. Please check out https://www.rebex.net/sftp.net/features/security.aspx#verify-server-key for additional information.
commented Apr 18 by Sibi87 (130 points)
Hi Lukas,

Thank you for your response. In our scenario, we are transmitting the file to a Unix server using Rebex sFTP private key/public key authentication.

Below is a snippet of how we are connecting and transmitting files to the target unix server:

// sftp is a Rebex.Net.Sftp instance; privateKey is the SshPrivateKey used for authentication
sftp.Connect(sftpServerHostName);   // TCP connect and SSH key exchange
sftp.Login(username, privateKey);   // public key authentication
sftp.PutFile(Path, FileName);       // upload the daily file

We have now copied the public key to a new Unix server. We are not using any of the server fingerprint/ public key verification commands which you have listed in the previous comment.
So when the file is transmitted to the new Unix server, technically, the transmission should work without any issues correct?

In the security page, it is mentioned that "Server verification is done by checking the server's public key and its signature.
The signature is validated by Rebex SFTP automatically but it's up to you to check the server's public key (or fingerprint)"

Will this Rebex sFTP signature validation detect that the connection is being established with a new Unix server (even though the public key is available on the new server and the server hostname is unchanged) and stop the transmission?
commented Apr 19 by Lukas Pokorny (92,790 points)
Rebex SFTP would only stop the transmission on invalid signature. It does not detect public key mismatch. This essential check is the responsibility of custom applications.

During the signature validation, Rebex SFTP just validates the signature. This ensures that the SFTP/SSH server is in fact in possession of a private key corresponding to its public key it presented to the client.

However, this does NOT ensure that public key is correct, and it does NOT ensure that the public key is the same as during previous connections with the same server hostname. In order to do this, you need some kind of a database or persistent storage (such as known_hosts file), but this is outside the scope of Rebex SFTP and it's the responsibility of your application to ensure the public key presented by the server is acceptable.
...
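The following is an added example, not code from the thread or from Rebex, showing the single-purpose console test described in the answer (Connect/Login/GetList) combined with the server-key check that the last comment says is the application's responsibility. It keeps an in-memory table playing the role of a known_hosts file, pinned to the key fingerprint recorded for the new Unix server out-of-band, and refuses to authenticate when the presented key does not match. Assumptions: the Rebex `Sftp` object exposes the negotiated server key as `ServerKey` with a `Fingerprint` member and `SshPrivateKey` takes a file path and password in its constructor (check the security page linked in the thread for the exact API); the hostname, username, key path and fingerprint value are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Rebex.Net;

class SftpKeySetupTest
{
    // Constructed stand-in for a known_hosts file: hostname -> fingerprint that was
    // obtained from the Unix administrator when the new server was set up. The
    // fingerprint value below is a placeholder, not a real key.
    static readonly Dictionary<string, string> KnownHosts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "sftp.example.internal", "PLACEHOLDER-FINGERPRINT-OF-NEW-UNIX-SERVER" },
        };

    // Returns true only when the host is known and the presented fingerprint matches.
    // An unknown host is rejected: an unattended daily job should not trust-on-first-use.
    static bool IsTrustedServerKey(string hostname, string presentedFingerprint)
    {
        string pinned;
        if (!KnownHosts.TryGetValue(hostname, out pinned))
            return false;
        return string.Equals(pinned, presentedFingerprint, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        string hostname = "sftp.example.internal";          // placeholder
        string username = "transfer";                        // placeholder
        string keyPath = @"C:\keys\transfer-key.ppk";        // placeholder
        string keyPassword = null;                           // null for an unencrypted key

        using (var sftp = new Sftp())
        {
            // Key exchange happens here. As the thread explains, Rebex validates the
            // server's signature at this point but does not compare the key to anything.
            sftp.Connect(hostname);

            // Application-side check: the presented key must be the one pinned for this host.
            // Do this BEFORE Login so no authentication is attempted against a wrong server.
            string fingerprint = sftp.ServerKey.Fingerprint.ToString();   // assumed API
            if (!IsTrustedServerKey(hostname, fingerprint))
            {
                Console.WriteLine("Server key for {0} is {1}; it does not match the pinned value. Aborting.",
                                  hostname, fingerprint);
                sftp.Disconnect();
                return;
            }

            // Public key authentication with the same key the Web app will use (or a test key
            // that can be removed from authorized_keys afterwards).
            var privateKey = new SshPrivateKey(keyPath, keyPassword);   // assumed constructor
            sftp.Login(username, privateKey);

            // Cheap end-to-end confirmation that the key setup works: list the home directory.
            foreach (var item in sftp.GetList())
                Console.WriteLine(item.Name);

            sftp.Disconnect();
        }
    }
}
```

Run the program once against the new server with the pinned fingerprint deliberately wrong to confirm it aborts before Login, then with the correct value to confirm the listing succeeds; that exercises both halves of the go-live test discussed in the thread.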