How to add security with certificates in Rebex SFTP? Novice user...

0 votes
asked Aug 17 by Fragger (150 points)

Hello All,

I'm an extremely novice user of Linux, SSH, etc. That's why I'm using this wonderful app to use a simple, personal SFTP for myself. Unfortunately, I cannot figure out how to properly add a layer of certificate security on top of my password protection. Applications like FileZilla server are friendly and provide all the tools via the UI to generate a client certificate to use, while enabling it on the server side. For Rebex, I'm unclear of how to put it together.

Can someone explain this to me in a very, very novice manner, step by step? I understand there is a directory for keys in ProgramData. However, how do I use this and complete the process? When I go to enable a certificate required in the user management screen and try to pick public key from this directory I get an error for not being able to load it. There is a reference to SSH generator in the documentation that I cannot wrap my head around either.

Can someone please help me add this MFA security on my folders? That is, password and a certificate/key authentication in a step by step way? I would really appreciate it! Thank you!

1 Answer

0 votes
answered Aug 17 by Pavel Matyska (14,940 points)

Hello,

Basically, you need to put the user's public key on the server and associate this public key with a user account. When connecting from the client side, you need to use the private key to authenticate.

To require clients to authenticate using password and public key in Buru SFTP Server, you have to set both the password and public key authentication methods to required. It can be done in the Web Administration page, section users: pick the user who should use password and public key together, then choose required for both authentication methods. In the public key authentication section you have to choose a public key file for which the client possesses the private key it will use to authenticate.

So you need to create a private/public key pair, for example using the ssh-keygen command line tool. Just run ssh-keygen from your command prompt, then follow the instructions the program gives you. Use something like C:\MyKeys\BuruClientKey; then in C:\MyKeys you will find both the private key (file without an extension) and the public key (file with .pub extension). When enabling public key authentication in Buru SFTP Server Web Administration, choose this .pub file as the public key.

On the client side, you have to prove that the public key on the server is yours by using the private key part of the key pair. For example, the WinSCP client can authenticate using both password and private key.

Please make sure that the public key is copied to the server and is associated with the correct user account. Then make sure that when connecting from a client it uses the proper private key that corresponds to the public key on the server.

commented Aug 17 by Fragger (150 points)
Thank you again Pavel! I was able to follow your instructions, and at first I used PuTTYgen for the key pairs. Later on, I figured out that ssh-keygen was simply a command I could fire from my Windows 10 command prompt. I still stuck to PuTTYgen for my testing because the UI allowed for easy setting of the algorithm to use, passphrase, etc.

After loading the public key in Buru and enabling the requirement, and a few bumps and bruises, I was able to log into the SFTP using WinSCP! However, using my FolderSync client and another mobile FTP client, I could not for the life of me log into the SFTP :'(

Do you think it could be a matter of those clients not supporting the algorithm I used for the key pairs? I used ECDSA.

Appreciate your amazing assistance!
commented Aug 18 by Pavel Matyska (14,940 points)
Hello,

I'm glad I could help. Please note that Buru SFTP Server communicates over the SSH/SFTP protocol; FTP is a different protocol. Please review the SFTP and FTP differences at https://www.sftp.net/sftp-vs-ftps. You have to use an SFTP client to connect to Buru SFTP Server.

As for the ECDSA key pair, I tried ECDSA with a 512-bit key with Bitvise SSH Client. It turned out that the Bitvise client can use my key in OpenSSH format (generated by the ssh-keygen command line tool), but failed to load the same key saved in PuTTY format. So yes, your other applications can have difficulties with your ECDSA keys. You can try an RSA key pair to start with. Please remember that you need your private key on your client mobile device.
commented Aug 19 by Fragger (150 points)
Indeed Pavel, I'm deliberately trying to use SFTP, not FTP.

Thank you for your further testing, I really appreciate all the help you give me. I chose ECDSA because the ssh-keygen article you pasted for me sort of recommended it as the best kind to use. However, if you're saying it'll only work in SSH, then I may be forced to use RSA. The challenge is, I'm trying to use a folder syncing mobile app called FolderSync Pro to connect to this SFTP server, so it's hard for me to completely understand whether that app can communicate as SSH over PuTTY.

I'll try with RSA; I guess some security is better than no security.
commented Aug 19 by Pavel Matyska (14,940 points)
Hello,

I just tried an SSH client to test both key formats with the ECDSA algorithm. That particular client supports only the OpenSSH key format. When I used the PuTTY key format of the same key, it failed to load it. So I could confirm that some clients do not support the ECDSA algorithm, or that support of a key depends on the format the key is saved in. Keys with the RSA algorithm are common, which is why I recommended that you test that. On the FolderSync page https://www.tacit.dk/foldersync/help/#sftp I found that it should support password and key authentication. If you have troubles with this client, please contact its vendor for assistance on how to set it up, since you confirmed to us that you can connect with another client (WinSCP) as you needed.
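Both the answer's ssh-keygen procedure and the key-format problem discussed in the last two comments come down to the same question: is the file you are about to upload actually a one-line OpenSSH .pub key, and does it match what your client holds? The script below is an added example, not part of the original thread and not Buru/Rebex, WinSCP or FolderSync code. It tells apart an OpenSSH .pub line, an RFC 4716 block (what PuTTYgen's "Save public key" button writes), a PuTTY .ppk private key and a PEM/OpenSSH private key; for a .pub line it decodes the blob, checks that the type prefix matches the type embedded in the blob, reports the key size and prints the SHA256 fingerprint in the same form `ssh-keygen -l -f key.pub` shows, so you can compare it with the fingerprint the client displays. All key material in it is synthetic and constructed for the example; the function and sample names are the example's own.

```python
"""Check an SSH public key file before uploading it to the server.

Added example, standard library only; the key material below is synthetic.
"""
import base64
import hashlib
import struct

OPENSSH_TYPES = (
    "ssh-rsa",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
)


def _ssh_string(buf, offset):
    """Read one length-prefixed string (RFC 4251 'string') from buf at offset."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:end], end


def classify_key_file(text):
    """Guess the on-disk format from the first line; only 'openssh-public' is a .pub line."""
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    if first.startswith("PuTTY-User-Key-File-"):
        return "putty-ppk"          # PuTTYgen private key; OpenSSH-based clients cannot load it
    if first == "---- BEGIN SSH2 PUBLIC KEY ----":
        return "rfc4716-public"     # what PuTTYgen's "Save public key" button writes
    if first.startswith("-----BEGIN ") and "PRIVATE KEY-----" in first:
        return "private-key"        # stays on the client; never upload this file
    if first.split(" ")[0] in OPENSSH_TYPES:
        return "openssh-public"     # the one-line .pub format to pick in the server's user settings
    return "unknown"


def parse_openssh_pubkey(line):
    """Decode a '<type> <base64> [comment]' line; return (type, bits, fingerprint, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, off = _ssh_string(blob, 0)
    if embedded.decode() != declared:
        raise ValueError("prefix %r does not match blob type %r" % (declared, embedded))
    if declared == "ssh-rsa":
        _e, off = _ssh_string(blob, off)
        n, off = _ssh_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()   # mpint may carry a leading 0x00
    elif declared == "ssh-ed25519":
        point, off = _ssh_string(blob, off)
        bits = len(point) * 8
    elif declared.startswith("ecdsa-sha2-nistp"):
        curve, off = _ssh_string(blob, off)
        _point, off = _ssh_string(blob, off)
        bits = int(curve.decode()[len("nistp"):])
    else:
        raise ValueError("unsupported key type " + declared)
    if off != len(blob):
        raise ValueError("trailing bytes after key data")
    # Same form as `ssh-keygen -l -f key.pub`: SHA256 of the raw blob, base64 without padding.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return declared, bits, fp, comment


def make_pubkey_line(key_type, *fields, comment=""):
    """Build a .pub line from raw fields (used only to construct the synthetic samples below)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(),) + fields)
    line = key_type + " " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed samples, not real keys: 32 zero bytes stand in for an Ed25519 point,
# and the RSA modulus is a 2048-bit mpint (leading 0x00 because the top bit is set).
SAMPLE_ED25519 = make_pubkey_line("ssh-ed25519", bytes(32), comment="buru-client")
SAMPLE_RSA = make_pubkey_line("ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + b"\x11" * 255, comment="test")
SAMPLE_PPK = "PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: none\nComment: eddsa-key\n"
SAMPLE_RFC4716 = '---- BEGIN SSH2 PUBLIC KEY ----\nComment: "test"\nAAAA\n---- END SSH2 PUBLIC KEY ----\n'

if __name__ == "__main__":
    for name, text in (("id.pub", SAMPLE_ED25519), ("rsa.pub", SAMPLE_RSA),
                       ("key.ppk", SAMPLE_PPK), ("putty-saved.pub", SAMPLE_RFC4716)):
        kind = classify_key_file(text)
        print(name, "->", kind)
        if kind == "openssh-public":
            print("   ", parse_openssh_pubkey(text))
```

To check a real file, read it and pass the text to `classify_key_file`; if the result is not `openssh-public`, the server's "cannot load" error is expected, and for a PuTTYgen key the OpenSSH line to use is the one shown in PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box. The fingerprint returned by `parse_openssh_pubkey` should equal the one `ssh-keygen -l -f` prints for the same file and the one the client shows for its private key; if they differ, the client is using a different key than the one uploaded.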
commented Aug 21 by Fragger (150 points)
Thank you Pavel, I'll try to keep it vanilla and go for RSA basic right now. Thank you for all your help!
commented Aug 21 by Fragger (150 points)
Hey Pavel, good news! I was able to use ssh-keygen to generate an SSH key pair and authenticate successfully with Rebex + FolderSync Pro! Looks like PuTTY is not supported by the client... I've let the developer know to perhaps include this in his documentation.

Thanks to your invaluable help, my very personal solution for SFTP is ready to go!

One last optimization question that perhaps you can help me with: is there anything I can do with Rebex or my Windows Pro server machine to somehow increase the rate of transfer on my uploads and downloads? I have a 1 gig fiber internet connection at home, but top out my max file upload speed at ~11 - 12 mb/sec. Is this completely a client or server hardware limitation? Or is there something I can do in Rebex on my Windows machine to improve this?

Thank you again!
commented Aug 23 by Lukas Paluzga (890 points)
Hi,

12 MB/sec (assuming mega-bytes, not mega-bits) is not unexpected when transferring many small files. You can try a few things:
- does your client support transferring multiple files in parallel?
- try enforcing different encryption suite. AES-GCM and AES-CTR usually offer the highest throughput.
- put the files into archives before transferring, if possible
...