Identify SFTP client

0 votes
asked Sep 8, 2016 by Prabhakar (610 points)

I want the SFTP server to identify a specific SFTP client. For example, before the SFTP client does a file upload it could get the current session and issue some command that the SFTP server can recognise. Do you think this is the right approach? Are there any techniques that the SFTP server can use? Here the SFTP client will use the Rebex library and the SFTP server will be in Windriver.

commented Sep 8, 2016 by Lukas Pokorny (126,910 points)
By "specific SFTP client", do you mean "a specific SFTP client software", "a specific SFTP client machine (an instance of the client software)" or something else?
Also, in what ways would the server behave differently based on the specific identity?
commented Sep 8, 2016 by Prabhakar (610 points)
It's a specific SFTP client software that we built with the Rebex SFTP client library. There will be other SFTP client software (like WinSCP) which will talk to the server (which has SFTP server enabled). When an XML file is sent from our software to the server we want the server to know that the file was sent from our software and thus check an XML tag in the file to make business decisions. But when the server receives the XML from WinSCP we do not want the server to check the tag. We do configure the SFTP server in Windriver.

1 Answer

0 votes
answered Sep 8, 2016 by Lukas Pokorny (126,910 points)

Many SFTP servers and client software (including WinSCP) use the initial "welcome message" to make decisions based on the version of software used by the other side of the connection. The welcome message is a string prefixed with "SSH-2.0-" that usually includes the software's version number. In the case of Rebex SFTP, this string is "SSH-2.0-RebexSSH_{version}".

We don't know whether Windriver can be configured to behave differently based on different strings, although we know that our SFTP server can (the string is accessible from Authentication event arguments).

However, making business decisions based on this is quite problematic because the welcome message can easily be spoofed or even modified along the way (it is transmitted before a secure channel is established).

A slightly better alternative to this would be the vendor-id SFTP extension, which is part of the SFTP protocol and is only sent over a secure channel after the user has been authenticated and an SFTP session has been established. Even though we don't support this yet, we can easily add it on demand. However, even this could be easily spoofed in other clients.

A better approach would be to have each client generate a unique private key on installation, send the corresponding public key to the server and use key-based authentication. However, this is complicated and still far from being hacker-proof.
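The two approaches contrasted in the answer, as an added example that is not part of the thread and not Rebex or Windriver code: a parser for the cleartext SSH identification string (RFC 4253 section 4.2, the "SSH-2.0-RebexSSH_{version}" form mentioned above), which any client can fake, beside a model of the per-installation key registry, where the server trusts a client identity only after that client proves possession of a registered private key by signing a session-specific challenge. It is written in Go using only the standard library; the identification lines other than the Rebex format, the client name "our-xml-uploader", and the challenge values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Ident is the parsed form of the SSH identification ("welcome") string,
// exchanged in cleartext before key exchange (RFC 4253, section 4.2):
//   SSH-protoversion-softwareversion SP comments CR LF
type Ident struct {
	ProtoVersion    string
	SoftwareVersion string
	Comments        string
}

// ParseIdent splits one identification line into its three fields.
func ParseIdent(line string) (Ident, error) {
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasPrefix(line, "SSH-") {
		return Ident{}, errors.New("not an SSH identification string")
	}
	rest := line[len("SSH-"):]
	dash := strings.IndexByte(rest, '-')
	if dash < 0 {
		return Ident{}, errors.New("missing softwareversion field")
	}
	id := Ident{ProtoVersion: rest[:dash]}
	sw := rest[dash+1:]
	if sp := strings.IndexByte(sw, ' '); sp >= 0 {
		id.Comments = sw[sp+1:]
		sw = sw[:sp]
	}
	id.SoftwareVersion = sw
	return id, nil
}

// IsRebexIdent is the weak check from the answer: it only inspects a string
// that any client can send, so it identifies software by claim, not by proof.
func IsRebexIdent(line string) bool {
	id, err := ParseIdent(line)
	return err == nil && strings.HasPrefix(id.SoftwareVersion, "RebexSSH_")
}

// Registry maps public keys (one generated per client installation) to a
// client identity the server is willing to base business decisions on.
type Registry struct {
	names map[string]string // raw public key bytes -> client name
}

func NewRegistry() *Registry { return &Registry{names: map[string]string{}} }

// Register records the public key a client sent to the server at install time.
func (r *Registry) Register(pub ed25519.PublicKey, name string) {
	r.names[string(pub)] = name
}

// Identify returns the registered name only if the key is known and sig is a
// valid signature over this session's challenge, so a signature captured in
// one session cannot be replayed in another.
func (r *Registry) Identify(pub ed25519.PublicKey, challenge, sig []byte) (string, bool) {
	name, ok := r.names[string(pub)]
	if !ok || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, challenge, sig) {
		return "", false
	}
	return name, true
}

// NewClientKey and Sign stand in for what the installer and the client do.
func NewClientKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func Sign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// ShouldCheckXMLTag is the business rule from the thread: inspect the tag only
// for uploads from our own client (the name is hypothetical).
func ShouldCheckXMLTag(client string) bool { return client == "our-xml-uploader" }

func main() {
	// Constructed identification lines; only the Rebex format comes from the thread.
	// The third line is what a non-Rebex client could send: it is indistinguishable.
	for _, line := range []string{
		"SSH-2.0-RebexSSH_3.0.5871\r\n",
		"SSH-2.0-WinSCP_release_5.9\r\n",
		"SSH-2.0-RebexSSH_3.0.5871\r\n",
	} {
		fmt.Printf("%q -> claims Rebex: %v\n", strings.TrimSpace(line), IsRebexIdent(line))
	}

	pub, priv, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.Register(pub, "our-xml-uploader")
	challenge := []byte("constructed-session-nonce-1")
	name, ok := reg.Identify(pub, challenge, Sign(priv, challenge))
	fmt.Println("key-based identity:", name, ok, "check XML tag:", ShouldCheckXMLTag(name))
}
```

The registry only answers the question "which installation holds this key", which is why the answer calls it far from hacker-proof: anyone who can read the client's private key from an installed copy can present the same identity, so the XML-tag rule must still tolerate hostile input.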