EldoS | Feel safer!

SFTP and certificates

#7156
Posted: 07/31/2008 09:31:39
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

Is it possible to do certificate based key validation with SFTP? I see that both ElSSHClient and ElSimpleSftpClient seem to have only a single key validation event OnKeyValidate, and the parameter for this is an ElSSHKey which doesn't seem to have any way to access a cert. So it seems that these classes don't support certificate based validation. Am I correct so far?

Now, if I'm correct, is this because SFTP itself doesn't support certificate exchange or is it just because SBB doesn't support it for these protocols?

Thanks,
Kevin Donn
#7157
Posted: 07/31/2008 09:53:34
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

SBB supports SSH X.509 certificate-based public-key algorithms (SSH_PK_X509_SIGN_RSA, SSH_PK_X509_SIGN_DSS).
There is a property TElSSHKey.Certificate, which contains the corresponding certificate (when the appropriate algorithm is used).
#7158
Posted: 07/31/2008 10:02:21
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

When I started trying to develop this stuff this morning, I was certain I had seen a Certificate property somewhere, but I didn't see anything about it in the documentation for ElSSHKey. I had probably seen it in the debugger at some point. Maybe I have old docs or the Certificate property is missing from the help file. I think this will get me going though.

Thanks,
Kevin Donn
#7160
Posted: 07/31/2008 10:16:15
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

Yes, this property hasn't been added to the documentation yet, but it is on our todo list and will be fixed ASAP.
#7162
Posted: 07/31/2008 10:59:45
by Eugene Mayevski (EldoS Corp.)

1) SFTP has no encryption and no authentication. This is just a file transfer protocol. SSH, on top of which SFTP usually runs, provides encryption and authentication.

2) SSH protocol doesn't have a standardized way to use X.509 certificates for SSH authentication. There were attempts to use them, but no standardization document went beyond the first draft.

3) Some servers do support X.509 certificates. So does SecureBlackbox (both on the client side and the server side). If you use search, you will find a couple of articles and forum posts that will answer your questions in detail.


Sincerely yours
Eugene Mayevski
#7217
Posted: 08/05/2008 10:13:38
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

First, I should clarify: I'm not trying to authenticate the client with an X.509 certificate. Client authentication is simple username/password. I'm trying to use SBB to connect to a Tectia SSH server (SSH-2.0-6.0.1.10 SSH Tectia Server) and I want to authenticate the server's public key. I have no control over the server. The server team has provided a test server and a production server. I have been authenticating the test server's public key just by checking its FingerprintMD5, but I've been told that the production server has a Verisign certificate, so I would like to authenticate its key by using CAValidate.

In my OnKeyValidate handler I'm checking ServerKey.Certificate and it's always nil. I'm using TElSimpleSFTPClient and the only configuration I'm doing is mostly pulled from the demo app:

// Values mostly taken from the SBB demo application
AuthenticationTypes:=22;
DownloadBlockSize:=65535;
SocketTimeout:=60000;
UploadBlockSize:=0;
// Disable 3DES, DES and Blowfish
EncryptionAlgorithms[SSH_EA_3DES]:=false;
EncryptionAlgorithms[SSH_EA_DES]:=false;
EncryptionAlgorithms[SSH_EA_BLOWFISH]:=false;
if MSIXControl.Port <> 0 then Port:=MSIXControl.Port;
Address:=MSIXControl.ServerAddr;
Username:=MSIXControl.UserName;
Password:=MSIXControl.Password;
// Client authenticates with username/password only, not with a public key
AuthenticationTypes:=AuthenticationTypes and not SSH_AUTH_TYPE_PUBLICKEY;
// Allow the X.509 server key algorithms so ServerKey.Certificate can be populated
PublicKeyAlgorithms[SSH_PK_X509_SIGN_RSA]:=true;
PublicKeyAlgorithms[SSH_PK_X509_SIGN_DSS]:=true;
OnKeyValidate:=DoKeyValidate;

When DoKeyValidate fires ServerKey.Certificate has always been nil for me. I'm not sure what this means. Does the Tectia server not really have a cert installed? Is the cert not X.509 compliant? Have I not configured TElSimpleSFTPClient properly? What can I do to further diagnose the problem?

Thanks,
Kevin Donn
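An added example, not SecureBlackbox code and not from any post in this thread, of the server-key check the post above describes: pinning the server's host key per host by fingerprint (MD5 in the FingerprintMD5 style, or SHA256) and failing closed when no pin is known. It assumes OpenSSH public-key line format and uses a constructed sample key.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    # One SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str) -> tuple:
    # Parse "ssh-rsa AAAA... comment" into (declared type, raw key blob).
    # The type embedded in the blob must match the declared one; a mismatch
    # means the line was altered or corrupted, so it is rejected.
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != declared.encode("ascii"):
        raise ValueError("key type in blob does not match declared type")
    return declared, blob


def fingerprint_md5(blob: bytes) -> str:
    # Legacy colon-separated MD5 fingerprint (the form FingerprintMD5 exposes).
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    # OpenSSH-style SHA256 fingerprint; prefer it over MD5 for new pins.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    return "SHA256:" + digest.decode("ascii")


def validate_server_key(host: str, line: str, pins: dict) -> bool:
    # Accept the key only if it matches the pin recorded for this host.
    # Hosts without a pin are rejected (fail closed), not trusted on first use.
    pin = pins.get(host)
    if pin is None:
        return False
    _, blob = parse_openssh_pubkey(line)
    actual = fingerprint_sha256(blob) if pin.startswith("SHA256:") else fingerprint_md5(blob)
    return hmac.compare_digest(actual, pin)


# Constructed sample RSA host key (e=65537, synthetic modulus); not a real server key.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + bytes(range(1, 65)))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " test-server"
```

The pin table is what the server team hands over out of band; a key whose fingerprint does not match, or a host with no entry, is refused before authentication proceeds.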
#7218
Posted: 08/05/2008 10:58:14
by Eugene Mayevski (EldoS Corp.)

To be able to help you further we need to connect to that server. If you can provide the information needed to connect, please create a ticket in the helpdesk (http://www.eldos.com/support/ticket_list.php).


Sincerely yours
Eugene Mayevski