How To: SFTP Authentication Methods through Sentry

When deploying SFTP you must decide which authentication methods to use.  SSH supports several, but most deployments use password authentication (username/password, often called basic authentication) or public key authentication.  This article uses both.  Sentry sits between the SFTP client and the SFTP server and terminates both connections, so the method the client uses to authenticate to Sentry is independent of the method Sentry uses to authenticate to the back-end server.  The four possible combinations are:

 

1. Basic Authentication to Basic Authentication

2. Basic Authentication to Public Key Authentication

3. Public Key Authentication to Public Key Authentication

4. Public Key Authentication to Basic Authentication

 

Sentry supports all four combinations, so it can be fitted into almost any existing SFTP deployment without changing the client or the server.  This article walks through the first two scenarios in detail.

 

Sentry ships with SFTP support enabled; nothing extra needs to be installed.  We need to create the following policies, choosing the authentication method for each leg of the connection:

A. Basic Authentication: 

For this article we set up an LDAP policy for end users connecting to Sentry via SFTP, and a username/password account for Sentry connecting via SFTP to the back-end SFTP server.

   a. LDAP Policy:

                  Access--->User Policies--->LDAP

                  . Click New

                  . Fill in the fields, in particular the following:

  • Policy Name: Forum-LDAP-Server
  • Enable Privilege Access: No
  • Server: ldap.forumsys.com
  • User: cn=read-only-admin,dc=example,dc=com
  • Password: password
  • Root DN: ou=mathematicians,dc=example,dc=com
  • User/group context: Group containing users

                . Click Apply

                . Click Test to confirm that Sentry can bind to the LDAP server with these credentials.  The result is shown at the top of the screen.

                . If the test succeeds, click Save. 

Note: ldap.forumsys.com is Forum Systems' public, read-only test directory and the bind credentials above are published, so use it for lab testing only; in production point the policy at your own directory.  With User/group context set to Group containing users, Sentry resolves the SFTP username as a member of the Root DN group, so only members of ou=mathematicians can authenticate against this policy.

image_1.png

b. Username/Password (for the back-end SFTP Server):

                Obtain the username and password of an account that has SFTP privileges on the back-end SFTP server.  Sentry presents this one account to the server on behalf of every end user, so give it only the directory access the end users actually need.

                 

B. Create the SFTP Content Policy:

 

                a. Create a SFTP Listener Policy:

                   Gateway--->Network Policies--->Network Policies

  • Click New
  • Select SFTP and Click Next
  • Select Listener and Click Next
  • Fill in the following info:
    • Name*:               
    • Use Device IP:  
    • Listener IP*:      
    • Listener Port*: (122 in the session shown later in this article)

  • Under Allowed Authentications, check Password.  This is the method end users will use to authenticate to Sentry.
  • Click Apply and Save

image_2.png

                b. Create a SFTP Remote Policy:

                    Gateway--->Network Policies--->Network Policies

  • Click New
  • Select SFTP and Click Next
  • Select Remote and Click Next
  • Fill in the following info for the Back-end SFTP Server:
    • Name*:               
    • Remote Server*:            
    • Remote Port*: 
    • Select Specify Credentials and fill in the username/password of the SFTP account on the back-end server.

image_3.png

 

c. Create Content Policy:

                    Gateway--->Content Policies--->XML Policies (or HTML Policies)

  • Click New
  • Name it and click Next
  • Select your SFTP Listener and Remote Policies:
    • Listener Policy:
    • Remote Policy:

image_4.png

You are now ready to connect over SFTP:

 The client used in this exercise is PSFTP (the command-line SFTP client from the PuTTY suite) and the back-end server is Bitvise SSH Server.

 In the command below, -P sets the port.  Sentry does not have to listen on the standard SSH port 22; any free port will do, and here the listener is on 122.  The user euclid is an LDAP user: the client authenticates to Sentry against the LDAP policy, and Sentry then opens its own connection to the back-end server using the credentials supplied by that server's administrator.  The end user never sees or handles the back-end credentials.

 

$ ./psftp -P 122 euclid@192.168.1.107

 On the first connection PSFTP displays the fingerprint of the host key presented by the server and asks whether to trust it.  Answering yes caches the key (the known host key) so that later connections to the same address are checked against it.  Because the client is talking to Sentry, this is Sentry's SSH host key, not the back-end server's.  Compare the displayed fingerprint with one obtained out of band from the Sentry administrator before accepting it: an unverified first connection is the one moment an on-path attacker could substitute their own server.  PuTTY 0.63 and later can also pin the expected key with the -hostkey option.

 image_5.png

euclid@192.168.1.107's password: password

 

psftp> ls

Listing directory ./.

p---------   1 0        0          127970 Jun 08 12:15 Less_than_1M_DOC.docx

p---------   1 0        0          282840 Jun 08 12:15 Less_than_1M_EXE.exe

p---------   1 0        0           47156 Jun 08 12:15 Less_than_1M_JPEG.jpg

p---------   1 0        0          671062 Jun 08 12:15 Less_than_1M_PDF.pdf

p---------   1 0        0          156582 Jun 08 12:15 Less_than_1M_TXT.txt

p---------   1 0        0         6132775 Jun 08 12:15 More_than_1M_DOC.docx

p---------   1 0        0         1331024 Jun 08 12:15 More_than_1M_EXE.exe

p---------   1 0        0         7432880 Jun 08 12:15 More_than_1M_PDF.pdf

p---------   1 0        0         4057328 Jun 08 12:15 More_than_1M_TXT.txt

p---------   1 0        0           28824 Jun 08 12:15 SwA_XML_to_SFTP.fsg

psftp> put test.txt

local:test.txt => remote:./test.txt

psftp> ls

Listing directory ./.

p---------   1 0        0          127970 Jun 08 12:15 Less_than_1M_DOC.docx

p---------   1 0        0          282840 Jun 08 12:15 Less_than_1M_EXE.exe

p---------   1 0        0           47156 Jun 08 12:15 Less_than_1M_JPEG.jpg

p---------   1 0        0          671062 Jun 08 12:15 Less_than_1M_PDF.pdf

p---------   1 0        0          156582 Jun 08 12:15 Less_than_1M_TXT.txt

p---------   1 0        0         6132775 Jun 08 12:15 More_than_1M_DOC.docx

p---------   1 0        0         1331024 Jun 08 12:15 More_than_1M_EXE.exe

p---------   1 0        0         7432880 Jun 08 12:15 More_than_1M_PDF.pdf

p---------   1 0        0         4057328 Jun 08 12:15 More_than_1M_TXT.txt

p---------   1 0        0           28824 Jun 08 12:15 SwA_XML_to_SFTP.fsg

p---------   1 0        0              15 Jun 15 09:50 test.txt

psftp> get Less_than_1M_DOC.docx

remote:./Less_than_1M_DOC.docx => local:Less_than_1M_DOC.docx

psftp> ls

Listing directory ./.

p---------   1 0        0          127970 Jun 08 12:15 Less_than_1M_DOC.docx

p---------   1 0        0          282840 Jun 08 12:15 Less_than_1M_EXE.exe

p---------   1 0        0           47156 Jun 08 12:15 Less_than_1M_JPEG.jpg

p---------   1 0        0          671062 Jun 08 12:15 Less_than_1M_PDF.pdf

p---------   1 0        0          156582 Jun 08 12:15 Less_than_1M_TXT.txt

p---------   1 0        0         6132775 Jun 08 12:15 More_than_1M_DOC.docx

p---------   1 0        0         1331024 Jun 08 12:15 More_than_1M_EXE.exe

p---------   1 0        0         7432880 Jun 08 12:15 More_than_1M_PDF.pdf

p---------   1 0        0         4057328 Jun 08 12:15 More_than_1M_TXT.txt

p---------   1 0        0           28824 Jun 08 12:15 SwA_XML_to_SFTP.fsg

p---------   1 0        0              15 Jun 15 09:50 test.txt

psftp> rm test.txt

rm ./test.txt: OK

psftp> ls

Listing directory ./.

p---------   1 0        0          127970 Jun 08 12:15 Less_than_1M_DOC.docx

p---------   1 0        0          282840 Jun 08 12:15 Less_than_1M_EXE.exe

p---------   1 0        0           47156 Jun 08 12:15 Less_than_1M_JPEG.jpg

p---------   1 0        0          671062 Jun 08 12:15 Less_than_1M_PDF.pdf

p---------   1 0        0          156582 Jun 08 12:15 Less_than_1M_TXT.txt

p---------   1 0        0         6132775 Jun 08 12:15 More_than_1M_DOC.docx

p---------   1 0        0         1331024 Jun 08 12:15 More_than_1M_EXE.exe

p---------   1 0        0         7432880 Jun 08 12:15 More_than_1M_PDF.pdf

p---------   1 0        0         4057328 Jun 08 12:15 More_than_1M_TXT.txt

p---------   1 0        0           28824 Jun 08 12:15 SwA_XML_to_SFTP.fsg

psftp>

 

psftp> exit

Using username "euclid".

$ ls Less_than_1M_DOC.docx

Less_than_1M_DOC.docx

 

This concludes the SFTP setup where Basic Authentication is used end-to-end via Sentry.

C. Basic Authentication to Public Key Authentication

In the first exercise we set up Basic Authentication from the client into Sentry and Basic Authentication from Sentry out to the back-end SFTP server.

In this exercise we only change the Sentry-to-back-end leg to Public Key Authentication; the LDAP policy and the listener stay as they are.

With public key authentication the client proves its identity by signing a challenge with its private key, and the server verifies the signature with the matching public key it has been given.  The key pair is used only for authentication; the session itself is encrypted with keys negotiated during the SSH key exchange.  The private key stays with the client and is never transmitted; only the public key is distributed.  The pair is usually generated on the client, but it does not have to be.  Here the client of the back-end server is Sentry, so we use Sentry to create the SSH key pair and supply the public key to the back-end SFTP server.

 

. Create SSH key pair

. Download the public key and distribute to the Back-end SFTP Server

 

i. Create the SSH Key pair:

        Go to Resources--->PKI--->Keys

                                Click New

                                Select OpenSSH Key Pair and Click Next and fill in the following info:

  • Name*:               
  • Algorithm:
  • Key Size (in bits):             
  • Passphrase:       

Note:  You can leave the Passphrase blank.  If you set one, the private key is stored encrypted and the passphrase must be supplied whenever the key is used, including for public key authentication to the back-end server.  For Algorithm and Key Size, RSA with at least 2048 bits is a widely accepted choice.

image_6.png

ii.    Download the public key and send it to the Back-end SFTP Server:

       Go to Resources--->PKI--->Keys

                   Click on the key pair you created, then click the OpenSSH hyperlink to download the public key in OpenSSH format:

                   Download:       OpenSSH

                   Transfer the public key to the back-end server and install it where that server keeps authorized public keys.  For an OpenSSH server this is the account's ~/.ssh/authorized_keys file; Bitvise SSH Server (used in this article) stores public keys per account in its own settings.  Only the public key leaves Sentry; the private key never does.

image_7.png
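Two checks belong at this point: confirming that the public key file arrived at the back-end server intact, and, for the first-connection prompt shown earlier, comparing a host key fingerprint against one obtained out of band.  The following is an added example and is not part of the original article or of Sentry itself.  It parses an OpenSSH public key line, checks that the declared key type matches the type embedded in the base64 blob (a corrupted transfer fails this check), computes the MD5 and SHA256 fingerprints that SSH clients and servers display, and builds a restricted authorized_keys line for an OpenSSH back-end (the Bitvise server in this article manages keys in its own settings, so that last step does not apply to it).  The key bytes are constructed for the demonstration and are not a real key; the gateway IP 192.168.1.107 is the Sentry address used above.

```python
import base64
import hashlib
import struct

# Constructed sample: 32 arbitrary bytes standing in for an Ed25519 public
# key.  This is NOT a real key; it only exercises parsing and fingerprinting.
FAKE_ED25519_POINT = bytes(range(1, 33))


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_openssh_pubkey_line(key_type: str, parts: list, comment: str) -> str:
    """Assemble an OpenSSH public key line ('<type> <base64 blob> <comment>')."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(p) for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_pubkey(line: str) -> tuple:
    """Return (key_type, blob, comment) after checking the line is well-formed.

    The declared type (first field) must equal the type embedded in the blob;
    a mismatch or a truncated blob means the file was altered in transit.
    """
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len]
    if len(embedded) != type_len or embedded.decode(errors="replace") != key_type:
        raise ValueError(f"declared type {key_type!r} does not match blob")
    return key_type, blob, comment


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint as colon-separated hex (what older PuTTY shows)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def restricted_authorized_keys_line(line: str, gateway_ip: str) -> str:
    """Prefix the key with OpenSSH options so it is usable only from the gateway
    address and cannot obtain a PTY or forward ports (OpenSSH 7.2+ 'restrict').
    The SFTP subsystem still works under 'restrict'."""
    key_type, _, comment = parse_openssh_pubkey(line)
    b64 = line.split(None, 2)[1]
    return f'restrict,from="{gateway_ip}" {key_type} {b64} {comment}'.rstrip()


if __name__ == "__main__":
    sample = build_openssh_pubkey_line("ssh-ed25519", [FAKE_ED25519_POINT], "sentry-to-backend")
    kt, blob, comment = parse_openssh_pubkey(sample)
    print(kt, comment)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    print(restricted_authorized_keys_line(sample, "192.168.1.107"))
```

Run it against the file Sentry produced and against the same file after it lands on the back-end server; the two fingerprints must agree.  The same fingerprint functions apply to a host key in OpenSSH format, which is how the value PSFTP prints at the first-connection prompt can be checked.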

iii.   Configure Sentry to use public key authentication to the Remote SFTP Server:

(This is a one-step change to the SFTP Remote Policy) 

. Go to Gateway--->Network Policies and open your SFTP Remote Policy

. In the Authentication section select Public Key Authentication, enter the SFTP username on the back-end server and select the key to use:

  • Public Key Authentication
  • Username*:      
  • Remote SSH Key:            

                  Apply and Save

image_8.png

You are now ready to use Basic Authentication to Sentry and Sentry in turn will use Public Key Authentication to the Back-end SFTP Server.

 

$ ./psftp -P 122 euclid@192.168.1.107

euclid@192.168.1.107's password: password

 

psftp> ls

Listing directory ./.

p---------   1 0        0          127970 Jun 08 12:15 Less_than_1M_DOC.docx

p---------   1 0        0          282840 Jun 08 12:15 Less_than_1M_EXE.exe

p---------   1 0        0           47156 Jun 08 12:15 Less_than_1M_JPEG.jpg

p---------   1 0        0          671062 Jun 08 12:15 Less_than_1M_PDF.pdf

p---------   1 0        0          156582 Jun 08 12:15 Less_than_1M_TXT.txt

p---------   1 0        0         6132775 Jun 08 12:15 More_than_1M_DOC.docx

p---------   1 0        0         1331024 Jun 08 12:15 More_than_1M_EXE.exe

p---------   1 0        0         7432880 Jun 08 12:15 More_than_1M_PDF.pdf

p---------   1 0        0         4057328 Jun 08 12:15 More_than_1M_TXT.txt

p---------   1 0        0           28824 Jun 08 12:15 SwA_XML_to_SFTP.fsg

psftp>

 

From the System Log on Sentry you can see both legs: the end user authenticates to Sentry with a password that Sentry checks against LDAP, and Sentry then authenticates to the back-end server with the publickey method.  (The LDAP policy in this log was named SFTP-LDAP-Policy rather than Forum-LDAP-Server.)  Note the order of login modules: Sentry tries its local users first, then LDAP, and here the LDAP lookup is served from cache.  The line "ACL check skipped" shows that no ACL is attached to the listener policy, so any user the LDAP policy accepts may use it; attach an ACL if only a subset should.

 

11:07:23.439       Received SSH password authentication request for 'euclid' on/192.168.1.107:58311

11:07:23.439       Authenticating using 'Local users login module'

11:07:23.439       User 'euclid' not found.

11:07:23.439       Authenticating using 'LDAP login module'

11:07:23.439       Found user 'euclid' in cache for LDAP policy 'SFTP-LDAP-Policy'.

11:07:23.439       Succeeded to authenticate user 'euclid' using LDAP policy 'SFTP-LDAP-Policy'

11:07:23.439       ACL check skipped - no ACL associated with network policy

 

11:07:23.440       Document entered Communications Layer

11:07:23.440       Handling command 'login'

11:07:23.440       Request document:

11:07:23.440       No TaskListGroup configured, document will not be processed

11:07:23.440       No TaskListGroup configured, document will not be processed

11:07:23.441       Sending remote server a processed request:

                      Method: POST

                      Remote...

11:07:23.460       Connecting to SFTP server at 192.168.1.102:22

11:07:23.460       Opening SFTP connection to 192.168.1.102:22

11:07:23.595       Authenticating user 'sftp_user' to 192.168.1.102:22 using publickey method
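When the two legs are supposed to differ, as in this scenario, it is worth checking the System Log mechanically rather than by eye.  The following is an added example, not part of the original article or of Sentry: it splits log text into per-connection records using the message formats visible above and reports any connection where the end user was not authenticated by an LDAP policy, where the back-end leg did not use the expected method, or where the ACL check was skipped.  The embedded log excerpt is constructed from the lines shown on this page; the second connection (user riemann, back-end password method) is made up to show a failing check, and the regular expressions assume the message formats stay as shown.

```python
import re

# Constructed excerpt modelled on the Sentry System Log lines shown above.
# The first connection copies the page; the second is invented to show a
# back-end leg that fell back to password authentication.
SAMPLE_LOG = """\
11:07:23.439 Received SSH password authentication request for 'euclid' on/192.168.1.107:58311
11:07:23.439 Authenticating using 'Local users login module'
11:07:23.439 User 'euclid' not found.
11:07:23.439 Authenticating using 'LDAP login module'
11:07:23.439 Succeeded to authenticate user 'euclid' using LDAP policy 'SFTP-LDAP-Policy'
11:07:23.439 ACL check skipped - no ACL associated with network policy
11:07:23.460 Connecting to SFTP server at 192.168.1.102:22
11:07:23.595 Authenticating user 'sftp_user' to 192.168.1.102:22 using publickey method
11:09:01.100 Received SSH password authentication request for 'riemann' on/192.168.1.107:58320
11:09:01.100 Authenticating using 'Local users login module'
11:09:01.100 User 'riemann' not found.
11:09:01.100 Authenticating using 'LDAP login module'
11:09:01.101 Succeeded to authenticate user 'riemann' using LDAP policy 'SFTP-LDAP-Policy'
11:09:01.130 Authenticating user 'sftp_user' to 192.168.1.102:22 using password method
"""

# Patterns derived from the message formats visible in the log above.
RE_REQUEST = re.compile(r"Received SSH (\w+) authentication request for '([^']+)' on/?([\d.]+):(\d+)")
RE_SUCCESS = re.compile(r"Succeeded to authenticate user '([^']+)' using LDAP policy '([^']+)'")
RE_ACL_SKIPPED = re.compile(r"ACL check skipped")
RE_BACKEND = re.compile(r"Authenticating user '([^']+)' to ([\d.]+:\d+) using (\w+) method")


def parse_sessions(log_text: str) -> list:
    """Group log lines into one record per inbound SSH authentication request."""
    sessions = []
    cur = None
    for line in log_text.splitlines():
        m = RE_REQUEST.search(line)
        if m:
            cur = {"client_method": m.group(1), "user": m.group(2),
                   "client": f"{m.group(3)}:{m.group(4)}", "ldap_policy": None,
                   "acl_skipped": False, "backend_user": None,
                   "backend": None, "backend_method": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # lines before the first request are ignored
        m = RE_SUCCESS.search(line)
        if m:
            cur["ldap_policy"] = m.group(2)
            continue
        if RE_ACL_SKIPPED.search(line):
            cur["acl_skipped"] = True
            continue
        m = RE_BACKEND.search(line)
        if m:
            cur["backend_user"], cur["backend"], cur["backend_method"] = m.groups()
    return sessions


def check_session(s: dict, expected_backend_method: str = "publickey") -> list:
    """Return findings for one connection; an empty list means it matches the design."""
    findings = []
    if s["ldap_policy"] is None:
        findings.append(f"{s['user']}: end user was not authenticated by an LDAP policy")
    if s["backend_method"] != expected_backend_method:
        findings.append(f"{s['user']}: back-end leg used {s['backend_method']!r}, "
                        f"expected {expected_backend_method!r}")
    if s["acl_skipped"]:
        findings.append(f"{s['user']}: no ACL on the listener policy, any LDAP user may connect")
    return findings


if __name__ == "__main__":
    for session in parse_sessions(SAMPLE_LOG):
        print(session["user"], session["client"], "->", session["backend"],
              session["backend_method"])
        for finding in check_session(session):
            print("  finding:", finding)
```

Feed it the System Log export for a day of traffic and any connection that reached the back-end with a password while the remote policy is meant to use the key stands out immediately.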
