Occasionally our customers ask if it’s possible to implement some form of one-time password (OTP) authentication for their SFTP users. Considering the complexity of the SSH authentication scheme, such a task is definitely not trivial. To ease the process, Syncplify.me Server! V5 adds two new event-handlers and several functions to the scripting framework. This article explains how to use them to accomplish OTP authentication over SFTP.
We have just released version 4.1.0 of our Syncplify.me Server! software. This version features the following improvements:
- Added: support for MongoDB authentication and specific utility to configure it (read how to use it here)
- Fixed: small memory leak in one of the password encryption functions
Warning: upgrading to 4.1.0 from any version prior to 4.0.34 will invalidate your license, so if you are a customer, please contact us to request a license reset before you upgrade.
Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.
As usual you can download this new release from our website.
The most significant improvement introduced by Syncplify.me Server! v4.1 is the ability to use MongoDB’s authentication. As explained in a previous KB article, our deployment of MongoDB was secure even without authentication, but keeping in mind all possible scenarios our development team has worked hard to add direct support to MongoDB’s native authentication into our software. This article explains how to use the new MongoDB Authentication Utility (installed along with Syncplify.me Server! v4.1+) to enable/disable this feature as needed.
The procedures outlined in this article are suitable for all single-node Syncplify.me Server! deployments. High-Availability (HA) deployments will require a little more work.
In light of the recent news regarding ransomware targeting MongoDB, we would like to inform all of our users and customers that we are actively working to add support for MongoDB’s authentication directly inside our software.
In the meantime, though, it is very important to understand that:
- hype aside, a good network security model already addresses 99% of all the issues of this type (DB-connectivity related)
- Syncplify’s specific MongoDB instance uses port 28038 (instead of the standard 27017) and is therefore not targeted by the above-mentioned ransomware
- Syncplify’s specific MongoDB instance only accepts requests from localhost (127.0.0.1) unless you have explicitly created a Windows Firewall rule
Because of the above reasons we believe that all Syncplify.me Server! instances deployed in non-HA mode are safe unless the network and Windows Firewall configuration has been altered by the users/customers themselves.
For HA (high-availability) instances, we strongly recommend that our users/customers make sure their network firewall and Windows Firewall rules only allow connections to the DB server(s) from the machines running the SFTP front-end nodes. No other machine should be allowed to connect to your DB server(s).
This said, we want to reassure everyone – once again – that we are also actively working (with high priority) to add MongoDB authentication directly into our software.
Note: in order to use the code posted in this article you need to be running version 4.0.16 or greater of Syncplify.me Server!
As you all know, Syncplify.me Server! already supports its own internal users, as well as Windows and Active Directory users (and groups, depending on the license type). Yet, some of our customers need to implement totally custom authentication methods, often based on their own user databases.
In this article we will show one way to do so. This is clearly just meant to serve as an example, and real-life scenarios require some further customization to the DB and the script posted here. But it’s a fairly decent starting point.
So, the background scenario for this example is:
- our users’ authentication data are stored in a Microsoft(R) Access database
- in our DB, each user is associated with a “category” (in this case his/her department: sales, marketing, …)
- for the sake of this example, all users’ passwords are set to “password” (without quotes)
- the script is pretty sophisticated, because besides authenticating the user, it will load a user profile that belongs to the “category” of the user from the main Syncplify.me Server! user-base
So let’s start by taking a look at our user database:
Our users are aware that old Syncplify.me Server! versions (from 1.0 to 3.x) used to support only a single host key, and it had to be an RSA key.
As of version 4.0, though, Syncplify.me Server! supports RSA, DSA, and ECDSA host keys, and it supports multiple (unlimited) host keys per virtual server.
The addition of DSA keys was mostly driven by the fact that some of our customers possess legacy DSA host/server keys that they are required to use in order for certain client applications to work properly. The addition of ECDSA host keys, instead, is a truly remarkable new feature, and to understand why just check out the comparison table here below:
We have already talked about the SSH Server Key, which is used to verify the server’s identity and to negotiate the security (hmac/encryption) parameters. In this article, instead, we want to explain how to use PKI to authenticate users in Syncplify.me Server!
First of all it is important to understand that – unlike the Server Key – these user-specific key pairs are not used for encryption, but only and exclusively to authenticate users, thus to verify their identity and decide whether to let them log into the server or not.
Authenticating users via PKI certainly grants a much higher degree of security than simply using a password, and is therefore a highly recommended authentication method.
As many of you already know, for security reasons there is no anonymous user in Syncplify.me Server!, and that is a design choice our team made a long time ago in order to reduce the potential attack surface of our software.
Yet, some of our customers have asked whether it is possible to configure a user profile to behave as an anonymous-like one. Good news! If you are running either one of our “Plus” versions, you can! Here is how.
This article covers the interaction between the client and Syncplify.me Server! in case of Active Directory authentication, and explains how auth-data sent by the client is interpreted by the server.
For the sake of our example we have set up a Windows Server 2012 R2 virtual machine and created the “syncplify.local” domain (totally made up; you can use your own domain name of course). We have then created an AD group called “SFTP Users” (again, you can create your own groups) and a couple of users: “testuser” and “groupuser”. The testuser profile is only a member of the “Domain Users” group, while the groupuser profile is a member of “Domain Users” as well as of “SFTP Users”.
Important: if you’re using Syncplify.me Server! v4.0 or greater, please make sure you also carefully read this article before you continue.
Then we have created the two virtual profiles in Syncplify.me Server! with the usernames exactly as you see them in the picture here below:
Syncplify.me Server! also supports authentication for Active Directory groups. If you have several people who must share the same FTP(S)/SFTP server configuration, then putting them in the same AD group may greatly simplify your configuration.