How to: SFTP authentication via one-time passwords (OTP)

Syncplify.me Server! version: 5.0.0+

Occasionally our customers ask if it’s possible to implement some form of one-time password (OTP) authentication for their SFTP users. Considering the complexity of the SSH authentication scheme, such a task is definitely not trivial. To ease the process, Syncplify.me Server! V5 adds two new event-handlers and several functions to the scripting framework. This article explains how to use them to accomplish OTP authentication over SFTP.

Syncplify.me Server! v4.1.0 released

We have just released version 4.1.0 of our Syncplify.me Server! software. This version features the following improvements:

  • Added: support for MongoDB authentication and specific utility to configure it (read how to use it here)
  • Fixed: small memory leak in one of the password encryption functions

Warning: upgrading to 4.1.0 from any version prior to 4.0.34 will invalidate your license, so if you are a customer, please contact us to request a license reset before you upgrade.

Note: if after the update you notice any unexpected behavior in the web interface, just hit Ctrl-F5 in your browser; that will force the browser to reload the page as well as all back-end scripts and update the ones that may have been cached from previous versions of the software.

As usual you can download this new release from our website.

Ensuring Syncplify’s MongoDB instance safety

Syncplify.me Server! version: 4.0.0+

In light of the recent news regarding ransomware targeting MongoDB, we would like to inform all of our users and customers that we are actively working to add support for MongoDB’s authentication directly inside our software.

In the meantime, though, it is very important to understand that:

  • hype aside, a good network security model already addresses 99% of all the issues of this type (DB-connectivity related)
  • Syncplify’s specific MongoDB instance uses port 28038 (instead of the standard 27017) and is therefore not targeted by the above-mentioned ransomware
  • Syncplify’s specific MongoDB instance only accepts requests from localhost (127.0.0.1) unless you have explicitly created a Windows Firewall rule

Because of the above reasons we believe that all Syncplify.me Server! instances deployed in non-HA mode are safe unless the network and Windows Firewall configuration has been altered by the users/customers themselves.

For HA (high-availability) instances, we do strongly recommend our users/customers to make sure their network firewall and Windows Firewall rules only allow connections to the DB server(s) from the machines running the SFTP front-end nodes. No other machine should be allowed to connect to your DB server(s).
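The following PowerShell is an added example, not part of the Syncplify.me article or product: it shows the unscoped inbound rule to avoid, creates a rule for port 28038 that is scoped to the HA front-end nodes only, and then lists every enabled inbound allow rule for that port so you can spot any rule whose remote-address scope is still “Any”. The front-end node addresses and the rule name are constructed placeholders.

```powershell
# Added example (not from the Syncplify.me article): restrict the Syncplify MongoDB
# port (28038) so that only the SFTP front-end nodes of an HA deployment can reach it.
# The node addresses below are constructed placeholders; replace them with your own.
$MongoPort     = 28038
$FrontEndNodes = @('10.0.1.11', '10.0.1.12')   # assumed HA front-end node IPs
$RuleName      = 'Syncplify MongoDB (HA front-ends only)'

# Weak setting (do not keep a rule like this): an inbound allow rule with no
# remote-address scope exposes the database to every host that can route to it.
# New-NetFirewallRule -DisplayName 'Syncplify MongoDB (open)' -Direction Inbound `
#     -Protocol TCP -LocalPort $MongoPort -Action Allow

# Corrected setting: same port, but only the listed front-end nodes may connect.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $MongoPort -RemoteAddress $FrontEndNodes -Action Allow | Out-Null
}

# Verification: every enabled inbound allow rule for the MongoDB port, flagging
# any rule whose remote-address scope is 'Any' (i.e. not restricted to the nodes).
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$MongoPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($scope -join ',')
            Exposed       = ($scope -contains 'Any')
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each DB server; any row with Exposed = True is a rule that still admits connections from outside the front-end nodes.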

This said, we want to reassure everyone – once again – that we are also actively working (with high priority) to add MongoDB authentication directly into our software.

Authenticating users against your own DataBase

Syncplify.me Server! version: 4.0.16+

Note: in order to use the code posted in this article you need to be running at least version 4.0.16 or greater of Syncplify.me Server!

As you all know, Syncplify.me Server! already supports its own internal users, as well as Windows and Active Directory users (and groups, depending on the license type). Yet, some of our customers need to implement totally custom authentication methods, often based on their own user databases.

In this article we will show one way to do so. This is clearly just meant to serve as an example, and real-life scenarios require some further customization to the DB and the script posted here. But it’s a fairly decent starting point.

So, the background scenario for this example is:

  • our users’ authentication data are stored in a Microsoft(R) Access database
  • in our DB, each user is associated with a “category” (in this case his/her department: sales, marketing, …)
  • for the sake of this example, all users’ passwords are set to “password” (without quotes)
  • the script is pretty sophisticated, because besides authenticating the user, it will load a user profile that belongs to the “category” of the user from the main Syncplify.me Server! user-base

So let’s start taking a look at our user database:

RSA, DSA and ECDSA host keys

Syncplify.me Server! version: 4.0.0+

Our users are aware that old Syncplify.me Server! versions (from 1.0 to 3.x) used to support only a single host key, and it had to be an RSA key.

As of version 4.0, though, Syncplify.me Server! supports RSA, DSA, and ECDSA host keys, and it supports multiple (unlimited) host keys per virtual server.

The addition of DSA keys was mostly driven by the fact that some of our customers possess legacy DSA host/server keys that they are required to use in order for certain client applications to work properly. The addition of ECDSA host keys, instead, is a truly remarkable new feature, and to understand why just check out the comparison table here below:

Authenticating users via PKI

We have already talked about the SSH Server Key, which is used to verify the server’s identity and to negotiate the security (hmac/encryption) parameters. In this article, instead, we want to explain how to use PKI to authenticate users in Syncplify.me Server!

First of all it is important to understand that – unlike the Server Key – these user-specific key pairs are not used for encryption, but only and exclusively to authenticate users, thus to verify their identity and decide whether to let them log into the server or not.

Authenticating users via PKI certainly grants a much higher degree of security than simply using a password, and is therefore a highly recommended authentication method.

Syncplify.me Server!: more on Active Directory authentication

This article covers the interaction between the client and Syncplify.me Server! in case of Active Directory authentication, and explains how auth-data sent by the client is interpreted by the server.

For the sake of our example we have set up a Windows Server 2012 R2 virtual machine, and created the “syncplify.local” domain (totally made up, you can use your own domain name of course). We have then created an AD group called “SFTP Users” (again you can create your own groups) and a couple of users: “testuser” and “groupuser”. The testuser profile is only a member of the “Domain Users” group, while the groupuser profile is a member of “Domain Users” as well as of “SFTP Users”.

Important: if you’re using Syncplify.me Server! v4.0 or greater, please make sure you also carefully read this article before you continue.

Then we have created the two virtual profiles in Syncplify.me Server! with the usernames exactly as you see them in the picture here below:

[Image: 2012R2-AD-1]