Security
Server verification
Once connected to an SFTP server (and before authenticating), you should make sure you are indeed connected to the server you intended to connect to. Otherwise, you risk revealing sensitive data (such as your password) to a third party.
This is done by checking the server's public key and its signature. The signature is validated by Rebex SFTP automatically, but it's up to you to check the server's public key (or fingerprint).
In an ideal world, you should only connect to servers whose public keys (or fingerprints) you already have received securely. However, most real-world applications simply display the public key to the user when connecting for the first time, and make sure the key has not changed on subsequent connections. This has proved to be a decent compromise between security and usability.
Verifying server fingerprint
A fingerprint (hash value) of the server key used to secure the current connection is available in the Fingerprint property.
To verify it, simply compare the value with the one you've obtained from the server's administrator:
// a fingerprint obtained from your server's administrator
string fingerprint = "CseaeivppaMNLqMa+8ww+GzBQCltaCD7zugZyLQ+u7U";
// connect to an SFTP server
sftp.Connect(hostname);
// verify the server fingerprint
if (sftp.Fingerprint != fingerprint)
    throw new Exception("Invalid server key fingerprint.");
' a fingerprint obtained from your server's administrator
Dim fingerprint = "CseaeivppaMNLqMa+8ww+GzBQCltaCD7zugZyLQ+u7U"
' connect to an SFTP server
sftp.Connect(hostname)
' verify the server fingerprint
If sftp.Fingerprint <> fingerprint Then
    Throw New Exception("Invalid server key fingerprint.")
End If
Please note that the Sftp.Fingerprint property provides a SHA-256 hash of the server's public key. To get SHA-1 or SHA-2 fingerprints, use the Sftp.Session.Fingerprint.ToString(SignatureHashAlgorithm) method instead.
Verifying server key
Instead of verifying a fingerprint of the server's public key, it's possible to verify the public key itself. It's available in the Sftp.ServerKey property. Use the GetPublicKey() method to get the key as a byte array, or save it for later use with the SavePublicKey method:
// get the server key
var key = sftp.ServerKey;
// save it to a file
key.SavePublicKey(@"C:\MyData\my_key.pub");
' get the server key
Dim key = sftp.ServerKey
' save it to a file
key.SavePublicKey("C:\MyData\my_key.pub")
Server key verification event
Alternatively, you can check the server key or its fingerprint in a FingerprintCheck event handler, which is raised by the Connect method. To accept a key, set the event argument's Accept property to true.
// handler for the FingerprintCheck event
void client_FingerprintCheck(object sender, SshFingerprintEventArgs e)
{
    // a fingerprint obtained from your server's provider
    string fingerprint = "CseaeivppaMNLqMa+8ww+GzBQCltaCD7zugZyLQ+u7U";
    // verify the server fingerprint
    if (e.Fingerprint.ToString() == fingerprint)
        e.Accept = true;
}
' handler for the FingerprintCheck event
Sub client_FingerprintCheck(ByVal sender As Object, ByVal e As SshFingerprintEventArgs)
    ' a fingerprint obtained from your server's provider
    Dim fingerprint = "CseaeivppaMNLqMa+8ww+GzBQCltaCD7zugZyLQ+u7U"
    ' verify the server fingerprint
    If e.Fingerprint.ToString() = fingerprint Then
        e.Accept = True
    End If
End Sub
Registering the event handler:
// register an event handler
sftp.FingerprintCheck += client_FingerprintCheck;
// connect to an SFTP server (raises FingerprintCheck event)
sftp.Connect(hostname);
// ... this line is reached only if the fingerprint was accepted
// (otherwise the Connect method throws an SftpException)
' register an event handler
AddHandler sftp.FingerprintCheck, AddressOf client_FingerprintCheck
' connect to an SFTP server (raises FingerprintCheck event)
sftp.Connect(hostname)
' ... this line is reached only if the fingerprint was accepted
' (otherwise the Connect method throws an SftpException)
The FingerprintCheck event is raised during a key re-exchange process as well.
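The "remember the key on first connection, reject any change later" approach described above, implemented with the FingerprintCheck event. This is an added example, not Rebex's own code: the KnownHostStore class, its one-line-per-host file format and the Rebex.Net namespace are assumptions; Sftp, SshFingerprintEventArgs, Fingerprint and Accept are the members shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Rebex.Net; // assumed namespace of Sftp and SshFingerprintEventArgs

// Hypothetical helper (not part of Rebex SFTP): one recorded SHA-256 fingerprint per host.
public sealed class KnownHostStore
{
    private readonly string path;
    private readonly Dictionary<string, string> hosts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public KnownHostStore(string path)
    {
        this.path = path;
        if (!File.Exists(path)) return;
        foreach (string line in File.ReadAllLines(path))
        {
            string[] parts = line.Split(' ');   // assumed format: "<host> <fingerprint>"
            if (parts.Length == 2) hosts[parts[0]] = parts[1];
        }
    }

    // First contact: show the fingerprint to the user, record it, accept.
    // Later contacts: accept only if the fingerprint is unchanged.
    public bool Verify(string host, string fingerprint)
    {
        string known;
        if (hosts.TryGetValue(host, out known))
            return known == fingerprint;   // a changed key is rejected, never silently replaced

        Console.WriteLine("First connection to {0}; server key fingerprint is {1}", host, fingerprint);
        hosts[host] = fingerprint;
        File.AppendAllText(path, host + " " + fingerprint + Environment.NewLine);
        return true;
    }
}

public static class TofuConnect
{
    public static Sftp Connect(string hostname, KnownHostStore store)
    {
        var sftp = new Sftp();
        // the event is also raised on key re-exchange; re-checking the same key is harmless
        sftp.FingerprintCheck += (sender, e) =>
            e.Accept = store.Verify(hostname, e.Fingerprint.ToString());
        // Connect throws an SftpException if the handler left Accept false
        sftp.Connect(hostname);
        return sftp;
    }
}
```

The store file is as trustworthy as the account that can write it, so keep it out of world-writable locations; a mismatch should be escalated to the user or operator rather than overwritten.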
Security settings and algorithms
Rebex SFTP's underlying SSH core supports a number of security algorithms:
- Authentication Methods (Password, Public key, Keyboard-interactive, GSSAPI).
- Encryption Algorithms (AES, ChaCha20/Poly1305, Triple DES, Twofish, Blowfish, RC4).
- Encryption Modes (CBC, CTR, AEAD).
- Host Key Algorithms (RSA, DSS, ECDSA with NIST P-256/384/521*, EdDSA with ED25519**).
- Key Exchange Algorithms (Diffie-Hellman - Oakley groups, group exchange with SHA-1 or SHA-256; Elliptic Curve Diffie-Hellman - over NIST P-256*, P-384*, P-521* or Curve25519** curves).
- MAC Algorithms (SHA-2, SHA-1, MD5).
* Available on Windows (on Windows Vista and higher). External plugins are needed for other platforms.
** Plugin required on all platforms.
To explicitly enable or disable any of these algorithms, use the Sftp.Settings.SshParameters object:
// get SSH parameters object
SshParameters par = sftp.Settings.SshParameters;
// allow both DSS and RSA
par.HostKeyAlgorithms = SshHostKeyAlgorithm.DSS | SshHostKeyAlgorithm.RSA;
// when the server supports both, prefer RSA
par.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA;
// only allow AES and Twofish
par.EncryptionAlgorithms = SshEncryptionAlgorithm.AES | SshEncryptionAlgorithm.Twofish;
// connect using the SSH parameters
sftp.Connect(hostname, Sftp.DefaultPort);
' use SSH parameters object
With sftp.Settings.SshParameters
    ' allow both DSS and RSA
    .HostKeyAlgorithms = SshHostKeyAlgorithm.DSS Or SshHostKeyAlgorithm.RSA
    ' when the server supports both, prefer RSA
    .PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA
    ' only allow AES and Twofish
    .EncryptionAlgorithms = SshEncryptionAlgorithm.AES Or SshEncryptionAlgorithm.Twofish
End With
' connect using the SSH parameters
sftp.Connect(hostname, Sftp.DefaultPort)