Configuring the SSH Server

Edit online

You must configure an SSH server before you can use HSTS. To increase the security, configure transfer-server authorization to use a host-key fingerprint.

SSH configuration

Edit online

Configure SSH for use with HSTS.

The file that is used in the following steps is: 
/etc/ssh/sshd_config
  1. Open the SSH configuration file /etc/ssh/sshd_config.
  2. Disable SSH tunneling.
    Add the following lines to the end of the file (or modify them if they already exist):
    AllowTcpForwarding no

    Depending on your sshd_config file, you might have additional instances of AllowTCPForwarding that are set to the default Yes. Review your sshd_config file for other instances and disable if necessary.

  3. Update authentication methods. Disable agent forwarding, which is enabled by default.
    Add the following to your SSH configuration file: 
    AllowAgentForwarding no
  4. If SSH is not going to be used for other purposes on your system, consider restricting use to an explicit list of allowed HSTS users. By default all users are allowed to log in using the OpenSSH service.
    CAUTION:
    If you are on a Windows Domain, you must use the AllowUsers and AllowGroups configuration options to limit access to the server.
    Go to System Preferences > Sharing. Clear and select Remote Login from the left panel. Under Allow access for, select All users, or specify individual user accounts for the FASP connections.
    Enable the remote login
  5. For optimal security, configure SSH to use strong ciphers and Macs, such as the AES and HMAC SHA2 variants. Use the sshd_config directives Ciphers and MACs. Be sure to check which ciphers and MACs are supported by your version of OpenSSH.
    For example,
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
  6. The SFTP subsystem is not used by HSTS. If you don't need the SFTP, you can disable it.
  7. Disable root login.
    CAUTION:
    This step disables root access. Before you do so, make sure that you have at least one user account with sudo privileges before continuing, otherwise you might not have access to administer your server.
    By default, OpenSSH allows root logins. However, disabling root access helps maintain a more secure server. Disable root access by changing the PermitRootLogin assignment to no. 
    PermitRootLogin no

    Administrators can use the su command when root privileges are necessary.

  8. Start the SSH server to apply new settings.
    Click Apple menu > System Preferences > Sharing. Clear and then reselect Remote Login from the left panel. In the Allow access for option, select All users, or specify individual user accounts for the FASP connections.

    Restarting your SSH server does not affect currently connected users.

  9. If you enabled logging, review your logs periodically for evidence of attacks.

Changing the TCP port number

Edit online

SSH servers listen for incoming connections on TCP Port 22 by default. As such, Port 22 is subject to numerous unauthorized login attempts by hackers who attempt to access unsecured servers. An effective deterrent is to close Port 22 and run the service on a seemingly random port in the range 1024 - 65535. To standardize the port for use in Aspera transfers, set the TCP port to 33001 and close TCP/22.

Prerequisites:

  • Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open.
  • Before closing port TCP/22, notify the users of the change.

Notifying users - How to specify TCP/33001

Aspera recognizes that disabling the default SSH connection port (TCP/22) might affect your clients. When you change the port, ensure that you advise your users on how to configure the new port number, from the GUI (if available and used) and from the command line.

  • GUI: Click Connections and select the entry for the server whose ports you are changing. On the Connection tab, click Show Advanced Settings and in the SSH Port (TCP) field enter 33001.
    Client specifying your computer's SSH Port.
  • Command line: Clients running transfers from the command line can specify the port by using the ascp -P 33001 option.

Changing to TCP/33001

The following steps require root privileges.

  1. Open the SSH configuration file . /etc/services
  2. Add the TCP/33001 SSH port and close TCP/22.
    1. Locate the following line: 
      ssh   22/tcp      # SSH Remote Login Protocol
    2. Edit the line for the new TCP port: 
      ssh   33001/tcp      # SSH Remote Login Protocol
    3. Save and close the file.
    4. Restart the SSH service to activate your changes.
      Restarting your SSH server does not affect currently connected users.

    When this setting takes effect:

    • Aspera clients must set the transfer port to 33001 in the GUI, or from the command line use the ascp -P 33001 option.
    • Server administrators must use ssh -p 33001 to access the server through SSH.

Configuring transfer server authentication with a host-key fingerprint

Edit online

Configure the transfer-server authorization to use a host key fingerprint to prevent server impersonation and man-in-the-middle (MITM) attacks. Aspera clients can verify the server's authenticity before starting a transfer by comparing the trusted SSH host key fingerprint, which is obtained directly from the server admin or through an Aspera client web application, with the host key fingerprint that is returned when the connection is made.

  1. Open the SSH configuration file /etc/ssh/sshd_config and set the appropriate SSH key type.
    The HostKey directive can be set to specify various SSH key types. The type that you choose must conform to the requirements of the server's intended clients.
    If you are going to use the server with any of the following product releases, you must modify your configuration to use RSA encryption. If you do not, you can get an error for mismatched fingerprints, and your transfers fails:
    • IBM Aspera Connect
    • IBM Aspera Command Line Interface (ascli)
    • IBM Aspera Cargo
    HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
    If you are going to use your server with later versions of these clients, then use the following configuration: 
    #HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
  2. Restart the SSH server to apply new settings.
    Go to System Preferences > Sharing. Clear and select Remote Login from the left panel. Under Allow access for, select All users, or specify individual user accounts for the FASP connections.
  3. Restart the noded service to activate your changes.
    Run the following commands to reload asperanoded:
    $ sudo launchctl unload /Library/LaunchDaemons/com.aspera.asperanoded.plist
$ sudo launchctl load /Library/LaunchDaemons/com.aspera.asperanoded.plist

Configuring the SSH host-key

Edit online
  1. Set the host key fingerprint or path in the transfer server's aspera.conf file. If you set the host key path, the fingerprint is retrieved from the key file automatically rather than manually.

    Set the host key path

    1. To set the SSH host key path instead of the fingerprint, from which the fingerprint is automatically retrieved, run the following command: 
      # asconfigurator -x "set_server_data;ssh_host_key_path,ssh_key_filepath"

      This command creates a line similar to the following example of the <server> section of aspera.conf:

      <ssh_host_key_path>/etc/ssh/ssh_host_rsa_key.pub</ssh_host_key_path>

    Retrieve and set the host key fingerprint

    1. Retrieve the server's SHA-1 fingerprint. 
      # cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 --decode | sha1sum | awk '{print $1}'
    2. Set the SSH host key fingerprint in aspera.conf. 
      # asconfigurator -x "set_server_data;ssh_host_key_fingerprint,fingerprint"
      This command creates a line similar to the following example of the <server> section of aspera.conf:
      <ssh_host_key_fingerprint>8e6371caacdfb9d7228680132a7cd72a685320a2</ssh_host_key_fingerprint>
  2. Restart the node service to activate your changes.
    Run the following commands to reload asperanoded:
    $ sudo launchctl unload /Library/LaunchDaemons/com.aspera.asperanoded.plist
$ sudo launchctl load /Library/LaunchDaemons/com.aspera.asperanoded.plist