SSH and SFTP
With the Admin Security or JITC feature sets enabled, the Secure Shell (SSH) and related Secure Shell File Transfer (SFTP) protocols provide for the secure transfer of audit files and for the secure transfer of management traffic across the wancom0 interface.
SSH Operations
SSH Version 2.0, the only version supported on the OCSBC, is defined by a series of five RFCs.
- RFC 4250, The Secure Shell (SSH) Protocol Assigned Numbers
- RFC 4251, The Secure Shell (SSH) Protocol Architecture
- RFC 4252, The Secure Shell (SSH) Authentication Protocol
- RFC 4253, The Secure Shell (SSH) Transport Layer Protocol
- RFC 4254, The Secure Shell (SSH) Connection Protocol
RFCs 4252 and 4253 are most relevant to OCSBC operations.
The transport layer protocol (RFC 4253) provides algorithm negotiation and key exchange. The key exchange includes server authentication and results in a cryptographically secured connection that provides integrity, confidentiality and optional compression. Forward secrecy is provided through a Diffie-Hellman key agreement, which results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
The authentication protocol (RFC 4252) uses the secure connection provided by the transport layer. It provides several mechanisms for user authentication. Two modes are supported by the OCSBC: traditional password authentication and public-key authentication.
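The selection rule behind "the client selects the encryption algorithm from those offered by the server" is the RFC 4253 section 7.1 negotiation: the chosen name is the first entry in the client's list that the server also offers. The example below is added here and is not Oracle's code; it uses assumed OpenSSH wire names for the cipher and MAC families listed above, and shows why a server that keeps offering legacy names (Arcfour, hmac-md5) can still end up with them negotiated, and how trimming the server offer prevents that.

```python
# Added example, not Oracle's code: RFC 4253 section 7.1 algorithm negotiation.
# Cipher and MAC names are the OpenSSH wire names assumed for the families
# named in the text; the server offer is constructed to mirror that list.
SERVER_OFFER = {
    "enc": ["aes128-cbc", "blowfish-cbc", "3des-cbc", "cast128-cbc",
            "arcfour", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160"],
}

# Names retired from OpenSSH defaults (assumed flag list for this example).
# A server that still offers them lets a client that prefers them win.
LEGACY = {"arcfour", "blowfish-cbc", "3des-cbc", "cast128-cbc",
          "hmac-md5", "hmac-ripemd160"}


def negotiate(client_list, server_list):
    """First client-preferred name the server supports, else None (RFC 4253 7.1)."""
    offered = set(server_list)
    return next((name for name in client_list if name in offered), None)


def negotiate_session(client_offer, server_offer):
    """Pick the cipher and MAC; raise if either has no common algorithm."""
    chosen = {}
    for kind in ("enc", "mac"):
        name = negotiate(client_offer[kind], server_offer[kind])
        if name is None:
            raise ValueError(f"no common {kind} algorithm")
        chosen[kind] = name
    return chosen


def harden(server_offer):
    """Server offer with legacy names removed, so they can never be negotiated."""
    return {k: [n for n in v if n not in LEGACY] for k, v in server_offer.items()}


def legacy_picked(chosen):
    """Sorted list of negotiated names that are on the legacy flag list."""
    return sorted(n for n in chosen.values() if n in LEGACY)


if __name__ == "__main__":
    # Constructed client KEXINIT preferring the weakest names the server offers.
    client = {"enc": ["arcfour", "aes128-cbc"], "mac": ["hmac-md5", "hmac-sha1"]}
    print(negotiate_session(client, SERVER_OFFER))          # arcfour / hmac-md5
    print(negotiate_session(client, harden(SERVER_OFFER)))  # aes128-cbc / hmac-sha1
```

Log the negotiated names per session; any name in the legacy set appearing in those logs is the signal that the server offer, not the client, needs trimming.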
Configuring SSH Properties
The single instance ssh-config configuration element specifies SSH re-keying thresholds.
Managing SSH Keys
Use the following procedure to import an SSH host key.
Importing a host key requires access to the SFTP server or servers that receive audit log transfers. Access is most easily obtained with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.
Importing SSH Keys
Use the following procedure to import an SSH public key.
Prior to using SSH public-key-based authentication you must import a copy of the public key of each user who will authenticate using this method. The public key identifies the user as a trusted entity when the Oracle SBC performs authentication.
During the SSH login, the user presents its public key to the SBC. Upon receiving the offered public key, the SBC validates it against the previously obtained trusted copy of the key to identify and authenticate the user.
Importing a public key requires access to the device on which the public key was generated, or on which it is currently stored with its associated private key. Access is generally attained with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.
SFTP Operations
SFTP performs all operations over an encrypted SSH connection. It may also use many features of SSH, such as public key authentication and compression. SFTP connects and logs into the specified host, then enters an interactive command mode.
Once in interactive mode, SFTP understands a set of commands similar to those of FTP. Commands are case insensitive and pathnames may be enclosed in quotes if they contain spaces.
- bye—Quit SFTP.
- cd path—Change remote directory to path.
- lcd path—Change local directory to path.
- chgrp grp path—Change group of file path to grp. grp must be a numeric GID.
- chmod mode path—Change permissions of file path to mode.
- chown own path—Change owner of file path to own. own must be a numeric UID.
- dir (or ls)—List the files in the current directory.
- exit—Quit SFTP.
- get [flags] remote-path [local-path]—Retrieve the remote-path and store it on the local machine. If the local path name is not specified, it is given the same name it has on the remote machine. If the -P flag is specified, then the file's full permission and access time are copied too.
- help—Display help text.
- lcd—Change the directory on the local computer.
- lls [ls-options [path]]—Display local directory listing of either path or current directory if path is not specified.
- lmkdir path—Create local directory specified by path.
- ln oldpath newpath—Create a symbolic link from oldpath to newpath.
- lpwd—Print local working directory.
- ls [path]—Display remote directory listing of either path or current directory if path is not specified.
- lumask umask—Set local umask to umask.
- mkdir path—Create remote directory specified by path.
- put [flags] local-path [remote-path]—Upload local-path and store it on the remote machine. If the remote path name is not specified, it is given the same name it has on the local machine. If the -P flag is specified, then the file's full permission and access time are copied too.
- pwd—Display remote working directory.
- quit—Quit SFTP.
- rename oldpath newpath—Rename remote file from oldpath to newpath.
- rmdir path—Remove remote directory specified by path.
- rm path—Delete remote file specified by path.
- symlink oldpath newpath—Create a symbolic link from oldpath to newpath.
- ! command—Execute command in local shell.
- !—Escape to local shell.
- ?—Synonym for help.
Note:
Command availability is subject to Oracle authorization/privilege classes. Some SFTP commands are available only to certain users; some commands are available to no users.
RADIUS file access privileges are specified by the Acme-User-Privilege VSA, which can take the following values.
- sftpForAudit—allows audit log access
- sftpForAccounting—allows system logs to be accessed
- sftpForHDR—allows HDR (Historical Data Records) to be accessed
- sftpForAll—allows all logs to be accessed