SFTP (part of the SSH protocol suite) enables secure file transfers in both client and server modes. SSH supports the “password” and “publickey” authentication methods. Security options control which authentication methods are allowed. Public keys can be imported from other systems in various PEM formats (such as OpenSSH). The ClearPath MCP requires that public keys be stored in Security Center before the connection is attempted (other products may use a pop-up to ask when a public key is not in the trusted list). The SSH KeyScan functionality allows the security administrator to acquire the public key for the remote system and store it in Security Center’s trusted list for that IP address.
Each usercode can have multiple public keys associated with it. All public keys for the usercode are checked when the remote user attempts to connect to the MCP host. This is equivalent to the use of the ~/.ssh/authorized_keys file in Linux environments.
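The following Python sketch is an added example, not Unisys code: it models only the lookup side of the two trust lists described above (host keys stored per IP address before any connection, and several keys per usercode that are all checked), not the SSH signature exchange. The `TrustedKeys` class, the owner names, and the key material are constructed for illustration and do not represent Security Center's interface.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: length + bytes


def parse_pubkey_line(line: str) -> bytes:
    """Return the key blob from an OpenSSH line '<type> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with the key type as an SSH string; it must match field 0.
    if not blob.startswith(ssh_string(fields[0].encode())):
        raise ValueError("key type does not match blob")
    return blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class TrustedKeys:
    """Hypothetical in-memory store keyed by remote IP address or usercode."""

    def __init__(self):
        self._keys = {}

    def add(self, owner: str, pubkey_line: str) -> str:
        blob = parse_pubkey_line(pubkey_line)
        self._keys.setdefault(owner, []).append(blob)
        return fingerprint(blob)

    def is_trusted(self, owner: str, presented_blob: bytes) -> bool:
        # All keys stored for the owner are checked; an owner with no stored
        # key is refused rather than prompted (no trust on first use).
        return presented_blob in self._keys.get(owner, [])


def constructed_rsa_line(seed: bytes) -> str:
    """Build a well-formed ssh-rsa line from filler bytes (not a usable key)."""
    n = b"\x00\xff" + hashlib.sha512(seed).digest() * 4
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed"
```

The fingerprint returned by `add` is the value an administrator would compare out of band with the remote system's owner before accepting a scanned key into the trusted list.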
A compatibility matrix for SSH and SFTP can be found on the Unisys Product Support website.
The following algorithms are supported:
- Key Exchange
  - DIFFIE-HELLMAN-GROUP1
  - DIFFIE-HELLMAN-GROUP14
  - DIFFIE-HELLMAN-GROUP14-SHA256
  - DIFFIE-HELLMAN-GROUP16-SHA512
  - ECDH-SHA2-NISTP384
- Encryption
  - AES256-CBC
  - AES128-CBC
  - AES256-CTR
  - AES128-CTR

  Note: There is a TCPIP option, AESCBC, to control usage of AES-CBC encryption. The option is on by default; you can turn it off to disable support for AES-CBC encryption.
- MAC
  - HMAC-SHA1
  - HMAC-SHA2-256
  - HMAC-SHA2-512
- Host Key
  - SSH-RSA
  - RSA-SHA2-256
  - RSA-SHA2-512
- User Authentication
  - Public Key
  - Password

For more information about system security options, see Controlling System Security. For more information about SFTP, see TCP/IP Distributed Systems Services Operations Guide.

