SFTP Outgoing Ciphers and Advanced Properties

Advanced Properties are available for enabling or disabling the following SFTP properties. In most cases an advanced property is used to turn OFF, for outbound (client) connections, a cipher that is still allowed for inbound connections. For a few algorithms, however, the security risk is high enough that they are disabled for outbound by default, and the advanced property must explicitly enable them even if the algorithm is already enabled for inbound connections via the interface. Note that the outbound defaults below still include 3des-cbc and the CBC-mode ciphers; the SftpClientCiphers, SftpClientKexAlgorithms and SftpClientMACs properties described later on this page let you restrict the outbound lists to a specific set of algorithms in a specific order.

Outgoing Ciphers

Enabled by default:

  • aes256-gcm@openssh.com (can be disabled for client outbound via Advanced Property SFTP2_AES256_GCM_AT_OPENSSH_COM to false)

  • aes256-ctr (can be disabled for client outbound via Advanced Property SFTP2_AES256CTR to false)

  • aes256-cbc  (can be disabled for client outbound via Advanced Property SFTP2_AES256 to false)

  • rijndael-cbc@lysator.liu.se (can be disabled for client outbound via Advanced Property SFTP2_RIJNDAEL_CBC_AT_LYSATOR_LIU_SE to false)

  • aes192-ctr (can be disabled for client outbound via Advanced Property SFTP2_AES192CTR to false)

  • aes192-cbc (can be disabled for client outbound via Advanced Property SFTP2_AES192 to false)

  • aes128-gcm@openssh.com (can be disabled for client outbound via Advanced Property SFTP2_AES128_GCM_AT_OPENSSH_COM to false)

  • aes128-ctr (can be disabled for client outbound via Advanced Property SFTP2_AES128CTR to false)

  • aes128-cbc (can be disabled for client outbound via Advanced Property SFTP2_AES128 to false)

  • 3des-cbc (can be disabled for client outbound via Advanced Property SFTP2_TripleDES to false)

  • chacha20-poly1305@openssh.com (can be disabled for client outbound via Advanced Property SFTP2_CHACHA20_POLY1305_AT_OPENSSH_COM to false)

Disabled by default:

  • cast128-cbc  (can be enabled for client outbound via Advanced Property SFTP2_CAST128 to true)

  • blowfish-cbc (can be enabled for client outbound via Advanced Property SFTP2_Blowfish to true)

  • arcfour (can be enabled for client outbound via Advanced Property SFTP2_ARCFOUR to true)

Advanced Properties related to SFTP:

  • EnableXferLog - (enable transfer logs) Set to true to improve log performance

  • CloseFinishedItemLog - (enable removal of successful logs) Set to true to improve log performance

  • SFTP2_Log - Set to 1 to enable ClientFTP SFTP logging.

  • SFTP2_Log_Level - ClientFTP SFTP log level.

  • SFTP2_AuthByKey - Enable ClientFTP SFTP authentication by key.

  • SFTP2_AuthByPassword - Enable ClientFTP SFTP authentication by password.

  • SFTP2_UseCompression - Enable ClientFTP SFTP compression.

  • SFTP2PrivateKey - ClientFTP SFTP private key.

  • SFTP2PublicKey - ClientFTP SFTP public key.

  • SFTPDiscardClientTimestamp - Disregard client-initiated SFTP SSH_FXP_FSETSTAT and SSH_FXP_SETSTAT commands that change the date/timestamp of files.

  • SFTPEnableGroup1Kex - Enable or disable the diffie-hellman-group1-sha1 KEX (a legacy 1024-bit group) for SFTP

  • SFTPEnableGroupsExchangeKex - Enable or disable diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256 KEXes for SFTP

  • SFTPOutQueueBytesLimit - Specifies the upper limit (in bytes) of the SFTP out queue; 0 means no limit

  • SFTP2_AES128 - Setting to 1 enables the AES128 cipher algorithm.

  • SFTP2_AES128CTR - Setting to 1 enables the AES128CTR cipher algorithm.

  • SFTP2_AES256 - Setting to 1 enables the AES256 cipher algorithm.

  • SFTP2_AES256CTR - Setting to 1 enables the AES256CTR cipher algorithm.

  • SFTP2_ARCFOUR - Setting to 1 enables the ARCFOUR cipher algorithm.

  • SFTP2_Blowfish - Setting to 1 enables the Blowfish cipher algorithm.

  • SFTP2_CAST128 - Setting to 1 enables the CAST128 cipher algorithm.  

  • SFTP2_MD5 - Setting to 1 enables the MD5 MAC algorithm.

  • SFTP2_MD5_96 - Setting to 1 enables the MD5_96 MAC algorithm.

  • SFTP2_SHA1 - Setting to 1 enables the SHA1 MAC algorithm.  

  • SFTP2_SHA1_96 - Setting to 1 enables the SHA1_96 MAC algorithm.

  • SFTP2_SHA2_256 - Setting to 1 enables the SHA2_256 MAC algorithm.

  • SFTP2_SHA2_512 - Setting to 1 enables the SHA2_512 MAC algorithm.

  • SFTP2_TripleDES - Setting to 1 enables the TripleDES cipher algorithm.

  • SFTP2_Twofish - Setting to 1 enables the Twofish cipher algorithm.  

  • SFTP2_TWOFISH128 - Setting to 1 enables the TWOFISH128 cipher algorithm.  

  • SFTP2_TWOFISH256 - Setting to 1 enables the TWOFISH256 cipher algorithm.  

  • SftpClientCiphers - Override the client's enabled ciphers and their order. Example: "SftpClientCiphers": "aes128-ctr,aes192-ctr,aes256-ctr" The combined values must be comma separated *without* any additional characters (no spaces). If not set, the default ordering is used, which is the same as the server inbound order.

    • For non-FIPS, SftpClientCiphers, you can combine values:

      •     aes256-gcm@openssh.com

      •     aes256-ctr

      •     aes256-cbc

      •     rijndael-cbc@lysator.liu.se

      •     twofish256-cbc

      •     twofish-cbc

      •     aes192-ctr

      •     aes192-cbc

      •     aes128-gcm@openssh.com

      •     aes128-ctr

      •     aes128-cbc

      •     twofish128-cbc

      •     3des-cbc

      •     chacha20-poly1305@openssh.com

      •     cast128-cbc

      •     blowfish-cbc

      •     arcfour

    • For FIPS, SftpClientCiphers, you can combine values:

      •     aes256-gcm@openssh.com

      •     aes256-ctr

      •     aes256-cbc

      •     rijndael-cbc@lysator.liu.se

      •     aes192-ctr

      •     aes192-cbc

      •     aes128-gcm@openssh.com

      •     aes128-ctr

      •     aes128-cbc

      •     3des-cbc

  • SftpClientKexAlgorithms - Override the client's enabled KEXes and their order. Example: "SftpClientKexAlgorithms": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256" The combined values must be comma separated *without* any additional characters (no spaces). If not set, the default ordering is used, which is the same as the server inbound order.

    • For non-FIPS, SftpClientKexAlgorithms, you can combine values:

      •     ecdh-sha2-nistp521

      •     ecdh-sha2-nistp384

      •     ecdh-sha2-nistp256

      •     diffie-hellman-group18-sha512

      •     diffie-hellman-group16-sha512

      •     diffie-hellman-group14-sha256

      •     diffie-hellman-group-exchange-sha256

      •     diffie-hellman-group14-sha1

      •     curve25519-sha256

      •     curve25519-sha256@libssh.org

      •     sntrup4591761x25519-sha512@tinyssh.org

      •     diffie-hellman-group-exchange-sha1

      •     diffie-hellman-group1-sha1

    • For FIPS, SftpClientKexAlgorithms, you can combine values:

      •     ecdh-sha2-nistp521

      •     ecdh-sha2-nistp384

      •     ecdh-sha2-nistp256

      •     diffie-hellman-group18-sha512

      •     diffie-hellman-group16-sha512

      •     diffie-hellman-group14-sha256

      •     diffie-hellman-group-exchange-sha256

      •     diffie-hellman-group14-sha1

      •     diffie-hellman-group-exchange-sha1

  • SftpClientMACs - Override the client's enabled MACs and their order. Example: "SftpClientMACs": "hmac-sha2-256,hmac-sha2-512,hmac-sha1" The combined values must be comma separated *without* any additional characters (no spaces). If not set, the default ordering is used, which is the same as the server inbound order.

    • For non-FIPS, SftpClientMACs, you can combine values:

      •     hmac-sha2-512-etm@openssh.com

      •     hmac-sha2-512

      •     hmac-sha2-256-etm@openssh.com

      •     hmac-sha2-256

      •     hmac-sha1-etm@openssh.com

      •     hmac-sha1

      •     umac-64-etm@openssh.com

      •     umac-64@openssh.com

      •     hmac-md5

      •     hmac-sha1-96

      •     hmac-md5-96

    • For FIPS, SftpClientMACs, you can combine values:

      •     hmac-sha2-512-etm@openssh.com

      •     hmac-sha2-512

      •     hmac-sha2-256-etm@openssh.com

      •     hmac-sha2-256

      •     hmac-sha1-etm@openssh.com

      •     hmac-sha1
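The three override properties above (SftpClientCiphers, SftpClientKexAlgorithms and SftpClientMACs) share one value format and two practical pitfalls: the page requires a comma-separated value with no additional characters, and an override is also the easiest way to accidentally keep a legacy algorithm such as 3des-cbc, arcfour or diffie-hellman-group1-sha1 in the outbound list. The following Python script is an added example and is not part of the product or this page. It validates an override value against the allowed lists copied from this page for the chosen FIPS mode, flags entries that the example itself (by its own judgement, not the page's) treats as weak, and generates a hardened override string that keeps the page's ordering. The weak-algorithm classification and the `parse_override` / `check_override` / `harden` helpers are this example's assumptions for illustration.

```python
"""Validate and harden SftpClientCiphers / SftpClientKexAlgorithms /
SftpClientMACs override values (added example, not product code)."""
import re

# Allowed values per property and FIPS mode, in the order the page lists them.
ALLOWED = {
    False: {  # non-FIPS
        "SftpClientCiphers": [
            "aes256-gcm@openssh.com", "aes256-ctr", "aes256-cbc",
            "rijndael-cbc@lysator.liu.se", "twofish256-cbc", "twofish-cbc",
            "aes192-ctr", "aes192-cbc", "aes128-gcm@openssh.com",
            "aes128-ctr", "aes128-cbc", "twofish128-cbc", "3des-cbc",
            "chacha20-poly1305@openssh.com", "cast128-cbc", "blowfish-cbc",
            "arcfour",
        ],
        "SftpClientKexAlgorithms": [
            "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
            "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1", "curve25519-sha256",
            "curve25519-sha256@libssh.org", "sntrup4591761x25519-sha512@tinyssh.org",
            "diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1",
        ],
        "SftpClientMACs": [
            "hmac-sha2-512-etm@openssh.com", "hmac-sha2-512",
            "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256",
            "hmac-sha1-etm@openssh.com", "hmac-sha1",
            "umac-64-etm@openssh.com", "umac-64@openssh.com",
            "hmac-md5", "hmac-sha1-96", "hmac-md5-96",
        ],
    },
    True: {  # FIPS
        "SftpClientCiphers": [
            "aes256-gcm@openssh.com", "aes256-ctr", "aes256-cbc",
            "rijndael-cbc@lysator.liu.se", "aes192-ctr", "aes192-cbc",
            "aes128-gcm@openssh.com", "aes128-ctr", "aes128-cbc", "3des-cbc",
        ],
        "SftpClientKexAlgorithms": [
            "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
            "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
        ],
        "SftpClientMACs": [
            "hmac-sha2-512-etm@openssh.com", "hmac-sha2-512",
            "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256",
            "hmac-sha1-etm@openssh.com", "hmac-sha1",
        ],
    },
}

# This example's own (assumed) classification of what to keep out of an
# outbound allow-list; the first matching pattern wins.
WEAK = [
    (r"^arcfour", "RC4 stream cipher"),
    (r"^(blowfish|cast128|3des)-", "64-bit block cipher"),
    (r"-cbc(@|$)", "CBC mode"),
    (r"^hmac-md5", "MD5-based MAC"),
    (r"-96$", "truncated 96-bit MAC tag"),
    (r"^umac-64", "64-bit MAC tag"),
    (r"^hmac-sha1", "SHA-1 MAC"),
    (r"^diffie-hellman-group1-", "1024-bit DH group"),
    (r"^diffie-hellman-.*-sha1$", "SHA-1 key exchange"),
]

_TOKEN = re.compile(r"^[A-Za-z0-9@.\-]+$")


def parse_override(value):
    """Split a value as the page requires it: comma separated, no whitespace
    or other characters, no duplicates. Raises ValueError otherwise."""
    if not value:
        raise ValueError("empty override")
    names = value.split(",")
    for name in names:
        if not _TOKEN.match(name):
            raise ValueError("bad token %r (whitespace or stray characters?)" % name)
    if len(set(names)) != len(names):
        raise ValueError("duplicate algorithm in override")
    return names


def weakness(name):
    """Reason this example considers the algorithm weak, or None."""
    for pattern, reason in WEAK:
        if re.search(pattern, name):
            return reason
    return None


def check_override(prop, value, fips=False):
    """Classify each entry as unknown for this FIPS mode, weak, or ok."""
    allowed = ALLOWED[fips][prop]
    result = {"unknown": [], "weak": [], "ok": []}
    for name in parse_override(value):
        if name not in allowed:
            result["unknown"].append(name)
        elif weakness(name):
            result["weak"].append((name, weakness(name)))
        else:
            result["ok"].append(name)
    return result


def harden(prop, fips=False):
    """Override string with the weak entries removed, in the page's order."""
    return ",".join(n for n in ALLOWED[fips][prop] if weakness(n) is None)


if __name__ == "__main__":
    for prop in ALLOWED[False]:
        print('"%s": "%s"' % (prop, harden(prop, fips=False)))
    print(check_override("SftpClientMACs", "hmac-sha2-256,hmac-sha2-512,hmac-sha1"))
```

Running the script prints a hardened non-FIPS override for each of the three properties and shows that the page's own SftpClientMACs example keeps hmac-sha1 in the list. Because the override replaces the default list and order, the result of `harden` is only a starting point: the first entry the remote server also supports is the one that will be negotiated, so place the algorithms you prefer first and confirm the peer supports at least one of them before deploying.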
