Installing and configuring the SSH Server

You must install and configure an SSH server before you can use HSTS. To increase security, configure transfer-server authorization to use a host-key fingerprint.

Installing OpenSSH

For Windows™ systems, you must install OpenSSH.

About this task

CAUTION: Starting with release 4.2, an SSH server is not included with HSTS. If you are upgrading from a release before 4.2, you must install and configure an SSH server as described in the following steps.

Procedure

Download and install OpenSSH from Microsoft. Be sure that you select the correct version of OpenSSH for your Windows Server. Also, confirm that your version of Windows Server is supported by this release of HSTS.

SSH configuration

Configure SSH for use with HSTS.

About this task

The file that is used in the following steps is:
%PROGRAMDATA%\ssh\sshd_config

Procedure

  1. Open the SSH configuration file %PROGRAMDATA%\ssh\sshd_config.
  2. Disable SSH tunneling.
    Add the following lines to the end of the file (or modify them if they already exist):
    AllowTcpForwarding no  

    Depending on your sshd_config file, you might have other instances of AllowTcpForwarding that are set to the default yes. Because sshd applies the first occurrence of a directive and ignores later ones, review your sshd_config file for other instances and disable them if necessary.

  3. Disable agent forwarding, which is enabled by default.
    Add the following to your SSH configuration file:
    AllowAgentForwarding no 
  4. Adjust the MaxStartups limit for your expected connection load.

    For example, consider changing MaxStartups from the default 10:30:100 to a higher value such as 1000. The default value of 10:30:100 means that once more than 10 unauthenticated connections are pending, each additional connection attempt is refused with a probability of 30%, increasing linearly until the maximum of 100 concurrent unauthenticated connections is reached, at which point all further attempts are refused.

  5. Update authentication methods.
    Public key authentication can prevent brute-force SSH attacks if all password-based authentication methods are disabled. For this reason, disable password authentication in your SSH configuration file and enable public key authentication.
    PubkeyAuthentication yes
    PasswordAuthentication no 
    Note: If you choose to leave password authentication enabled, be sure to advise account creators to use strong passwords and set PermitEmptyPasswords to no.
    PermitEmptyPasswords no
  6. You must set the default shell to aspshell. From a PowerShell prompt run:
    New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Program Files\Aspera\Enterprise Server\bin\aspshell.exe" -PropertyType String -Force
    Note: If you are using a token for authentication, you don't need to run the previous command.
  7. If SSH is not going to be used for other purposes on your system, consider restricting use to an explicit list of allowed HSTS users. By default all users are allowed to log in using the OpenSSH service.
    Attention: If you are on a Windows Domain, you must use the AllowUsers and AllowGroups configuration options to limit access to the server.
    Use the AllowUsers directive in your SSH configuration file. For example,
    AllowUsers xfer1 xfer2 xfer3 
  8. If you want SSH logging, you must enable it.
    Add the following assignment to your SSH configuration file:
    SyslogFacility LOCAL0
    This step allows OpenSSH to write log events to %PROGRAMDATA%\ssh\logs\sshd.log.
    You can also set the verbosity of logging with LogLevel, using syslog level conventions. For example,
    LogLevel INFO
  9. For optimal security, configure SSH to use strong ciphers and MACs, such as the AES and HMAC SHA2 variants. Use the sshd_config directives Ciphers and MACs. Be sure to check which ciphers and MACs are supported by your version of OpenSSH.
    For example,
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
  10. The SFTP subsystem is not used by HSTS. If you don't need SFTP, you can disable it.
  11. Configure the Windows SSH service.
    The new service OpenSSH Server, with the service name sshd, is created as part of the installation. By default, its startup type is set to manual. Change it to automatic so that the service starts after a system restart.
  12. Start the SSH server to apply the new settings.
    Go to Search from the taskbar and type Services. Locate the OpenSSH Service and click Restart.

    Restarting your SSH server does not affect currently connected users.

  13. If you enabled logging, review your logs periodically for evidence of attacks.

Changing the TCP port number

SSH servers listen for incoming connections on TCP Port 22 by default. As such, Port 22 is subject to numerous unauthorized login attempts by hackers who attempt to access unsecured servers. An effective deterrent is to close Port 22 and run the service on a seemingly random port in the range 1024 - 65535. To standardize the port for use in Aspera transfers, set the TCP port to 33001 and close TCP/22.

About this task

Prerequisites:

  • Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open.
  • Before closing port TCP/22, notify the users of the change.

Notifying users - How to specify TCP/33001

Aspera recognizes that disabling the default SSH connection port (TCP/22) might affect your clients. When you change the port, ensure that you advise your users on how to configure the new port number, from the GUI (if available and used) and from the command line.

  • GUI: Click Connections and select the entry for the server whose ports you are changing. On the Connection tab, click Show Advanced Settings and in the SSH Port (TCP) field enter 33001.
    [Figure: Client specifying your computer's SSH port]
  • Command line: Clients running transfers from the command line can specify the port by using the ascp -P 33001 option.

Changing to TCP/33001

The following steps require Administrator privileges.

Procedure

  1. Open the SSH configuration file %PROGRAMDATA%\ssh\sshd_config.
  2. Add the TCP/33001 SSH port and close TCP/22.
    Comment out the line for Port 22 and add a line for Port 33001:
    #Port 22 
    Port 33001

    When this setting takes effect:

    • Aspera clients must set the transfer port to 33001 in the GUI, or from the command line use the ascp -P 33001 option.
    • Server administrators must use ssh -p 33001 to access the server through SSH.
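As an added example (not part of the HSTS documentation or product), the following Python script audits an sshd_config for the forwarding, authentication and port settings from the two procedures above, applying the OpenSSH rule that the first occurrence of a directive wins; the sample configuration is constructed and reproduces the duplicate AllowTcpForwarding case.

```python
"""Audit sshd_config against the HSTS settings above (added example, not
product code). sshd applies the FIRST occurrence of a directive, so a stray
'AllowTcpForwarding yes' earlier in the file overrides a 'no' appended at the
end. Lines from the first 'Match' keyword on are conditional and are skipped."""

# Directive -> value the procedures expect (directive names are case-insensitive).
EXPECTED = {
    "allowtcpforwarding": "no",
    "allowagentforwarding": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "port": "33001",
}

def effective_directives(config_text):
    """Return {directive: (value, line_no)} as sshd would apply them."""
    effective = {}
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional section begins; global settings end here
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        effective.setdefault(key, (value, line_no))  # first occurrence wins
    return effective

def audit(config_text, expected=EXPECTED):
    """Return (directive, expected, effective, line_no) for each deviation."""
    actual = effective_directives(config_text)
    findings = []
    for key, want in expected.items():
        got, line_no = actual.get(key, (None, None))
        if got != want:
            findings.append((key, want, got, line_no))
    return findings

# Constructed sample: the 'no' on the last line is overridden by line 2.
SAMPLE = """\
# constructed sshd_config excerpt
AllowTcpForwarding yes
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowAgentForwarding no
AllowTcpForwarding no
"""

if __name__ == "__main__":
    for key, want, got, line_no in audit(SAMPLE):
        print(f"{key}: expected {want}, effective {got!r} (line {line_no})")
```

Run it against the real file with `audit(open(r"C:\ProgramData\ssh\sshd_config").read())`; a `None` effective value means the directive is absent and sshd's built-in default applies.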

Configuring transfer server authentication with a host-key fingerprint

Configure the transfer-server authorization to use a host key fingerprint to prevent server impersonation and man-in-the-middle (MITM) attacks. Aspera clients can verify the server's authenticity before starting a transfer by comparing the trusted SSH host key fingerprint, which is obtained directly from the server admin or through an Aspera client web application, with the host key fingerprint that is returned when the connection is made.

Procedure

  1. Open the SSH configuration file %PROGRAMDATA%\ssh\sshd_config and set the appropriate SSH key type.
    The HostKey directive can be set to specify various SSH key types. The type that you choose must conform to the requirements of the server's intended clients.
    If you are going to use the server with any of the following product releases, you must modify your configuration to use an RSA host key. If you do not, you can get a mismatched-fingerprint error, and your transfers fail:
    • IBM® Aspera Connect
    • IBM Aspera Command Line Interface (ascli)
    • IBM Aspera Cargo
    HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
    #HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
    #HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
    #HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
    If you are going to use your server with later versions of these clients, then use the following configuration:
    #HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
    #HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
    HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
    #HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
  2. Restart the SSH server to apply new settings.
  3. Restart the noded service to activate your changes.

    Go to Search from the taskbar and type Services, click IBM Aspera NodeD, and click Restart.

Configuring the SSH host-key

Procedure

  1. Set the host key fingerprint or path in the transfer server's aspera.conf file. If you set the host key path, the fingerprint is retrieved from the key file automatically rather than manually.

    Set the host key path

    1. To set the SSH host key path instead of the fingerprint, from which the fingerprint is automatically retrieved, run the following command:
      # asconfigurator -x "set_server_data;ssh_host_key_path,ssh_key_filepath"

      This command creates a line similar to the following example in the <server> section of aspera.conf:

      <ssh_host_key_path>C:\ProgramData\ssh\ssh_host_rsa_key.pub</ssh_host_key_path>

    Retrieve and set the host key fingerprint

    1. Retrieve the server's SHA-1 fingerprint.
      On the server, run a local ascp transfer. The transfer doesn't need to complete successfully for the remote host-key fingerprint to appear in the log file.
      > ascp source_file username@localhost:destination
      Open C:\Program Files\Aspera\Enterprise Server\var\log\aspera-scp-transfer.log. Search for "remote host-key fingerprint". The SHA-1 fingerprint appears similar to the following, where 8e6371caacdfb9d7228680132a7cd72a685320a2 is the fingerprint:
      2022-09-21 08:36:25.378 [1788-000012e4] LOG [asssh] remote host-key fingerprint 8e6371caacdfb9d7228680132a7cd72a685320a2
    2. Set the SSH host key fingerprint in aspera.conf.
      # asconfigurator -x "set_server_data;ssh_host_key_fingerprint,fingerprint"
      This command creates a line similar to the following example in the <server> section of aspera.conf:
      <ssh_host_key_fingerprint>8e6371caacdfb9d7228680132a7cd72a685320a2</ssh_host_key_fingerprint>
  2. Restart the noded service to activate your changes.

    Go to Search from the taskbar and type Services, click IBM Aspera NodeD, and click Restart.
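The following Python script is an added example, not Aspera's code: it derives the fingerprint from a host key's .pub file and checks it against the value pinned in <ssh_host_key_fingerprint>, so an administrator can confirm the pinned value before clients start failing on a mismatch (for instance after switching the HostKey directive from RSA to ECDSA as described above, which changes the fingerprint). It assumes the 40-hex-digit value is the SHA-1 of the raw public-key blob (the base64 field of the .pub file); the sample key is constructed.

```python
"""Compute and check the host-key fingerprint that aspera.conf pins.
Added example, not Aspera's code. Assumption: the 40-hex-digit value in
<ssh_host_key_fingerprint> is the SHA-1 of the raw public-key blob (the
base64 field of the .pub file). The sample key below is constructed."""
import base64
import hashlib
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

def parse_pub_line(pub_line):
    """Return (key_type, blob) from an OpenSSH .pub line: 'type base64 [comment]'."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob's first field names the algorithm and must agree with column 1;
    # a mismatch means the file is not the key clients will be shown.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode() != key_type:
        raise ValueError("key type in blob does not match .pub header")
    return key_type, blob

def sha1_fingerprint(pub_line):
    """Hex SHA-1 over the key blob, the form written to <ssh_host_key_fingerprint>."""
    _, blob = parse_pub_line(pub_line)
    return hashlib.sha1(blob).hexdigest()

def fingerprint_matches(pub_line, configured):
    """True if the pinned value matches the key file (hex compared case-insensitively)."""
    return sha1_fingerprint(pub_line) == configured.strip().lower()

# Constructed ssh-ed25519 public key (32 dummy key bytes) in .pub format.
_blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " hsts-example"

if __name__ == "__main__":
    fp = sha1_fingerprint(SAMPLE_PUB)
    print("fingerprint:", fp)
    print("matches pinned value:", fingerprint_matches(SAMPLE_PUB, fp))
```

To check a real server, read the first line of C:\ProgramData\ssh\ssh_host_rsa_key.pub (or the key named by your active HostKey directive) and pass it with the value from aspera.conf to fingerprint_matches.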