Introduction

Welcome to /n software SFTP Server, an easy-to-use, reliable file transfer solution featuring the SSH File Transfer Protocol. SFTP Server enables authorized users to establish a secure connection and open, read, or write files on demand.

The server is designed to be simple to configure while providing high throughput and robust security, with support for modern algorithms such as AES (CTR, CBC, and GCM), SHA-256 and ECDH, plus legacy ciphers such as 3DES and Blowfish for older clients. SFTP Server is built on the core of IPWorks SSH and features a simple interface that can be set up in minutes.

Features

  • Support for Public Key, Password, and GSSAPI Authentication (NTLM/Kerberos) for secure connections.
  • Run as a Windows Service or as a standalone user application.
  • Session management for viewing and disconnecting clients.
  • Strong AES encryption, message integrity checking, secure secret key exchange.
  • User-specific root directories via the '$user' reserved value.
  • Concurrent remote connections limited only by the installed license.

Additional Information

You will always find the latest information about SFTP Server at our web site: www.nsoftware.com. We offer free, fully-functional 30-day trials for all of our products, and our technical support staff are happy to answer any questions you may have during your evaluation.

Please direct all technical questions to support@nsoftware.com. To help support technicians assist you as quickly as possible, please provide a detailed and accurate description of your problem, the results you expected, and the results that you received while using our product. For questions about licensing and pricing, and all other general inquiries, please contact sales@nsoftware.com.

Thank You!

Thank you for choosing SFTP Server. We realize that you have a choice among tools, and that by choosing us you are counting on us to be a key component in your business. We work around the clock to provide you with ongoing enhancements, support, and innovative products; and we will always do our best to exceed your expectations!

Running SFTP Server

Getting Started

SFTP Server can be started directly from the application's main window, via the command line, or configured to run as a Windows service. Use the Start, Restart and Stop buttons in the toolbar to manage the status of the listener from the main window.

End-users and clients can access SFTP Server if they are added to the users list and are enabled in the Users tab. Once the desired options and users have been configured, press the Save Changes button in the toolbar to save the changes.

Starting as a Windows Service

The application may also be configured to run as a Windows service. To enable running as a Windows service navigate to the Service tab and check the Run as a Windows Service checkbox. Click Save Changes to save the changes.

After Save Changes is pressed, no user interaction is required to start the application. The Windows service will be configured with a startup type of automatic. The user interface does not need to remain open when running as a Windows service.

Command Line Parameters

The Windows Service may be started and stopped from the command line by specifying the "servicestart" and "servicestop" command line parameters. For instance:

  • To start the service: SFTPServer.exe /servicestart
  • To stop the service: SFTPServer.exe /servicestop

When not running as a Windows Service the "start", "stop", "restart", and "exit" command line parameters may be used.

  • To start SFTP Server: SFTPServer.exe /start
  • To stop SFTP Server: SFTPServer.exe /stop
  • To restart SFTP Server: SFTPServer.exe /restart
  • To close SFTP Server: SFTPServer.exe /exit

Additional command line parameters:

  • To retrieve the maximum number of connections: SFTPServer.exe /GetMaxConnections

Security

General Security Notes

SFTP Server allows a high degree of flexibility and control over the enabled key exchange, encryption, and MAC algorithms through Registry Keys. SFTP Server does not store passwords for virtual users in plaintext. All passwords are encrypted with DPAPI and stored in the registry. Because DPAPI binds protected data to the machine (or account) that protected it, copying the registry key to another host does not yield usable passwords.
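The following script is added here as a worked example; it is not part of the product or its documentation. It applies a restricted subset of the algorithms documented under Registry Keys by writing the SSHEncryptionAlgorithms, SSHKeyExchangeAlgorithms and SSHMacAlgorithms values, enables strict key exchange and automatic blocking, and then checks that nothing deprecated is still enabled. The registry path and value names are taken from this page; the particular subset chosen, the backup location and the "forbidden" list are assumptions of the example.

```powershell
# Added example (not /n software code). Run from an elevated PowerShell prompt.
# Changes take effect after the listener is restarted
# (SFTPServer.exe /servicestop then /servicestart when running as a service).
$KeyPath = 'HKLM:\SOFTWARE\nsoftware\SFTPServer\22'

# Hardened lists built only from the "Valid values" documented for each setting.
# Order is server preference; per the docs the client's order actually decides.
$Hardened = @{
    SSHEncryptionAlgorithms  = 'aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
    SSHKeyExchangeAlgorithms = 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521'
    SSHMacAlgorithms         = 'hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512'
}
$HardenedDwords = @{
    SSHUseStrictKeyExchange  = 1    # Terrapin mitigation (documented value)
    AuthMaxAttempts          = 3    # retries per connection
    AutoBlockMaxAuthAttempts = 5    # failures before the source IP is blocked (assumed policy)
    AutoBlockDuration        = 900  # seconds the block lasts (assumed policy)
}

if (-not (Test-Path $KeyPath)) { throw "SFTP Server registry key not found: $KeyPath" }

# Export the key first so the change can be reverted (backup path is an assumption).
$Backup = Join-Path $env:TEMP 'SFTPServer-22-before-hardening.reg'
reg.exe export 'HKLM\SOFTWARE\nsoftware\SFTPServer\22' $Backup /y | Out-Null

foreach ($name in $Hardened.Keys) {
    $before = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
    Set-ItemProperty -Path $KeyPath -Name $name -Value $Hardened[$name] -Type String
    Write-Host "$name`n  before: $before`n  after:  $($Hardened[$name])"
}
foreach ($name in $HardenedDwords.Keys) {
    Set-ItemProperty -Path $KeyPath -Name $name -Value $HardenedDwords[$name] -Type DWord
}

# Verify: none of the deprecated algorithms from the documented valid-value
# lists may remain in any of the three settings.
$Forbidden = 'arcfour','arcfour128','arcfour256','3des-cbc','3des-ctr','blowfish-cbc',
             'cast128-cbc','hmac-md5','hmac-md5-96','hmac-sha1-96','hmac-sha2-256-96',
             'hmac-sha2-512-96','diffie-hellman-group1-sha1','diffie-hellman-group-exchange-sha1'
$Now = Get-ItemProperty -Path $KeyPath
$Enabled = (($Now.SSHEncryptionAlgorithms, $Now.SSHKeyExchangeAlgorithms, $Now.SSHMacAlgorithms) -join ',') -split ',' |
           ForEach-Object { $_.Trim() }
$Leftover = $Enabled | Where-Object { $Forbidden -contains $_ }
if ($Leftover) { throw "Deprecated algorithms still enabled: $($Leftover -join ', ')" }
Write-Host "Algorithm lists hardened; backup at $Backup. Restart the listener to apply."
```

Keep the .reg backup until clients have been confirmed to connect: a client that only offers one of the removed algorithms will fail key exchange with the server after this change, and the backup is the quickest way back.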

Available Authentication Modes

The enabled authentication options for a user control the different ways the server will be able to authorize that user. SFTP Server supports the following authentication mechanisms: Username/Password, Public Key Authentication, Multi-factor Authentication, and GSSAPI Authentication (NTLM/Kerberos).

Password Authentication

Clients connecting to the server need to provide a username and password combination. The credentials are then verified according to the type of user.

If the client is connecting with a username of a local Windows account, the server will verify the credentials using Windows Authentication mechanisms to make sure they match a valid local account on the server or on a domain trusted by it. In addition, the server will verify the user is a member of an enabled group in the Users List before allowing access.

If the client is connecting with a username of a virtual user, the server will decrypt the user's password in the registry and compare the provided password against it.

Public Key Authentication

If Public Key Authentication is enabled, connections to the server can also authenticate using the standard public key authentication mechanism of the SSH protocol instead of presenting a password. The client proves possession of its private key by signing session data, and the server verifies that signature against the user's authorized public keys.

Multi-factor Authentication

If Multi-factor authentication is enabled, connections to the server must authenticate using a multi-method sequence that combines Password authentication and Public Key authentication.

After the first method succeeds, the server returns a partial-success response (as defined in RFC 4252) rather than granting access, and the user is only authorized once the second method has also completed successfully.

GSSAPI Authentication (NTLM/Kerberos)

NTLM or Kerberos authentication can be enabled through the server user interface by enabling GSSAPI Authentication.

Note: When using Kerberos as an authentication mechanism, it is recommended that SFTP Server be run as a service. When running under a user account instead of as a service, the default SPN (Service Principal Name) format host/machine@domain may result in errors.

In that case, a new SPN (for instance ssh/machine) should be registered with the domain controller on the account the server runs as, and the KerberosSPN registry setting for SFTP Server must be set to match. Any connecting SFTP client will also need to be configured to use the newly defined SPN.
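As an added example (not from the product documentation), the procedure just described as it would be typed into an elevated PowerShell prompt on a domain-joined host. The account CORP\svc-sftp, the host name and the SPN ssh/sftp01.corp.example.com are placeholders assumed by the example; setspn.exe is the standard Windows tool for SPN registration.

```powershell
# Added example, not product code. Placeholders: adjust account, host and realm.
$ServiceAccount = 'CORP\svc-sftp'                 # account the listener runs as
$Spn            = 'ssh/sftp01.corp.example.com'   # custom SPN, as the note suggests
$KeyPath        = 'HKLM:\SOFTWARE\nsoftware\SFTPServer\22'

# -S registers the SPN only if no other account already holds it; a duplicate
# SPN is the usual reason Kerberos silently fails for a service.
setspn.exe -S $Spn $ServiceAccount
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# Tell SFTP Server which SPN it is authenticating under (KerberosSPN, see Registry Keys).
Set-ItemProperty -Path $KeyPath -Name 'KerberosSPN' -Value $Spn -Type String

# Confirm the SPN is listed on the account the listener runs as.
setspn.exe -L $ServiceAccount
```

The client side must reference the same SPN (for example, an OpenSSH client uses its GSSAPI host name settings for this); until it does, the client will request a ticket for host/machine and the server will be unable to decrypt it.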

Automatic Blocking

If a client fails authentication a specified number of times, the server will automatically block that client's IP address for a period of time before allowing it to attempt to connect again (see the AutoBlockMaxAuthAttempts and AutoBlockDuration registry keys).

Server Configuration

The tabs in the SFTP Server UI allow basic configuration of the server.

Please be aware that configuration changes will not take effect until the Save Changes button is clicked in the SFTP Server toolbar, which will save the settings to the Windows registry.

Service

The Service tab controls whether or not the server is run as a Windows service and also provides status output. Below are the available options for this tab:

  • Run as a Windows Service: If checked, the server will run as a Windows Service.
  • Status: This will show information about connecting clients. To configure the verbosity of the logs set the Log Mode on the Other tab.

Sessions

The Sessions tab provides a way to manage current connections. Session management allows viewing of connected users and the ability to disconnect them if needed. Check the box Enable Session Management to get started.

The Sessions tab also contains a list of currently connected clients. This list consists of the connected client's IP Address, logged in Username, and the amount of time they have been connected. Select a user from the list and click Disconnect to remove the session.

Admin Service Notes

When running the server as a Windows service with session management enabled, a special SSH administration service is hosted on port 8122 (default). This is the channel through which the user application (the UI running in the system tray) communicates with the SSH process accepting connections. Its port and credentials are the AdminServicePort, AdminServiceUser and AdminServicePassword registry values. The use of this service is transparent to you as the user; no special steps are needed, it is handled by the application.

Server Settings

The Server Settings tab provides general SFTP server settings, as well as a way to select and generate the server certificate.

Here an X.509 certificate can be selected to provide the identity of the server and support SSH connections. Certificates stored in the Windows User/Machine certificate stores as well as certificates stored in .PFX, .PEM, or .PPK files can be used.

By default a test certificate is already configured. Before moving to production it is strongly recommended that the default test certificate is changed.

Authentication

All authentication options are controlled in the Users tab. This tab manages the users and groups which can authenticate to the server. SFTP Server allows two types of users to authenticate:

  • Virtual Users: A user defined in the application.
  • Windows Users: All members of a specified security group on the local machine or domain.

The Users List contains the users and groups the server knows about. The authorization status and authentication options for the users and groups can be managed using the buttons on the right panel.

New users and groups can be added from this page by clicking the New User... or New Group... buttons.

To prevent a user or group from authenticating, select the entry in the users list and click the Disable button or right-click the entry in the users list and click Disable in the context menu.

Virtual Users

Double click an entry on the users list or select an entry and click Edit... to bring up the Edit page with corresponding authentication options.

Supported Authentication Methods

  • Password
  • Public Key
  • Allow Any (Password or Public Key)
  • Multi-factor (Password + Public Key)
  • Windows

Below are the available options for this page:

  • User: Contains the user name for the client.
  • Display Name: Contains the name shown on the Users tab.
  • Access: Controls the limitations on the user capabilities, such as viewing only.
  • Password: Contains the password used to authorize the user when connecting via password authentication. If left empty, Password authentication will be disabled for the user.
  • Public Key: Contains a list of authorized public keys for this user. During public key authentication, the server will validate the signature presented by the client against the keys stored in this field. If left empty, Public Key authentication will be disabled for the user.

    The keys should be in SSH public key format according to RFC 4253. For example:

    ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Windows Users

Double click an entry on the users list or select an entry and click Edit... to bring up the Edit page with corresponding authentication options.

Below are the available options for this page:

  • Security Group: This is the name of a Windows group used for authorizing access to the server. Only users who are members of this group will be allowed access. This can be a group in the local machine or a group on the domain.
  • Enable Password Authentication: This specifies whether or not Password authentication is allowed. This is enabled by default.

    Note that when using Password Authentication, the recommended format for user authentication is "DOMAIN\Username".

  • Enable GSSAPI Authentication: This allows GSSAPI authentication for connecting clients. This is enabled by default in licensed versions.
    • Supported Mechanisms: Specifies the authentication mechanism used. Possible values are All, Kerberos, NTLM. The default value is NTLM.
    Note that when using Kerberos as an authentication mechanism, it is recommended that SFTP Server be run as a service. When not running as a service and instead running under a user account, the default SPN (Service Principal Name) format of host/machine@domain used may result in errors. In that case, a new SPN should be registered (for instance ssh/machine) with the domain controller, and the KerberosSPN registry setting for SFTP Server must be set. Additionally any connecting SSH client will need to be configured to use the newly defined SPN.
  • Windows Store Based Public Key Authentication: Controls whether Windows-based public key authentication is turned on. When selected, the server will look in the specified certificate store for a certificate whose public key matches the key the client authenticates with (the client proves possession of the corresponding private key with a signature). If one is found, the connection will be allowed; otherwise it will be denied.

    • Store Type: Tells the server to look for client certificates in the Machine or User stores.
    • Store Name: Tells the server to look for client certificates under the selected store.

    Note: The server has no way to match the public keys stored in the certificate store with actual Windows local/domain users. Make sure that the selected certificate store does not contain certificates for people that should not be allowed access to the server.

Other

Other Settings

  • Write Log to a File: If checked, the server will write all trace information to the file specified in the File box.
  • Log Mode: Specifies how much information to log to the status window about the server execution.
  • Rotate Log File Every X Days: If enabled, the log file will be rotated after the specified number of days. When a log is rotated the old log will be renamed to the format "logname-yyyy-MM-dd".
  • Delete Log Files Older Than X Days: If enabled, log files older than the specified number of days will be deleted. This is only applicable to log files archived when "Rotate log file every X days" is enabled.
  • Use IPv6: Controls whether IPv4 or IPv6 is used when listening. Connecting clients will need to connect using the appropriate IP version.
  • Wire Encoding: Controls the encoding used by the server on the wire for text sent and received by the server. By default, the server will use ISO-8859-1 (Latin-1) encoding.

Encryption

Encryption Settings

The Encryption tab provides an optional way to encrypt files at rest. When the Enable Encryption at Rest checkbox is checked, the files on the server will remain encrypted on disk and will be transparently encrypted and decrypted as necessary. Users who authenticate to SFTP Server and download a file will obtain decrypted data but all file data will remain encrypted on the server.

Enabling Encryption

To enable encryption at rest, specify and confirm the encryption password. The password itself is encrypted by the system and saved in the registry (see Registry Keys for details).

The first time encryption is enabled and Save Changes is pressed, all files present in the server root directory, a user-specific root directory, or a sub-directory therein will be encrypted. Depending on the number and size of files this may take some time.

After the initial encryption completes, it is expected that files will only be added to the server's filesystem using the SFTP protocol. Plain files created directly on disk alongside encrypted files will not automatically be encrypted and will not be available to users.

Changing The Password

To change the password, visit the Encryption tab and use the Change ... button to change the password. When Save Changes is pressed, the operation will begin. This operation is faster than encrypting or decrypting files, but still may take some time depending on the number of files present.

Disabling Encryption

To disable encryption at rest, uncheck the Enable Encryption At Rest checkbox on the Encryption tab. When Save Changes is pressed the encrypted files will be decrypted. Depending on the number and size of files this may take some time.

Encryption Format Notes

Files are encrypted using standard disk encryption techniques: XTS-AES with a 256-bit key. The encrypted files on disk will have an .aesd file extension. This file format is the same as used by AES Drive; please see the AES Drive documentation for details. Note that XTS, like other disk-encryption modes, protects the confidentiality of data read from disk but does not by itself detect tampering with the ciphertext.

Registry Keys

Configuration options for SFTP Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\SFTPServer\22. This registry key holds settings that are available for SFTP Server globally. Additional registry keys are available to store authorized keys or user-specific configuration.

The tree structure of these registry keys is described below:

The following values can be configured within the root HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\SFTPServer\22 registry key:

Name (Type): Description
AdminServiceEnabled (DWORD): Whether the administrative service for management is enabled. The default value is 0 (false).
AdminServicePort (DWORD): Port to be used for the administrative service connection. The default value is 8122.
AdminServiceUser (String): Username for the administrative service connection. The default value is randomly generated during setup.
AdminServicePassword (String): Password for the administrative service connection. The default value is randomly generated during setup.
AllowedClients (String): This setting defines a comma-separated list of host names or IPv4 addresses that may access the server. When a client connects, the client's address is checked against the list defined here. If there is no match, the client will be disconnected.

The wildcard character "*" is supported. The default value is "*" and all connections are accepted.
AuthMaxAttempts (DWORD): Specifies the maximum number of authentication retries allowed per connection from a client with invalid login credentials. By default, this value is set to 3.
AutoBlockDuration (DWORD): Specifies how long, in seconds, a client is blocked once it has reached AutoBlockMaxAuthAttempts. The default value is 300 seconds.
AutoBlockMaxAuthAttempts (DWORD): Specifies the maximum number of failed authentication attempts allowed from a client IP address, counted across connections, before it is blocked. Once this number is reached, the client's IP address is added to the list of blocked clients for AutoBlockDuration. If this value is set, AutoBlockDuration must be set to a value greater than zero. The default value is 3.
BlockedClients (String): A comma-separated list of IP addresses that are not allowed to connect. Note that this list will not survive a server restart.
DataEncryptionPassword (String): The DPAPI-encrypted data encryption password (base64 encoded).
DataEncryptionSalt (String): The hex-encoded 16-byte data encryption salt. This value is created automatically and should not be modified.
DeleteLogDays (DWORD): The number of days after which old log files will be deleted. This is only applicable when RotateLogDays is set to a positive value.
EnableCompression (DWORD): Can be used to enable use of the zlib compression algorithm on SSH connections.

  • 0 - Off: No compression will be used (Default).
  • 1 - On: Zlib compression will be enabled, if requested by the SSH client.

EnableSessionManagement (DWORD): Can be used to enable session management.

  • 0 - Off
  • 1 - On (default)

FirewallType (DWORD): The type of firewall for the SSH Tunnel to connect through. Applicable values include the following:

  • 0 - No firewall (default setting)
  • 1 - Connect through a tunneling proxy.
  • 2 - Connect through a SOCKS4 proxy.
  • 3 - Connect through a SOCKS5 proxy.

FirewallHost (String): The name or IP address of the firewall that the SSH Tunnel will connect through.
FirewallPort (DWORD): The TCP port for the FirewallHost.
FirewallUser (String): A user name if authentication is to be used when connecting through a firewall.
FirewallPassword (String): Password to be used if authentication is to be used when connecting through a firewall.
IdleSessionTimeout (DWORD): The number of minutes after which an idle connection should be terminated. By default, idle sessions will be disconnected after 20 minutes.
InBufferSize (DWORD): The size in bytes of the incoming queue of the socket. This is the size of an internal queue in the TCP/IP stack. You can increase or decrease its size depending on the amount of data that you will be receiving. Increasing the value of the InBufferSize setting can provide significant improvements in performance in some cases. The default size is 0x10000 (65536).

Some TCP/IP implementations do not support variable buffer sizes. If that is the case, the InBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.

InBufferSize is shared among incoming connections. When this value is set, the corresponding value is set for incoming connections as they are accepted. Existing connections are not modified.

KerberosSPN (String): The Service Principal Name under which the server authenticates Kerberos clients, as registered with the domain controller. If the Service Principal Name cannot be automatically determined, it should be set here. This will usually be in the form "host/fqdn.of.sshhost[@REALM]" where REALM is the fully qualified (DNS) name of the Kerberos realm (or Windows Active Directory domain name).
LocalHost (String): The local IP address of the interface to which the server will bind. By default the server will listen on the default interface for the system.
LogSSHPackets (DWORD): Specifies whether or not raw SSH packets are included in the log.

  • 0 - Off (default)
  • 1 - On

LogToFile (String): The full path to the log file.
MatchSSHPublicKeyToUsername (DWORD): Windows users only. Controls whether public keys in the file specified by the SSHPublicKeyFileName setting are tied to a specific user name. Possible values are:

  • 0 - Off: Public keys are not tied to a specific username (Default).
  • 1 - On: Public keys are tied to a specific username.

This setting can be used to validate that the correct public key was used to grant access to a particular user. If this setting is enabled the server will check the comment of the public key to verify it matches the username provided during authentication. This check is not case sensitive.

To specify a username to be associated with a specific key, include the username in place of the comments in the public key. For instance:

Unmodified public key: ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Public key modified to be associated with a specific username: ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= DOMAIN\Username

MaxConnections (DWORD): Specifies the maximum number of connections that are allowed. By default the number of allowed connections is determined by the license that is installed. This setting may be specified to further restrict the number of connections. The server will restrict the number of connections to whichever is the lesser value between this setting and the number of allowed connections for the license.
MaxNumRowsInLog (DWORD): Controls how many lines will be shown in the Status window in the Service tab of the SFTP Server User Interface. If this value is exceeded, the oldest lines will be removed as new lines are added. The default value is 1000.
OutBufferSize (DWORD): The size in bytes of the outgoing queue of the socket. This is the size of an internal queue in the TCP/IP stack. You can increase or decrease its size depending on the amount of data that you will be sending. Increasing the value of the OutBufferSize setting can provide significant improvements in performance in some cases. The default size is 0x10000 (65536).

Some TCP/IP implementations do not support variable buffer sizes. If that is the case, the OutBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.

OutBufferSize is shared among incoming connections. When this value is set, the corresponding value is set for incoming connections as they are accepted. Existing connections are not modified.

PreserveFileTime (DWORD): Determines if filetime preservation is supported. If a client requests filetime preservation (typically by setting a "-p" parameter) this setting controls whether or not it is respected.

  • 0 - Off: Filetime preservation options are ignored.
  • 1 - On: Filetime preservation is supported (Default).

PromptForRegPermissions (DWORD): When the server is running under an account that does not have write permissions to the registry location where these settings are stored, the user will be prompted to change the permissions. If this value is set to 0 the user will not be prompted again. Possible values are:

  • 0 - Off: The user will not be prompted to modify registry permissions.
  • 1 - On: The user is prompted to modify registry permissions when needed (Default).

PSTraceLevel (DWORD): Controls the trace level of the logging from the application. Possible values are:

  • 0 - Off: Nothing is logged.
  • 1 - Error: Only errors are logged.
  • 2 - Warning: Errors and warnings are logged.
  • 3 - Info: Errors, warnings and informational messages are logged (default value).
  • 4 - Verbose: All messages, including those useful for debugging and troubleshooting are logged.

RotateLogDays (DWORD): The number of days after which the log file will be rotated. Old log files will be renamed to the format "logname-yyyy-MM-dd". When set to a positive value DeleteLogDays is applicable.
RunAsAService (DWORD): Indicates if the server needs to be executed as a Windows service (1) or in-process inside the SFTP User Interface (0).
SFTPHomeDirMap (String): Windows users only. A map defining user-specific SFTP home directories. This setting allows for a user to be assigned a specific default directory. The value should be a semicolon-separated list of username and home directory pairs in the format: DOMAIN\user1=C:\user1;DOMAIN\user2=C:\user2 The user value must include the domain or machine name as appropriate (DOMAIN\user1 or MACHINE\user1). If the directory specified does not exist the user will be placed into the default SFTPRootDir.

Note: If mappings are present in this setting and a user without a mapping tries to authenticate to the server, access will be denied.

SFTPRootDir (String): The absolute path of the root directory for SFTP users. By default the "windir" environment variable will be used to determine the root directory (typically "C:\"). Set this value explicitly before exposing the server; the default root is the system drive.

The special value "$user" may be included in the path which will be resolved to the username of the authenticated user (without Domain or Machine information). When "$user" is included in the path if the directory does not exist it will be automatically created.

ShowHiddenFiles (DWORD): Whether hidden files and folders are displayed during directory listings. The default is false.
SSHCertSubject (String): Subject of the SSH certificate used by the server. Example: "CN=NEWTON".
SSHStoreType (DWORD): Indicates where to find the SSH certificate. Can be one of the following values:

  • 0 - User store
  • 1 - Machine Store
  • 2 - PFX File
  • 4 - PEM File

SSHStore (String): If SSHStoreType is either 0 or 1, the SSHStore value defines the specific store where the certificate can be found. Possible values include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.
SSHStorePassword (String): The password for the specified certificate store or certificate file.
SSHEncryptionAlgorithms (String): Specifies a name-list of the allowed SSH encryption algorithms. This list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred. To disable an encryption algorithm, remove it from this list. Note: The algorithm which is actually selected during key exchange is the first algorithm to appear in the client's list that the server supports, so the server's ordering does not override a client that prefers a weaker cipher; only removal disables one. The default list still includes arcfour (RC4, prohibited for SSH by RFC 8758) and 3des-ctr; remove them unless a legacy client requires them.

Valid values are:

  • aes256-ctr: 256-bit AES encryption in CTR mode
  • aes256-cbc: 256-bit AES encryption in CBC mode
  • aes192-ctr: 192-bit AES encryption in CTR mode
  • aes192-cbc: 192-bit AES encryption in CBC mode
  • aes128-ctr: 128-bit AES encryption in CTR mode
  • aes128-cbc: 128-bit AES encryption in CBC mode
  • 3des-ctr: 192-bit (3-key) triple DES encryption in CTR mode
  • 3des-cbc: 192-bit (3-key) triple DES encryption in CBC mode
  • cast128-cbc: CAST-128 encryption
  • blowfish-cbc: Blowfish encryption
  • arcfour: ARC4 encryption
  • arcfour128: 128-bit ARC4 encryption
  • arcfour256: 256-bit ARC4 encryption
  • aes256-gcm@openssh.com: 256-bit AES encryption in GCM mode
  • aes128-gcm@openssh.com: 128-bit AES encryption in GCM mode
  • chacha20-poly1305@openssh.com: ChaCha20 stream cipher with Poly1305 authentication (OpenSSH variant)

The default is:

aes256-ctr, aes192-ctr, aes128-ctr, 3des-ctr, arcfour256, arcfour128, arcfour, aes256-gcm@openssh.com, aes128-gcm@openssh.com, chacha20-poly1305@openssh.com
SSHKeyExchangeAlgorithms (String): Specifies the Key Exchange algorithms presented during the SSH handshake. Algorithms not on this list will be disabled on the server. The list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred. The default list still includes diffie-hellman-group1-sha1 (a 1024-bit group) and the other SHA-1 based exchanges; remove them unless a legacy client requires them.

Valid values are:

  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
  • gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==
  • gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==
  • gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==
  • gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
  • gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
The default is:

curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSHKeyRenegotiationThreshold (DWORD): This property allows the threshold to be specified, in the number of bytes, for the SSH Key Renegotiation. The default value for this property is set to 1 GB (1073741824).

For example, to set the threshold to 500mb use the value 524288000.

SSHMacAlgorithms (String): Specifies the SSH MAC algorithms presented during the SSH handshake. Algorithms not on this list will be disabled on the server. The list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred. The default list still includes hmac-md5 and the truncated -96 variants; remove them unless a legacy client requires them.

Valid values are:

  • hmac-sha1
  • hmac-md5
  • hmac-sha1-96
  • hmac-md5-96
  • hmac-sha2-256
  • hmac-sha2-256-96
  • hmac-sha2-512
  • hmac-sha2-512-96
  • hmac-ripemd160
  • hmac-ripemd160-96
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • umac-64@openssh.com
  • umac-64-etm@openssh.com
  • umac-128@openssh.com
  • umac-128-etm@openssh.com
The default is:

hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
SSHPort (DWORD): The TCP port the server will listen on for connections.
SSHPublicKeyEnabled (DWORD): Windows users only. Controls if file based public key authentication is enabled or not. When enabled, the server will grant access to users based on the public keys in the file specified by the SSHPublicKeyFileName setting.

  • 0 - Off: File based public key authentication is disabled. (default)
  • 1 - On: File based public key authentication will be allowed.

SSHPublicKeyFileName (String): Windows users only. Specifies the location on disk of the file containing authorized public keys. The server will grant access to users that authenticate with a private key associated with one of the public keys in this file.

The authorized keys file should contain a list of public keys in SSH public key format separated by newlines. Empty lines and lines starting with a # are ignored as comments. Additionally, you can control the IP addresses from which the key may be used by using the "from" keyword in the authorized keys file.

Example:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAqs5hvGvJ3CM2Ink93x...tW3yw== rsa-key-20191008
ssh-rsa AAAAB3NzaC1kc3MAAAEBAK5qBqJnjNH7KH0bJR61vc+JuX...wOE8A== rsa-key-20200515

Only accept connections using the specified public key from 192.168.1.12:

from="192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP address range 192.168.1.30 - 192.168.1.39:

from="192.168.1.3?" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP address range 192.168.1.100 - 192.168.1.199:

from="192.168.1.1??" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP address range 192.168.0.12 - 192.168.255.12 (must end in .12):

from="192.168.*.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP address range 192.168.1.0 - 192.168.1.255 EXCEPT 192.168.1.12:

from="192.168.1.*,!192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

As demonstrated above, the special characters "?", "!", and "*" may be used to specify an IP address pattern that is to be matched.

The value data in this registry setting may contain the %USERNAME% macro, which the server will substitute with the name of the user when they attempt to authenticate. This allows you to load an authorized keys file stored separately for each user.

Only IPv4 addresses are currently supported. Hostname matching and IPv6 address matching are currently not supported.

SSHUseStrictKeyExchange (DWORD): This setting controls whether strict key exchange (strict kex) is enabled to mitigate the Terrapin attack. When enabled, the application will indicate support for strict key exchange by automatically including the pseudo-algorithm kex-strict-c-v00@openssh.com for client applications and kex-strict-s-v00@openssh.com for server applications in the list of supported key exchange algorithms.

Since both client and server must implement strict key exchange to effectively mitigate the Terrapin attack, the application provides options to further control the behavior in different scenarios. Possible values for this setting are:

  • 0 - Disabled. Strict key exchange is not supported in the application.
  • 1 - Enabled, but not enforced (default). This setting enables strict key exchange, but if the remote host does not support strict key exchange the connection is still allowed to continue.
  • 2 - Enabled, but reject affected algorithms if the remote host does not support strict key exchange. If the remote host supports strict key exchange all algorithms may be used. If the remote host does not support strict key exchange the connection will only continue if the selected encryption and MAC algorithms are not affected by the Terrapin attack.
  • 3 - Required. If the remote host does not support strict key exchange the connection will fail.
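The four mode values above as a decision function, written as an added illustration (not the product's own code); the constant names, function names and the classification of which cipher/MAC combinations Terrapin affects (ChaCha20-Poly1305, and CBC ciphers paired with an encrypt-then-MAC MAC) are this example's assumptions, not taken from the page:

```python
# Assumed names for this illustration; the product exposes only the registry value.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def terrapin_affected(cipher, mac):
    """Cipher/MAC pairs the Terrapin attack applies to: ChaCha20-Poly1305, and any
    CBC cipher combined with an encrypt-then-MAC ("-etm") MAC. Others are unaffected."""
    return cipher == "chacha20-poly1305@openssh.com" or (
        cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"))


def server_kex_list(mode, base_kex):
    """KEX algorithms the server advertises: modes 1-3 append the server pseudo-algorithm,
    mode 0 advertises the base list unchanged."""
    return list(base_kex) if mode == 0 else list(base_kex) + [STRICT_KEX_SERVER]


def connection_allowed(mode, client_kex, cipher, mac):
    """Whether a negotiated session may continue, given the client's advertised KEX list
    and the selected cipher and MAC, for each SSHUseStrictKeyExchange value."""
    client_strict = STRICT_KEX_CLIENT in client_kex
    if mode in (0, 1):        # 0: disabled, 1: enabled but not enforced
        return True
    if mode == 2:             # without strict kex, only unaffected algorithms may continue
        return client_strict or not terrapin_affected(cipher, mac)
    if mode == 3:             # required: the client must support strict kex
        return client_strict
    raise ValueError(f"unknown SSHUseStrictKeyExchange value: {mode}")
```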

SvcLogFile (String): If present, the trace information generated by the server will be written to the specified file.

SyslogDaemonHost (String): When running as a Windows service the SSH process will send log messages to the UI process. These are the messages which are logged in the Service tab. By default this communication happens on the loopback adapter of the system. To send these log messages to a different host instead of the UI process, set this to the hostname or IP address of the destination to which the Syslog messages will be sent. Syslog facility 23 is used to identify messages from SFTP Server and filter out any other syslog traffic.

SyslogDaemonPort (DWORD): When running as a Windows service the SSH process will send log messages to the UI process. These are the messages which are logged in the Service tab. By default this communication happens on the loopback adapter of the system on port 514. If this port is in use or another port is desired, set it here. This specifies both the port on which the UI process listens for incoming log messages and the port from which the SSH process sends them.

UseFIPSCompliantAPI (DWORD): Determines whether only FIPS compliant algorithms and API calls are used during SSH or SSL sessions. This is false by default. Possible values:

  • 0 - Off: Non-FIPS compliant algorithms are allowed (default).
  • 1 - On: Only FIPS compliant algorithms are allowed, and cryptographic calls are made only to FIPS compliant APIs.

UseIPv6 (DWORD): Controls whether IPv4 or IPv6 is used when listening. Connecting clients will need to connect using the appropriate IP version. Possible values are:

  • 0 - Off: IPv4 is used (default).
  • 1 - On: IPv6 is used.

UserAuthBanner (String): Sets the User Authentication Banner, which is displayed to the client before they provide authentication, for example before a password prompt. This can also be set in the interface using the "Login Banner" field.

WireEncoding (String): Controls the encoding used by the server on the wire for text sent and received by the server. By default, the server will use ISO-8859-1 (Latin-1) encoding.

Authorized Keys

SFTP Server may be configured to authorize users against known public keys. When a client performs public key authentication, it presents a signature created with the private key. The server will try to verify the signature is valid using each of the known public keys until it finds a match.

To add an approved public key, you may either specify it directly in the New User... form or add it to the registry. Possession of a private key which corresponds to an allowed public key serves as authentication.

Known public keys can be added to the Windows Registry at the following location. If the key does not exist go ahead and create it.

HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\SFTPServer\22\AuthorizedKeys

Create a new String value and set the value data to the public key in SSH public key format as specified by RFC 4253 (also known as OpenSSH public key format). Briefly, an OpenSSH public key consists of three parts all on a single line:

  • The key type
  • A chunk of PEM-encoded data
  • A comment

Example:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQ...w== rsa-key-20191008

The name of the String value is not used, but it is recommended to set this to the name of the user that the public key corresponds to for organizational purposes.
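A parser for the three-part key line described here and for the authorized keys file format used by SSHPublicKeyFileName (comment lines, blank lines and the from= patterns with "?", "*" and "!"), written as an added example that is not the product's own code. It assumes "?" matches one digit and "*" any run of characters, that a negated pattern rejects while at least one positive pattern must match, and it additionally checks that the decoded RFC 4253 blob begins with the same key type as the first field; the key material in the sample file is constructed, not a real key.

```python
import base64, re, struct


def _pattern_to_regex(pattern):
    # Assumption: "?" matches one digit, "*" any run of characters, "." is literal.
    return re.compile("".join(r"[0-9]" if c == "?" else ".*" if c == "*" else re.escape(c)
                              for c in pattern))


def source_allowed(key, client_ip):
    """Apply the from= list: a negated ("!") match rejects; otherwise one positive match is required."""
    if not key["from"]:
        return True
    allowed = False
    for pat in key["from"]:
        if _pattern_to_regex(pat.lstrip("!")).fullmatch(client_ip):
            if pat.startswith("!"):
                return False
            allowed = True
    return allowed


def parse_authorized_keys(text):
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are ignored
            continue
        patterns = []
        if line.startswith('from="'):
            end = line.index('"', 6)
            patterns = [p.strip() for p in line[6:end].split(",") if p.strip()]
            line = line[end + 1:].strip()
        fields = line.split(None, 2)              # key type, base64 blob, optional comment
        if len(fields) < 2:
            raise ValueError(f"malformed line: {raw!r}")
        blob = base64.b64decode(fields[1], validate=True)
        # An RFC 4253 key blob starts with its own type string; it must agree with the first field.
        if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[0].encode():
            raise ValueError(f"key type mismatch: {raw!r}")
        keys.append({"type": fields[0], "blob": blob,
                     "comment": fields[2] if len(fields) > 2 else "", "from": patterns})
    return keys


def _fake_blob(key_type):
    # Constructed stand-in for real key material: correct leading type string, dummy payload.
    body = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00\x00\x00\x03\x01\x00\x01"
    return base64.b64encode(body).decode()


SAMPLE = f"""# constructed sample file, not real keys
ssh-rsa {_fake_blob('ssh-rsa')} rsa-key-20191008
from="192.168.1.3?" ssh-rsa {_fake_blob('ssh-rsa')} rsa-key-20110822
from="192.168.1.*,!192.168.1.12" ssh-ed25519 {_fake_blob('ssh-ed25519')} laptop
"""
```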

Users

The following values can be configured independently for each user, at HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\SFTPServer\22\Users:

Name (Type): Description

AuthenticationType (DWORD): Specifies the type of authentication required to connect to the server.

  • 0 - Password
  • 1 - Public Key
  • 2 - Allow Any (Password or Public Key)
  • 3 - Multi-factor (Password + Public Key)
  • 4 - Windows

DisplayName (String): Contains a readable name for the client shown on the Users tab.

UserName (String): Contains the client name.

Password (String): Contains the password for the client.

RootDirectory (String): Specifies the default directory of the client after starting a channel. In addition, it tells the server to override the global root directory for this user. As a result, the client is jailed to this location, because the client perceives its working directory as the root of the entire server.

Note: If UseDefaultDirectory is enabled, the value stored in this setting is ignored.

ReadOnly (DWORD): Specifies that this user may only read files and directories. Any attempt to create, update or delete files or folders will be denied.

  • 0 - Disabled
  • 1 - Read-only access

StoreName (String): Windows users only. Tells the server to look for client certificates in the specified store.

StoreType (DWORD): Windows users only. Tells the server to look for client certificates in the Machine or User stores.

  • 0 - User (Default)
  • 1 - Machine

Mechanisms (DWORD): Windows users only. Specifies the authentication mechanism to be used.

  • "All"
  • "Kerberos"
  • "NTLM" (Default)

LogonType (String): Windows users only. Controls the type of logon performed by the application when attempting to authenticate users. Network logon is more secure, but access to remote network resources is prohibited. Interactive logon allows access to remote network resources.

  • "Network Logon" (Default)
  • "Interactive Logon"

UseDefaultDirectory (DWORD): Controls the default directory behavior for the client. When enabled, the server will use the default location for this user. The default location is the root of the server, which can be specified on the Server Settings page.

  • 0 - The location is specified by the RootDirectory setting instead.
  • 1 - Use the default location (Default)

Enabled (DWORD): Whether the server will authorize the user or not. When enabled, the server will authorize the user.

  • 0 - Refuse authorization
  • 1 - Allow authorization (Default)

EnableGSSAPI (DWORD): Windows users only. Whether the server will allow the GSSAPI authentication mode for the user.

  • 0 - Disabled (Default)
  • 1 - Enabled

EnablePublicKey (DWORD): Windows users only. Whether the server will allow Windows store based public key authentication for the user. When enabled, the StoreName and StoreType configuration settings will contain the location where the server will look for client certificates.

  • 0 - Disabled (Default)
  • 1 - Enabled

EnablePassword (DWORD): Windows users only. Whether the server will allow password authentication via Windows Authentication mechanisms.

  • 0 - Disabled (Default)
  • 1 - Enabled