Server configuration
Server configuration is done in config.yaml
file. The file uses YAML format.
bindings
Port and IP address bindings. By default the server will bind to any IP address, listen on port 22 and will serve both SFTP and SCP protocols. You can specify multiple bindings. You can also use hostname instead of IP address - the address(es) will be resolved for you.
bindings:
- { port: 22, ipAddress: 0.0.0.0, sftp: true, scp: true }
- { port: 22, ipAddress: test.rebex.net, sftp: true, scp: true }
ipFilter
IP filtering rules. Allow list has priority over deny list. By default all IP addresses are allowed. To block all incoming requests (except for those in ‘allow’) add 0.0.0.0/0
(all IPv4) and ::/0
(all IPv6) to deny section.
Please note that IPv6 addresses must be enclosed in double quotes as required by YAML format.
ipFilter:
deny:
# single IP address
- 192.168.66.12
# CIDR notation
- 192.168.66.12/24
allow:
# Address range
- 192.168.66.0-192.168.66.10
# IPv6
- "2001:db8::/48" # quotes required
keys
Path(s) to private keys to be used by the server. If no keys are specified then keys will be searched for in the following locations:
<config root>/keys
(see configuration files for more details)<application root>/keys
Relative file paths use application installation directory as root. Password-protected keys are not supported.
keys:
# Directory where keys are stored
- keys/
# Private key file
- /home/my_private_key
logging
No logs will be saved unless you specify log location. Logs are aggregated daily and will be kept forever unless you specify otherwise. Make sure that the user the server service uses has write access to the locations specified.
logging:
# Access log (user activity over SSH)
access:
# Directory where logs will be kept
location: D:\buru\logs\access
# keep files forever
maxFileCount: 0
# Server log (for debugging purposes)
server:
location: D:\buru\logs\server
# Minimal log level to write. Set to warning by default.
# Supported values are: verbose, debug, information, warning, error and fatal.
minLevel: warning
# keep at most 31 files (~1 month)
maxFileCount: 31
Experienced users can enable custom logging using useCustomConfig
option. You can find more details on dedicated documentation page.
When custom configuration is enabled then any access
or server
settings (described above) are ignored.
logging:
useCustomConfig: true
security.accountLockoutPolicy
Specifies conditions for account lockout
threshold
- number of unsuccessful login attempts after which account will be locked out. Set to 0 to disable. Default: 10lockoutDurationSeconds
- time period in seconds a locked-out account remains locked out before automatically becoming unlocked. Default: 900 (15 minutes)resetCounterPeriodSeconds
- time period in seconds following last unsuccessful login after which the lockout counter will be set back to zero. Must be same or greater thanlockoutDurationSeconds
. If no value is specified thenlockoutDurationSeconds
value is used.
security:
accountLockoutPolicy:
# Lockout account after 10 failed logins for 15 minutes, reset counter after 30 minutes
threshold: 10
lockoutDurationSeconds: 900
resetCounterPeriodSeconds: 1800
ssh
SSH Configuration. We recommend to use only __MODERN
suites if possible; for maximum compatibility without compromising too much on security use __INTERMEDIATE
.
See SSH algorithms for more details.
-
encryptionAlgorithms
- encryption algorithms. Default value:['__MODERN']
. Currently supported algorithms are, along with their macros:__MODERN
(secure suites):aes256-gcm@openssh.com
,aes128-gcm@openssh.com
,aes256-ctr
,aes192-ctr
,aes128-ctr
,chacha20-poly1305@openssh.com
,twofish256-ctr
,twofish192-ctr
,twofish128-ctr
__INTERMEDIATE
(best compatibility): all of the above, plus:aes256-cbc
,aes192-cbc
,aes128-cbc
,twofish256-cbc
,twofish192-cbc
,twofish128-cbc
,twofish-cbc
,3des-ctr
,3des-cbc
__ALL
(all suites, including insecure - NOT RECOMMENDED): all of the above, plus:arcfour256
,arcfour128
,arcfour
,blowfish-ctr
,blowfish-cbc
-
hostKeyAlgorithms
- host key algorithms. Default value:[
__MODERN]
. Currently supported algorithms are, along with their macros:__MODERN
(secure suites):ssh-ed25519
,ecdsa-sha2-nistp521
,ecdsa-sha2-nistp384
,ecdsa-sha2-nistp256
,rsa-sha2-512
,ssh-rsa-sha256@ssh.com
,rsa-sha2-256
__INTERMEDIATE
(best compatiblity): all of the above, plus:ssh-dss
,ssh-rsa
,x509v3-sign-rsa
,x509v3-sign-dss
__ALL
(all suites, including insecure - NOT RECOMMENDED): all of the above (currently plus nothing extra)
-
kexAlgorithms
- key exchange algorithms. Default value:['__MODERN']
. Currently supported algorithms are, along with their macros:__MODERN
(secure suites):curve25519-sha256
,curve25519-sha256@libssh.org
,ecdh-sha2-nistp521
,ecdh-sha2-nistp384
,ecdh-sha2-nistp256
,diffie-hellman-group16-sha512
,diffie-hellman-group15-sha512
,diffie-hellman-group-exchange-sha256
__INTERMEDIATE
(best compatibility): all of the above, plus:diffie-hellman-group14-sha256
,diffie-hellman-group14-sha1
,diffie-hellman-group-exchange-sha1
__ALL
(all suites, including insecure - NOT RECOMMENDED): all of the above, plus:diffie-hellman-group1-sha1
-
macAlgorithms
- MAC algorithms. Default value:['__MODERN']
. Currently supported algorithms are, along with their macros:__MODERN
(secure suites):hmac-sha2-512-etm@openssh.com
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-256
__INTERMEDIATE
(best compatiblity): all of the above, plus:hmac-sha1
,hmac-sha1-96
__ALL
(all suites, including insecure - NOT RECOMMENDED): all of the above, plus:hmac-md5
,hmac-md5-96
-
maxIdleDurationSeconds
- maximum session idle duration in seconds. When this duration expires, session is disconnected. Set the value to0
to disable. Default:86400
(1 day) -
maxSessionDurationSeconds
- maximum session duration in seconds. When this duration expires, a session renegotiation occurs. Set the value to0
disable. Default:86400
(1 day) -
maxSessionTransferredBytes
- maximum number of bytes transferred during a session. When this value is reached, a session renegotiation occurs. Set the value to0
to disable. Default:1073741824
(1 GB) -
shellHostName
- server name visible to the clients -
softwareVersion
- use custom software version in SSH protocol version exchange
ssh:
softwareVersion: MyServer_1.0.0
encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
hostKeyAlgorithms: ['__MODERN']
kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
macAlgorithms: ['__INTERMEDIATE']
maxIdleDurationSeconds: 86400
maxSessionDurationSeconds: 86400
maxSessionTransferredBytes: 1073741824
shellHostName: myserver
sshShell
SSH shell behavior configuration. Most of these settings can be overridden per user.
allowSystemAccount
- Allow system account to spawn terminal and other processes. Default:false
defaultShellType
-(none|terminal|legacy)
Type of shell. Default:none
none
: No shell (except for minimal shell when SCP is enabled) will be available.terminal
: Virtual terminal will be presented. Only available on Windows 10 version 1809 and newer, Windows Server 2019 and newerlegacy
: Minimal shell will be available, with SSH aliases support.
defaultShellPath
- Path to default shell executable. Only applicable forterminal
shell. Default:cmd.exe
defaultHomeDirectory
- Path to default home directory. Only applicable forterminal
shell. Default: Buru SFTP Server home directory.
sshShell:
allowSystemAccount: false
defaultShellType: terminal
defaultShellPath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
defaultHomeDirectory: C:\
sshTunneling
EXPERIMENTAL
This feature is experimentalDisabled by default, without any implicit bindings.
sshTunneling:
enabled: true
bindings:
- { port: 22, ipAddress: 0.0.0.0 }
users
User and password policies
passwordHashAlgorithm
- supported values are SHA256, SHA384 or SHA512 (default).passwordHashAutoUpdate
- auto-update hash on user login when hash is outdated (algorithm or salt size differ from settings). Enabled by default.passwordSaltSize
- size of salt in bytes. Allowed range is 8-256 bytes. Default value is 20.usernamePattern
- user name regular expression filter. Default:^[a-zA-Z0-9_\@\-\.]{1,128}$
(any alphanumeric characters and/or any of ‘_-@.’)
users:
passwordHashAlgorithm: SHA512
passwordHashAutoUpdate: true
passwordSaltSize: 20
usernamePattern: "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$"