SSH - Configuration
- Last Updated: July 29, 2025
- MOVEit Transfer
- Version 2022
- Documentation
Use the SSH and SSH Ciphers tabs of the MOVEit Transfer Configuration utility to configure the SSH server. Run the configuration program by choosing the Start menu shortcut MOVEit Transfer Config.

SSH Server Configuration Update Interval
MOVEit Transfer SSH server applies configuration changes immediately. The changes will take effect the next time a new connection is established.
Exception: If a change is made to the SSH port, the MOVEit Transfer SSH service must be restarted for this change to take effect.
SSH Tab
The MOVEit Transfer Config Utility SSH tab enables you to view and configure the SSH server running on the current MOVEit Transfer server host.
SSH tab (default SSH version shown)

SSH Configuration
Use the SSH Configuration panel to configure the SSH server used by MOVEit Transfer.
To export the MOVEit Transfer SSH public key, click the View button on the SSH tab of the MOVEit Transfer Config utility. The dialog will show you the key in two different formats. Select all the text in the window displaying the format you wish to export, press CTRL+C to copy the text, then save it into a text file of your choice.

Server Keys
The Server Keys window shows the MD5 hash of the internally generated RSA 2048-bit server key. You cannot edit or remove this default key.
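To check an exported key against the Server Keys window, the sketch below parses an OpenSSH-format public key line and reports its type, RSA modulus size and MD5 fingerprint. It is an added example, not MOVEit Transfer code; it assumes the window shows the conventional fingerprint (MD5 over the decoded key blob, colon-separated hex), and the sample key is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct


def read_string(buf, off):
    """Read one RFC 4251 string: uint32 length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_openssh_pubkey(line):
    """Return (key_type, rsa_bits_or_None, md5_fingerprint) for one public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner, off = read_string(blob, 0)
    if inner.decode("ascii", "replace") != fields[0]:
        raise ValueError("type prefix does not match the type inside the blob")
    bits = None
    if fields[0] == "ssh-rsa":
        _e, off = read_string(blob, off)   # public exponent
        n, off = read_string(blob, off)    # modulus as mpint (may carry a leading 0x00)
        bits = int.from_bytes(n, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()  # fingerprint covers the whole decoded blob
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return fields[0], bits, fingerprint


def constructed_rsa_line():
    """Constructed sample: a well-formed ssh-rsa blob whose modulus is NOT a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    modulus = (1 << 2047) | 1                    # 2048-bit placeholder value
    n = b"\x00" + modulus.to_bytes(256, "big")   # leading zero keeps the mpint positive
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    print(inspect_openssh_pubkey(constructed_rsa_line()))
```

Paste the text copied from the OpenSSH Format pane in place of the constructed line and compare the printed fingerprint with the value shown for that key.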

If your MOVEit Transfer configuration has multiple organizations, you may want to add a different server key for each organization. Doing so will make it easier to change only one organization’s server key without affecting other organizations.
To add a new Server Key:
- Click Add and then select the desired key type and size:

The DSS key type provides digital signatures but not key exchange or encryption. With DSS, signature generation is faster than signature verification.
The RSA key types provide digital signatures, key exchange, and encryption. With RSA, signature verification is faster than signature generation.
After you select a key type and size, the Add SSH Server Key window displays:
This window shows the key details, including:
- Fingerprint
- OpenSSH Format
- SSH2 Format
- Enter a Name for the key and click OK.
The new key is added to the Server Keys window.

To edit a key's name, select the key and click Edit.
To remove a key, select the key and click Remove.
To make a key the default SSH server key, select the key and click Default. The current default key will be renamed to "OldDefault-year-month-day_xxxxxx" and the key you have selected will be renamed "default".
- When you see the Confirm SSH key rename message, click OK.

Alternate Bindings
If your MOVEit Transfer system has multiple organizations and it allows duplicate usernames across organizations, you can direct users to the IP address of their specific organization during signon by adding an alternate binding. You can also assign a unique server key to an organization so that any changes you make to that server key will affect only that organization.
Alternate Bindings lets you associate a Server IP, Server Key, and Organization.
To add an alternate binding:
- Under Alternate Bindings, click Add.
The Add SSH Alternative Binding dialog displays.

- Enter the following:
- Server IP Address: Enter a distinct IP address that does not already have an alternate binding. Do not select the default Bind to IP Address (0.0.0.0).
- Server Key: Select a server key from the drop-down list to bind to the Server IP address. Server keys appear here only if they have already been added to the Server Keys window.
- Organization: Select an organization from the drop-down list to bind to the Server IP address. In addition to your MOVEit Transfer organizations, you will see the following organizations in the drop-down list:
- (default): Any organization can be assigned as the default. See Web Interface - Settings - System - Miscellaneous for information on how to assign a default organization.
- (System): The System Organization is used by SysAdmins to administer system-wide settings and create and maintain other organizations. It is not likely that you will create an alternative binding for the System organization.
- Click OK.
The new binding is added to the Alternate Bindings window.

To edit the Server IP, Server Key, and Organization of a binding, select the binding and click Edit.
To remove a binding, select the binding and click Remove.
Use Default SSH Server Version Control
Control for Selecting Legacy or Standard (default) SSH Service

| Service Control | Description |
|---|---|
| Revert to Legacy SSH Service | When visible, this control indicates the standard (default) SSH service is running. This is the preferred state. (Using this control to revert MOVEit Transfer to the older legacy service is not recommended.) |
| Use Default SSH Service | If visible, this control indicates that the legacy SSH service is running. (Using the legacy service is not best practice.) |

Diagnostic Logs (set on Status tab)
The MOVEit Transfer SSH server diagnostic log settings can be changed on the Status tab of the configuration utility. See the Log Settings section (Status Tab) of the Configuration Utility for details.
Paths (set on Paths tab)
The MOVEit Transfer SSH server communicates with MOVEit Transfer using the Machine URL configured on this tab. See the Paths tab for details.
SSH Ciphers Tab
The SSH Ciphers Tab includes:
- SSH Ciphers. Algorithms available for encoding data and their priority.
- Hash Functions. Hash-based Message Authentication Codes used and their priority.
- Key exchange algorithms. Algorithms available to exchange a session key and their priority.

This tab lets you select the ciphers and hash functions used to secure the SSH connection.
For FIPS and PCI compliance, you may need to prevent the use of weak ciphers. For example, a PCI audit may flag the use of ciphers such as MD5 and MD5-96. FIPS-approved cryptographic methods for SSH include (as of September 2015) 3des-cbc, aes128-cbc, aes192-cbc, and aes-256 ciphers with hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-md5, hmac-sha1-96, and hmac-md5-96 as the approved hash functions.
Selecting SSH Ciphers
The SSH Ciphers section allows you to choose which ciphers are permissible, and their order of preference. By default, all ciphers available to the current MOVEit Transfer platform are available.
- Select the Enabled check box to disable a selected entry or to enable an unselected entry.
- For order of precedence, use the arrow buttons to move entries up or down in the list. (Entries closer to the top of the list are given preference over entries lower down.)
Note: If you must permit weak ciphers or hashes, you should always put the stronger options at the top of the list.
FIPS Mode
The MOVEit Transfer default SFTP library provides cryptographic capabilities and algorithms that conform to Federal Information Processing Standards (FIPS 140-2). The FIPS validated secure encryption, key exchange, host key, client key, MAC, and compression algorithms are available in the MOVEit Transfer Config Utility.
To select FIPS mode:
- Click the Enable FIPS Mode checkbox to limit the SSH Ciphers, Hash Functions, and Key Algorithms to a subset that conform to the FIPS standard.
- Verify that you have reduced the list of ciphers to the subset that conforms to the FIPS standard.
SSH Ciphers Tab with FIPS Mode Checkbox Selected

Selecting SSH Hash Functions
The SSH Hash Functions section allows you to choose which hash functions are permissible, and their order of preference. By default, all hash functions available to the current MOVEit Transfer platform will be available.
- Select the Enabled check box to disable a selected entry or to enable an unselected entry.
- Use the arrow buttons to move entries up or down in the list. (Entries closer to the top of the list are given preference over entries lower down.)
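
The ordering note under Selecting SSH Ciphers and the hash-function list above can be checked from the client side by reading the name-lists the server advertises. This added example (not MOVEit Transfer code) parses an SSH_MSG_KEXINIT payload per RFC 4253 and reports weak MACs that are enabled or listed above stronger ones; the weak set follows the page's PCI example and the payload is constructed.

```python
import struct

# Assumption: the weak set is taken from the page's PCI example (MD5, MD5-96).
WEAK = {"hmac-md5", "hmac-md5-96"}
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into ordered name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}                      # 1 byte message type + 16 byte cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("missing name-list: " + field)
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list: " + field)
        lists[field] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return lists


def audit_order(names, weak=WEAK):
    """Return (enabled weak entries, weak entries listed above a stronger one)."""
    enabled_weak = [a for a in names if a in weak]
    misordered = [a for i, a in enumerate(names)
                  if a in weak and any(b not in weak for b in names[i + 1:])]
    return enabled_weak, misordered


def build_sample_kexinit():
    """Constructed sample payload; cipher and MAC names are ones the page lists."""
    def name_list(items):
        raw = ",".join(items).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    macs = ["hmac-sha2-512", "hmac-md5", "hmac-sha2-256", "hmac-sha1", "hmac-md5-96"]
    ciphers = ["aes128-cbc", "aes192-cbc", "3des-cbc"]
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], ciphers, ciphers,
             macs, macs, ["none"], ["none"], [], []]
    body = b"".join(name_list(x) for x in lists)
    return bytes([20]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)


if __name__ == "__main__":
    offered = parse_kexinit(build_sample_kexinit())
    print(audit_order(offered["mac_s2c"]))
```

RFC 4253 selects the first algorithm on the client's list that the server also offers, so review every enabled weak entry, not only the misordered ones.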
