
AWS Transfer Family: TransferSecurityPolicy-2024-01 vs 2018-01 (ssh-rsa support)

0

We are currently working with AWS Transfer Family and evaluating security policies for our SFTP setup.

We observed the following differences:

TransferSecurityPolicy-2024-01 does not support legacy algorithms such as ssh-rsa and ssh-dss. TransferSecurityPolicy-2018-01 still supports these older algorithms.

This is creating compatibility issues, as some of our existing clients are still using ssh-rsa.

1 Answer
6

I think the primary reason for the compatibility issue is that TransferSecurityPolicy-2024-01 deprecates the SHA-1 hash algorithm, which is used by the legacy ssh-rsa public key algorithm.

Key Differences:

  • TransferSecurityPolicy-2018-01: Supports legacy algorithms including ssh-rsa (SHA-1) and ssh-dss (DSA).
  • TransferSecurityPolicy-2024-01: Strictly requires modern, secure algorithms. It disables ssh-rsa (SHA-1) and ssh-dss entirely.

Important Clarification on RSA:

The 2024-01 policy still supports RSA keys, but only when used with secure transport signatures: rsa-sha2-256 or rsa-sha2-512.

Why your clients are failing:

If your clients are using older SFTP software (e.g., outdated versions of WinSCP, FileZilla, or JSch), they likely only support the original ssh-rsa (SHA-1) signature scheme. Since the 2024 policy blocks SHA-1, the connection is rejected during the handshake.

I would try:

  1. Upgrade Clients: Ask users to update their SFTP clients. Modern versions will automatically use rsa-sha2-256 with their existing RSA keys.

  2. Use a Transition Policy: If you cannot update all clients immediately, consider TransferSecurityPolicy-2022-03. It provides a better security baseline than 2018 while maintaining broader compatibility.

  3. Legacy Support: If you must support legacy systems that cannot be updated, you will have to stick with 2018-01, but be aware that this may trigger warnings in security audits (e.g., SOC2 or PCI DSS) due to the use of SHA-1.

EXPERT
answered a month ago
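As an added illustration, not code from the answer above or from AWS: a stdlib-only Python check of why the same RSA key (whose public key line still begins with "ssh-rsa") authenticates under 2024-01 only when the client offers an rsa-sha2 signature. The per-policy algorithm sets are an assumption drawn from the answer (RSA/DSA entries only, with 2018-01 assumed to also accept the rsa-sha2 variants), and the public key line is constructed with dummy key fields.

```python
import base64
import struct

# Signature algorithms each policy accepts for public key authentication.
# ASSUMPTION from the answer above (RSA/DSA entries only); take the authoritative
# lists from the AWS Transfer Family documentation.
POLICY_PUBKEY_ALGS = {
    "TransferSecurityPolicy-2018-01": {"ssh-rsa", "ssh-dss", "rsa-sha2-256", "rsa-sha2-512"},
    "TransferSecurityPolicy-2024-01": {"rsa-sha2-256", "rsa-sha2-512"},
}
# One RSA key can sign with three schemes (RFC 8332); the key file always says "ssh-rsa".
KEY_TYPE_SIG_ALGS = {
    "ssh-rsa": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "ssh-dss": {"ssh-dss"},
}

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def constructed_pubkey_line(key_type: str) -> str:
    """CONSTRUCTED public key line: real layout (type string first), dummy key fields."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xab")
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

def key_type_from_line(line: str) -> str:
    """Return the key type encoded inside the blob; it must match the leading word."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (length,) = struct.unpack(">I", blob[:4])
    encoded = blob[4:4 + length].decode()
    if encoded != declared:
        raise ValueError(f"key type mismatch: {declared!r} vs {encoded!r}")
    return encoded

def negotiable_algorithms(pubkey_line: str, client_sig_algs: list[str], policy: str) -> list[str]:
    """Signature algorithms (in the client's preference order) that the key supports,
    the client offers, and the policy accepts. An empty list means publickey auth fails."""
    key_algs = KEY_TYPE_SIG_ALGS.get(key_type_from_line(pubkey_line), set())
    server_algs = POLICY_PUBKEY_ALGS[policy]
    return [a for a in client_sig_algs if a in key_algs and a in server_algs]

if __name__ == "__main__":
    rsa_key = constructed_pubkey_line("ssh-rsa")
    clients = {"legacy (SHA-1 only)": ["ssh-rsa", "ssh-dss"],
               "modern": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]}
    for policy in POLICY_PUBKEY_ALGS:
        for name, algs in clients.items():
            print(policy, name, negotiable_algorithms(rsa_key, algs, policy) or "REJECTED")
```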
  • It is important to mention that TransferSecurityPolicy-2018-01 should not be used and instead TransferSecurityPolicy-Restricted-2018-01 is the better choice for legacy systems. They are identical in all respects but the latter excludes the chacha20 algorithm which has known vulnerabilities.

    Same reasoning applies to TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06.

  • Thanks for your answer, but I just want to verify if TransferSecurityPolicy-2022-03 will still be able to support ssh-rsa, as it was supported by TransferSecurityPolicy-2018-01?
