Setting Up FTP^H^H^H SFTP In A Hurry For File Uploads Using OpenSSH

Submitted by orange (Contact Author) (Forums) on Mon, 2011-03-21 17:42. :: FTP

Secure file transfer gets too little attention, perhaps because it is too easy. For secure file transfer without the need of special programs or clients, nothing more is needed than to have the OpenSSH server installed and running. It has a built-in SFTP subsystem that is available to any account that can log in. In other words, for basic SFTP access, nothing needs to be done other than have an account accessible via SSH.

Again, for basic SFTP uploads and downloads, nothing in the default OpenSSH installation needs to be changed.  It's already there, ready to be used.


Adding complexity - SFTP accounts without shell access

Removing shell access while still allowing SFTP access is as simple as three steps, provided the OpenSSH server is already installed.

  1. Create a user group, e.g. sftponly
  2. Add users to that group
  3. Add a corresponding Match directive to sshd's configuration in /etc/ssh/sshd_config:
    Subsystem sftp internal-sftp

    Match Group sftponly
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp


More complexity - Chrooted SFTP accounts without shell access

Making a chroot jail of the SFTP users' home directories is just as easy to set up in OpenSSH.

  1. Create a user group, e.g. sftponly
  2. Add users to that group
  3. Add a corresponding Match directive to sshd's configuration in /etc/ssh/sshd_config:
    Subsystem sftp internal-sftp

    Match Group sftponly
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

It's that easy.
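The three steps above as one provisioning script (an added example, not the article's own code), assuming the group sftponly, a user alice and an upload subdirectory under the home. It also performs the check sshd applies but the steps do not spell out: the ChrootDirectory (%h) must be owned by root and must not be group- or world-writable, otherwise the login is refused.

```shell
#!/bin/sh
# Added example: chrooted, SFTP-only account matching the Match block above.
# Assumed names: group "sftponly", user "alice", writable subdir "upload".
set -eu

# Emit the sshd_config fragment for a group. It belongs at the END of
# /etc/ssh/sshd_config, because everything after "Match" is conditional.
render_sftp_config() {
    cat <<EOF
Subsystem sftp internal-sftp

Match Group $1
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
EOF
}

# Return 0 if an octal mode (755, 2755, ...) is acceptable for a chroot root:
# neither the group-write bit (020) nor the other-write bit (002) may be set.
chroot_mode_ok() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# Check an existing directory: must be uid 0 and a safe mode (GNU stat assumed).
check_chroot_dir() {
    uid=$(stat -c '%u' "$1"); mode=$(stat -c '%a' "$1")
    [ "$uid" -eq 0 ] && chroot_mode_ok "$mode"
}

# Provisioning needs root; nologin path is assumed (/sbin/nologin on RHEL).
provision_sftp_user() {   # usage: provision_sftp_user GROUP USER
    getent group "$1" >/dev/null || groupadd "$1"
    useradd -m -g "$1" -s /usr/sbin/nologin "$2"
    chown root:root "/home/$2" && chmod 755 "/home/$2"   # chroot root: root-owned, read-only
    install -d -o "$2" -g "$1" -m 750 "/home/$2/upload"  # the only place the user can write
    render_sftp_config "$1" >> /etc/ssh/sshd_config
    sshd -t && check_chroot_dir "/home/$2"   # config syntax, then ownership/mode check
}

if [ "${1:-}" = "provision" ] && [ "$(id -u)" -eq 0 ]; then
    provision_sftp_user sftponly alice
fi
```

Run it as root with the argument `provision`; the functions alone are safe to source for checking an existing setup.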


Time to say goodbye to FTP and FTPS

The name "FTP" is often misused to mean any file transfer done with a dedicated client. It is, however, a specific protocol.

Plain FTP is insecure. The entire session, from the username and password at the beginning to the data transfer at the end, is done without encryption. All accounts that use it can be considered compromised. It is the protocol itself that is insecure. FTP also requires adding and configuring special server software, whereas most servers already have SSH, and thus SFTP, up and running.

FTP tunneled over SSL/TLS is FTPS. In contrast, SFTP is a new protocol designed from the ground up for secure file transfer. FTPS requires even more setup than FTP, whereas SFTP is running out of the box wherever there is an OpenSSH server.


Conclusion

Without extra effort, SFTP is already available wherever an OpenSSH server is running. With minimal changes, shell access can be turned off for SFTP users and even chrooted.

Submitted by Anonymous (not registered) on Tue, 2011-03-22 17:58.

I see you tried to erase FTP to replace it with SFTP. Down with the backspace key!

Submitted by Anonymous (not registered) on Tue, 2011-03-22 10:02.

It would be good to mention that the "ChrootDirectory" configuration option is available from version 4.8p1 onwards.

Submitted by Anonymous (not registered) on Tue, 2011-03-22 03:45.

Please note that you need to have OpenSSH version 5.1 or greater to take advantage of this (ForceCommand was added in 4.4, ChrootDirectory was added in 4.8.1 and Match Group in 5.1, I think). Unfortunately, CentOS/RHEL 5 only backports security fixes, so you'll have to wait for RHEL 6 or compile your own version.