Setting Up FTP^H^H^H SFTP In A Hurry For File Uploads Using OpenSSH
Secure file transfer gets too little attention, perhaps because it is too easy. For secure file transfer without the need for special programs or clients, nothing more is needed than an OpenSSH server installed and running. It has a built-in SFTP subsystem that is available to any account that can log in. In other words, for basic SFTP access, nothing needs to be done other than having an account accessible via SSH.
Again, for basic SFTP uploads and downloads, nothing in the default OpenSSH installation needs to be changed. It's already there, ready to be used.
Adding complexity - SFTP accounts without shell access
Removing shell access while still allowing SFTP access is as simple as three steps, if the OpenSSH server is already installed.
- Create a user group, e.g. sftponly
- Add users to that group
- Add a corresponding Match directive to sshd's configuration in /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Match Group sftponly
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
More complexity - Chrooted SFTP accounts without shell access
Chrooting SFTP users into their home directories is just as easy to set up in OpenSSH.
- Create a user group, e.g. sftponly
- Add users to that group
- Add a corresponding Match directive to sshd's configuration in /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
It's that easy.
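Two things bite in practice when following the two procedures above, and neither is in the config fragments themselves: the stock sshd_config already contains a Subsystem sftp line, so the internal-sftp line must replace it rather than be added alongside it (sshd rejects a second definition), and sshd_config(5) requires every component of a ChrootDirectory path to be root-owned and not writable by group or others, so with ChrootDirectory %h the home directory itself must be root-owned and the user gets a writable sub-directory inside it. The script below is an added example, not part of the original article: it prints the Match block for a given group and pre-checks a chroot path component by component against that ownership rule. It assumes GNU coreutils stat (Linux); the group name, paths and the uploads sub-directory are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article). Generates the sshd_config
# fragment for a chrooted, shell-less SFTP group and checks a ChrootDirectory
# candidate against the sshd_config(5) rule: every path component must be
# owned by root and not writable by group or others. Assumes GNU stat.

# Print the sshd_config fragment for the given SFTP-only group.
sftp_match_block() {
    group="$1"
    cat <<EOF
Subsystem sftp internal-sftp
Match Group ${group}
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
EOF
}

# Check one directory: root-owned (uid 0) and no group/other write bit.
# Prints one line per violation; returns 0 only when the component is fine.
check_component() {
    d="$1"
    if [ ! -d "$d" ]; then
        printf '%s: not a directory\n' "$d"
        return 1
    fi
    # %u = owner uid, %A = symbolic mode such as drwxr-xr-x (GNU stat).
    info=$(stat -c '%u %A' "$d") || return 1
    uid=${info%% *}
    mode=${info#* }
    ok=0
    [ "$uid" = 0 ] || { printf '%s: owned by uid %s, must be root (uid 0)\n' "$d" "$uid"; ok=1; }
    # Character 6 of the mode string is the group write bit, character 9 the
    # other write bit (e.g. drwxrwxr-x has group write set).
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    case "$gw$ow" in
        *w*) printf '%s: mode %s is writable by group or others\n' "$d" "$mode"; ok=1 ;;
    esac
    return $ok
}

# Walk "/", then each prefix of the path ("/home", "/home/alice", ...),
# since sshd checks every component, not just the final directory.
chroot_path_problems() {
    target="$1"
    rc=0
    path=""
    rest="${target#/}"
    check_component / || rc=1
    while [ -n "$rest" ]; do
        comp="${rest%%/*}"
        case "$rest" in */*) rest="${rest#*/}" ;; *) rest="" ;; esac
        [ -n "$comp" ] || continue   # skip empty components from "//"
        path="$path/$comp"
        check_component "$path" || rc=1
    done
    return $rc
}

# Usage: sh sftp_chroot_check.sh GROUP CHROOT_DIR
# USER below is a placeholder for the account being set up.
main() {
    sftp_match_block "$1"
    echo
    if chroot_path_problems "$2"; then
        printf '%s: acceptable as ChrootDirectory\n' "$2"
    else
        printf '%s: sshd will refuse this chroot; typical fix:\n' "$2"
        printf '  chown root:root %s && chmod 755 %s\n' "$2" "$2"
        printf '  mkdir -p %s/uploads && chown USER:%s %s/uploads\n' "$2" "$1" "$2"
        return 1
    fi
}
case $# in 2) main "$@" ;; esac
```

After editing sshd_config, `sshd -t` validates the file before a restart, and `sshd -T -C user=alice` prints the effective configuration for that account, which confirms whether the Match block applies to the user you intended.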
Time to say goodbye to FTP and FTPS
The name "FTP" is often misused to mean file transfer using a special client. However, it is a specific protocol.
Plain FTP is insecure. The entire session, from the username and password at the beginning to the data transfer at the end, is done without encryption. All accounts that use it can be considered compromised. It is the protocol itself that is insecure. FTP also requires adding and configuring special server software, whereas most servers already have SSH, and thus SFTP, up and running.
FTPS is FTP tunneled over SSL/TLS. SFTP, in contrast, is a separate protocol designed from the ground up for secure file transfer over SSH. FTPS requires even more setup than FTP, whereas SFTP is running out of the box wherever there is an OpenSSH server.
Conclusion
Without extra effort, SFTP is already available wherever an OpenSSH server is running. With minimal changes, shell access can be turned off for SFTP users and even chrooted.