Hello folks - today I will be sharing about SFTP.
SFTP is an acronym for Secure File Transfer Protocol. SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.
In this article I will provide the configuration details for setting up an SFTP server to transfer files, with or without SSH shell access for the SFTP user account. We will be using OpenSSH 5.8 for this configuration. First we need to install the dependencies required to build the OpenSSH package.
# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build
Now download the OpenSSH package (in the current scenario I chose version 5.8; you can choose whatever version is best for you). The .asc file is the detached signature for the tarball:
# wget http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-5.8p2.tar.gz
# wget http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-5.8p2.tar.gz.asc
Now that we have the gzipped tarball, we need to unpack it, then build the RPM and install it. We can disable the building of the GUI askpass components in the spec file, as we don't need a GUI on a server:
# tar -xvzf openssh-5.8p2.tar.gz
# cp openssh-5.8p2/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp openssh-5.8p2.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS
# perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/`uname -i`
# rpm -Uvh openssh*rpm
Once the RPM installation is done, let's restart the SSH daemon and watch closely for errors, if any.
# service sshd restart
Next we change a few settings in the sshd_config file. [Here I've provided a sample configuration file for better understanding, showing the available options and the ones I modified.]
# vi /etc/ssh/sshd_config
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 60
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
#Subsystem sftp /opt/libexec/sftp-server
Subsystem sftp internal-sftp
DenyUsers root wuser
DenyGroups root nossh
#DenyGroups nossh
#Manual configuration
Match Group sftp
#ChrootDirectory %h
ChrootDirectory /ftpdir/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
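The settings that actually keep a member of the sftp group inside the jail are few (the in-process internal-sftp subsystem, the Match block's ChrootDirectory and ForceCommand, and forwarding switched off), and any one of them is easy to lose when editing a file this long. The lint below is an added example written for this page, not code from the post or from OpenSSH; it parses an sshd_config laid out like the one above and reports each missing or wrong directive. It assumes only that the Match block keys on a group named sftp, and the two sample configs it checks are constructed here.

```shell
#!/bin/sh
# Added example (not part of the original post): lint an sshd_config for the
# SFTP-only settings the article sets. It assumes only that the Match block
# keys on a group named "sftp", as in the post's configuration.

# Print the value of KEY from the global section of FILE (everything before
# the first Match block). Commented lines are skipped, so a directive that
# exists only as "#PermitRootLogin yes" prints nothing.
global_directive() {  # FILE KEY
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Print the value of KEY from the "Match Group GROUP" block of FILE.
match_directive() {  # FILE GROUP KEY
    awk -v group="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == group); next }
        inblock && tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Compare an actual value with the wanted one and print a verdict line.
expect() {  # LABEL ACTUAL WANTED
    if [ "$2" = "$3" ]; then echo "ok   $1 = $3"; return 0; fi
    echo "FAIL $1 is '${2:-unset}', want '$3'"; return 1
}

# Check the directives that keep members of GROUP inside the SFTP jail:
# no shell (ForceCommand), no tunnels (AllowTcpForwarding/X11Forwarding),
# a chroot, and the in-process sftp server that works inside a chroot.
# Returns 0 only when every check passes.
check_sftp_config() {  # FILE GROUP
    f="$1"; g="$2"; rc=0
    expect "Protocol" "$(global_directive "$f" Protocol)" "2" || rc=1
    expect "Subsystem" "$(global_directive "$f" Subsystem)" "sftp internal-sftp" || rc=1
    expect "Match $g ForceCommand" "$(match_directive "$f" "$g" ForceCommand)" "internal-sftp" || rc=1
    expect "Match $g AllowTcpForwarding" "$(match_directive "$f" "$g" AllowTcpForwarding)" "no" || rc=1
    expect "Match $g X11Forwarding" "$(match_directive "$f" "$g" X11Forwarding)" "no" || rc=1
    jail=$(match_directive "$f" "$g" ChrootDirectory)
    case "$jail" in
        ""|none) echo "FAIL Match $g ChrootDirectory is unset; users would see the whole filesystem"; rc=1 ;;
        *)       echo "ok   Match $g ChrootDirectory = $jail" ;;
    esac
    return $rc
}

# Constructed sample configs, trimmed to the lines that matter.
write_hardened_config() {  # FILE
    cat > "$1" <<'EOF'
Protocol 2
#PermitRootLogin yes
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory /ftpdir/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
}

write_weak_config() {  # FILE: external sftp-server binary and no ForceCommand
    cat > "$1" <<'EOF'
Protocol 2
Subsystem sftp /usr/libexec/openssh/sftp-server
Match Group sftp
    ChrootDirectory /ftpdir/%u
    X11Forwarding no
EOF
}

# Demo: lint both samples. On a real host run
#   check_sftp_config /etc/ssh/sshd_config sftp
tmpdir=$(mktemp -d)
write_hardened_config "$tmpdir/hardened"
write_weak_config "$tmpdir/weak"
echo "== hardened =="; check_sftp_config "$tmpdir/hardened" sftp
echo "== weak =="; check_sftp_config "$tmpdir/weak" sftp || echo "weak config rejected"
rm -rf "$tmpdir"
```

The parser stops reading global directives at the first Match line and only reads a Match block whose criterion is exactly `Group <name>`, which is the shape used above; a config with several Match blocks or combined criteria would need a richer parser, but the checks themselves stay the same.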
The third step is creating the SFTP group, the SFTP users and the directory permissions. So let's create a group for SFTP:
# /usr/sbin/groupadd sftp
Next, let's create a directory for file transfers; name it ftpdir under /:
# mkdir /ftpdir
Next, create an SFTP user called sftpuser1 with the default home directory /ftpdir:
# /usr/sbin/useradd -g sftp -s /usr/libexec/openssh/sftp-server -d /ftpdir sftpuser1
Then change the ownership of /ftpdir: it will be the chroot directory, so it should be owned by root with group sftp.
# chown root:sftp /ftpdir
Then set the permissions: read, write and execute for the owner, read and execute for the group and others.
# chmod 755 /ftpdir
Now, the directory specific to sftpuser1:
# mkdir /ftpdir/sftpuser1
Next, change the ownership of /ftpdir/sftpuser1 to the user sftpuser1, which belongs to the sftp group.
# chown sftpuser1:sftp /ftpdir/sftpuser1
Next, change the permissions for /ftpdir/sftpuser1: read, write and execute for the sftpuser1 user, read and execute for the group users of sftp and for others.
# chmod 755 /ftpdir/sftpuser1
Now, create a password for sftpuser1:
# passwd sftpuser1
In the end, restart the sshd service to commit all the changes:
# /sbin/service sshd restart
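One check worth running before the restart: the Match block sets ChrootDirectory /ftpdir/%u, and sshd accepts a chroot only if that directory and every parent of it are owned by root and writable by no other user or group, failing the login with "bad ownership or modes for chroot directory" otherwise. The steps above hand /ftpdir/sftpuser1 to sftpuser1, which that rule rejects; the usual layout keeps the chroot root-owned and gives the user a writable subdirectory (for example upload/) inside it. The script below is an added example for this page, not the post's commands and not part of OpenSSH: it walks the chroot path the way sshd does and names the first offending component. It assumes GNU stat (Linux, as on the RHEL hosts the post targets), and the scratch tree it checks is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post). sshd accepts a
# ChrootDirectory only if every component of its path is a root-owned
# directory that no other user or group can write to; otherwise the login
# fails with "bad ownership or modes for chroot directory". This verifier
# walks the path the same way and names the first offending component.
# Assumes GNU stat (Linux), as on the RHEL hosts the post targets.

# Usage: check_chroot_path BASE CHROOT [OWNER_UID]
# Checks every directory from BASE down to CHROOT. OWNER_UID defaults to 0
# (root), which is what sshd requires; another uid is accepted only so the
# check can be exercised on a scratch tree without root.
check_chroot_path() {
    base="$1"; target="$2"; want_uid="${3:-0}"
    case "$target" in
        "$base"|"$base"/*) ;;
        *) echo "$target is not under $base"; return 2 ;;
    esac
    dir="$target"
    while :; do
        info=$(stat -c '%u %a' "$dir" 2>/dev/null) || { echo "$dir: cannot stat"; return 2; }
        uid=${info% *}; mode=${info#* }
        if [ ! -d "$dir" ]; then
            echo "$dir: not a directory"; return 1
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir: owned by uid $uid, expected uid $want_uid"; return 1
        fi
        # The last two octal digits are the group and other permission bits;
        # a 2, 3, 6 or 7 in either position means write is allowed.
        case "$mode" in
            *[2367][0-7]) echo "$dir: mode $mode is group-writable"; return 1 ;;
            *[2367])      echo "$dir: mode $mode is world-writable"; return 1 ;;
        esac
        [ "$dir" = "$base" ] && break
        dir=$(dirname "$dir")
    done
    echo "$target: ownership and modes acceptable for ChrootDirectory"
    return 0
}

# Demo on a constructed scratch tree mirroring the post's /ftpdir/sftpuser1
# layout. Without root we can only exercise the mode checks, so the owner
# check runs against our own uid; on the real host use the default (root):
#   check_chroot_path / /ftpdir/sftpuser1
scratch=$(mktemp -d)
me=$(id -u)
mkdir -p "$scratch/ftpdir/sftpuser1/upload"   # upload/ is where the user may write
chmod 755 "$scratch/ftpdir" "$scratch/ftpdir/sftpuser1"
check_chroot_path "$scratch" "$scratch/ftpdir/sftpuser1" "$me"
chmod 775 "$scratch/ftpdir/sftpuser1"   # group-writable: sshd would refuse this jail
check_chroot_path "$scratch" "$scratch/ftpdir/sftpuser1" "$me" || echo "rejected, as sshd would"
rm -rf "$scratch"
```

On the server itself, run `check_chroot_path / /ftpdir/sftpuser1` as root after the chown and chmod steps; a clean result means the only thing left for the user to own is the subdirectory inside the jail.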
Now, test the SFTP user with an SFTP client such as Bitvise Tunnelier - http://www.bitvise.com/tunnelier , Private Shell - http://www.privateshell.com/ or FileZilla - http://www.upenn.edu/computing/help/doc/ftp/filezillasftp.html
Once connectivity is tested, follow these next steps only if SSH connectivity has to be disabled for sftpuser1, so that the account can connect only through a GUI client tool:
# vi /etc/passwd
Modify only the last field (the login shell) of the sftpuser1 line to /dev/null:
sftpuser1:x:508:514::/ftpdir:/dev/null
Save the file and then restart the SSH daemon for the changes to take effect. And that's it folks, we are all set for secure file transfer.
Keep rocking fellows, see ya next time with another challenging topic.
Hi there,
This one is really a good post. It is going to help everyone a lot. All the configuration details for configuring SFTP server to transfer files is covered in the blog is quite impressive. Thanks for sharing this configuration details with us.
Secure FTP Hosting