Rackspace Cloud Essentials - Secure File Transfer Protocol (SFTP)


An alternative to using vsftpd, Secure FTP (SFTP) is another secure method of transferring files from one server to another.


Installation

SFTP (SSH File Transfer Protocol) is part of the SSH package, and the SSH package should be on your server by default.  You don't need to install anything else to support SFTP.

Configuration

Your SSH server should have SFTP enabled by default, so if you're able to make SSH connections you should be able to use SFTP without additional configuration.

If you want to make sure of that, the pertinent section in the SSH server's config file (usually "/etc/ssh/sshd_config") should look like:

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

So long as that Subsystem entry is there for the sftp server you're good.  If you can't find that line in your sshd_config you can add it to the end of the file and then restart the SSH server to enable sftp. You can learn more about configuring the SSH server in our article on basic Linux server security.

Security

As mentioned, SFTP uses the SSH protocol to connect to your Server.

As such, the connection and all data are encrypted, which prevents eavesdropping on passwords or sensitive data.

SFTP Client

We can start by looking at an SFTP client.

The 'client' is a program on your local workstation. I won't go into listing all the available SFTP clients, but suffice it to say that the vast majority of modern FTP clients also support SFTP (keep in mind SFTP does not use the 'typical' FTP protocols, so some older FTP clients may not support SFTP).

You can search for SFTP clients for Windows, OS X, Linux or other Operating Systems.

Due to the vast array of clients available I can't go into how to use each one (they should have plenty of documentation with the software).

However, the preferences/options panel will allow you to enter the SFTP details.

Take a look at this example:

[Screenshot: sftp.png]

If you have followed the setup articles (see the link above) you will notice the details are the same as those we used to setup SSH.

We have the Server IP, the user named 'fred', and we will be using the standard port 22.

The protocol has been specified as SFTP over SSH2 - this particular client has several options available.

Lastly, you should be able to set the path for the UI. In this case, I want to open the client in my home directory.

Once I have submitted the information, I am connected to the Server:

[Screenshot: sftp2.png]

Note: In this case I have accessed the Server at the root folder level. As such, you can browse the folders as shown above.

Most clients will allow you to 'double click' on a file and edit it in a local browser.

Jailing Users

At this point you may want to chroot or jail users connecting over SFTP. Jailing a user allows them access to only specific directories and ensures they do not go mucking around with things that could put the system at risk. This section will describe the process to configure this option.

Start by creating a group to which sftp users will belong.

groupadd sftp-users

Now add the group to the user.

usermod -aG sftp-users username   # -a appends; without it the user's other supplementary groups are dropped

Change ownership of the home directory for username to that of root.

chown root:root /home/username   # sshd requires the chroot directory (and every parent) to be root-owned and not group/world writable

Now, add a subfolder to the user's home directory and give ownership over the directory to username.

mkdir /home/username/ftpdirectory
chown username:sftp-users /home/username/ftpdirectory

Now open the sshd config file for editing.

vim /etc/ssh/sshd_config

Paste the following block to the bottom of the file

Match group sftp-users
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

Lastly restart the ssh service

service ssh restart   # on Red Hat-based systems the service is named sshd: service sshd restart

When the user logs in via SFTP they will only have access to the directory created above.

Permissions

Which brings us nicely to permissions.

Do remember that you are using the same details as the SSH user - as such they won't be able to automatically edit files owned by root.

All that would happen is a nice 'permission denied' error if you tried to open or save any changes to a root owned file.

So what to do about the permissions?

Well, to be honest, there isn't a lot you can do about it. The permissions are there for a good reason and are an integral part of Linux and how it is designed.

Neither do I recommend logging in as root - part of the initial SSH setup entailed disabling root logins.

However, beyond the initial setup, there should be little reason to mess around with files owned by root and any changes in configurations would be done from the command line using the 'sudo' command.

The main reason for using SFTP clients is to ease the transfer of files - most of which will be to your ftpdirectory folder which you will have permission to write.


Those are just a few of the methods that you can easily use to set up secure file transfers to your Linux Cloud server.  If you are using a Windows Server, you may still need to use FTP.  The following article shows you how to set up an FTP site in IIS 7.0.


© 2014 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License