Friday, October 29, 2010

Fun With SFTP

Until now I never knew that using FTP could be so easy.
Many of you will have started thinking about FTP servers by now, but to be clear, here I am talking about SFTP (SSH File Transfer Protocol).

But as Shakespeare said, "What's in a name? The thing we call a rose would smell as sweet by some other name."
And the same is true of SFTP: it gave me the usability I was looking for, with minimal configuration and some extra benefits, which I will talk about at the end.

And not only that, I was able to do this in two different ways.
  • One is, as my colleague Juan Pablo says, "a JAIL for the user", so that he cannot move outside the directory.
  • The other is like plain FTP, which lets you move around but not read or write anything unless you have permissions.

To understand it better, I think a use case will help, so I will put down the requirement that pushed me to learn about it.
We needed to grant a user access to one directory, and by one directory I literally mean that, as we wanted to stop him from peeping into anything else.
That too with minimal access to system binaries, and it had to be secure, etc.

SFTP was the best fit for the requirement. You will see how in the next section, where I have shown the configuration for both cases, and believe me, it couldn't have been simpler.

Let's get into the jail first ;-)
  • Edit /etc/ssh/sshd_config to include this (the ChrootDirectory line is what keeps the user under one directory):
Subsystem sftp internal-sftp
Match User sftpuser
ChrootDirectory /var/www/sftpdir
ForceCommand internal-sftp
  • Create the sftpuser and set its shell to /bin/false, so that the user cannot get a normal SSH login.
useradd -m -s /bin/false sftpuser
  • Make root the owner of sftpdir (sshd only accepts a root-owned chroot directory).
chown root:root /var/www/sftpdir
  • For extra security I also changed these in /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
I also added my public key to the /home/sftpuser/.ssh/authorized_keys file, but this is optional as it does not affect how SFTP itself works.

For this jail method we are done.

Try connecting:
sftp sftpuser@localhost
Connecting to localhost...
Enter passphrase for key '/home/user/.ssh/id_dsa':
sftp>
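The chown step above is the one people usually get wrong: sshd refuses the chroot unless every component of the ChrootDirectory path (here /var, /var/www and /var/www/sftpdir) is owned by root and is not writable by group or others, and the failure only shows up as a closed connection. The script below is an added example, not code from the original post: it checks that rule on each path component and prints the Match block for the user. It assumes GNU coreutils stat (Linux); the user name, directory and config keys are the ones used in this post.

```shell
#!/bin/sh
# Added example, not code from the original post. It checks the two things
# sshd demands of a ChrootDirectory (every path component root-owned and not
# writable by group or others) and prints the Match block for one user.
# Assumes GNU coreutils stat (Linux); the user and directory names are the
# ones used in the post.

# Pure check: owner name and octal mode string as printed by "stat -c '%U %a'".
# Returns 0 when sshd would accept the directory as a chroot path component.
chroot_component_ok() {
    owner=$1
    mode=$2
    [ "$owner" = "root" ] || return 1
    # Keep the last three digits (drops a leading setuid/setgid/sticky digit),
    # then reject any group or other digit with the write bit (2) set.
    perm=$(printf '%s' "$mode" | tail -c 3)
    case $perm in
        ?[2367]?|??[2367]) return 1 ;;
    esac
    return 0
}

# Walk every component of the chroot path (/var, /var/www, /var/www/sftpdir)
# and stat it, since sshd refuses the chroot if any one of them is wrong.
check_chroot_path() {
    dir=$1
    path=""
    oldifs=$IFS
    IFS=/
    set -- $dir
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        owner=$(stat -c %U "$path") || return 1
        mode=$(stat -c %a "$path") || return 1
        if ! chroot_component_ok "$owner" "$mode"; then
            echo "chroot check failed at $path (owner $owner, mode $mode)" >&2
            return 1
        fi
    done
    return 0
}

# Print the sshd_config fragment for a jailed SFTP user.
sftp_match_block() {
    printf 'Match User %s\nChrootDirectory %s\nForceCommand internal-sftp\n' "$1" "$2"
}

# Stand-alone use: sh check_chroot.sh sftpuser /var/www/sftpdir
if [ $# -eq 2 ]; then
    check_chroot_path "$2" && sftp_match_block "$1" "$2"
fi
```

Two things to keep in mind when pasting the printed block into sshd_config: a stock Debian/Ubuntu file already carries a "Subsystem sftp /usr/lib/openssh/sftp-server" line, and sshd rejects a second Subsystem line, so replace it rather than adding another; and since PasswordAuthentication is off, the entry in authorized_keys is what lets sftpuser authenticate at all. Run "sshd -t" to syntax-check the file before restarting the daemon.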

Now let's go back and look at the second way (I know most of you will not read this, as the first one works like a charm):
  • Create a user with /usr/lib/openssh/sftp-server as the shell and /var/www/sftpdir as the home directory.
sudo useradd -s /usr/lib/openssh/sftp-server -d /var/www/sftpdir sftpuser
  • Add /usr/lib/openssh/sftp-server to the /etc/shells file.
echo "/usr/lib/openssh/sftp-server" >> /etc/shells
  • For extra security I changed /etc/ssh/sshd_config as below and also added my key to the /var/www/sftpdir/.ssh/authorized_keys file.
PasswordAuthentication no
PubkeyAuthentication yes
  • Set the correct permissions on sftpdir.
chmod go-w /var/www/sftpdir
chmod 700 /var/www/sftpdir/.ssh
chmod 600 /var/www/sftpdir/.ssh/authorized_keys

And done.

Try connecting:
sftp sftpuser@localhost
Connecting to localhost...
Enter passphrase for key '/home/user/.ssh/id_dsa':
sftp>
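The second method's steps are the kind of thing that gets re-run on the next server, and the plain "echo >> /etc/shells" above appends a duplicate line every time. The script below is an added example, not code from the original post: it makes the /etc/shells step idempotent, applies the three permission changes from the last step, and then re-reads the modes so the same function can serve as a check later. It assumes GNU coreutils stat (Linux); the paths are parameters so the functions can be tried on a scratch directory before touching /var/www/sftpdir.

```shell
#!/bin/sh
# Added example, not code from the original post. Makes the second method's
# setup steps repeatable: the /etc/shells entry is only appended when absent
# (a plain ">>" adds a duplicate line on every run), and the home-directory
# permissions are applied and then verified. Assumes GNU coreutils stat.
# Paths are parameters so the functions can be tried on a scratch directory.

# Append $2 to the shells file $1 unless that exact line is already present.
add_shell_entry() {
    file=$1
    shell=$2
    if [ -f "$file" ] && grep -qxF "$shell" "$file"; then
        return 0
    fi
    printf '%s\n' "$shell" >> "$file"
}

# The post's permission steps: home not writable by group/others, .ssh 700,
# authorized_keys 600. Creates the .ssh directory and key file if missing.
secure_sftp_home() {
    dir=$1
    chmod go-w "$dir" &&
    mkdir -p "$dir/.ssh" &&
    chmod 700 "$dir/.ssh" &&
    touch "$dir/.ssh/authorized_keys" &&
    chmod 600 "$dir/.ssh/authorized_keys"
}

# Re-read the modes and return non-zero if anything drifted, so this can be
# run from a deploy script or cron job as a regression check.
verify_sftp_home() {
    dir=$1
    home_mode=$(stat -c %a "$dir") || return 1
    # Last three digits only (drops a sticky/setgid digit), then look for a
    # write bit (2) in the group or other digit.
    home_mode=$(printf '%s' "$home_mode" | tail -c 3)
    case $home_mode in
        ?[2367]?|??[2367])
            echo "$dir is writable by group/others (mode $home_mode)" >&2
            return 1 ;;
    esac
    [ "$(stat -c %a "$dir/.ssh")" = "700" ] ||
        { echo "$dir/.ssh is not mode 700" >&2; return 1; }
    [ "$(stat -c %a "$dir/.ssh/authorized_keys")" = "600" ] ||
        { echo "$dir/.ssh/authorized_keys is not mode 600" >&2; return 1; }
    return 0
}

# Stand-alone use (as root): sh sftp_home.sh /var/www/sftpdir
if [ $# -eq 1 ]; then
    add_shell_entry /etc/shells /usr/lib/openssh/sftp-server &&
    secure_sftp_home "$1" && verify_sftp_home "$1" && echo "ok: $1"
fi
```

Because the user's home directory is the sftpdir itself in this method, the authorized_keys file lives inside the directory the user can write to; the 700 on .ssh and 600 on the key file are what stop the SFTP user (or anyone else with a foothold there) from swapping in a different key, which is why the verify function checks those two modes exactly rather than just "not group/world writable".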

Now about the extra benefits:
  • Easy to configure.
  • Good security.
  • Works with public-key authentication (PubkeyAuthentication).
  • No extra installation (it uses SSH).
  • Easy-to-use SFTP client.
At least these things are enough to pull me towards it.

That's it for today. Happy SFTPing.
