SFTP is short for SSH FTP (SSH File Transfer Protocol). To allow sftp connections you have to enable the sftp-server subsystem on the server side.
WHY to use sftp:
Plus side:
- you get SSH encryption and SSH authentication
- it uses the SSH port, so no extra port has to be opened
- SSH keys can be used for authentication
- the client gets only a limited, FTP-like set of commands
- a user that connects through sftp can be locked into a defined folder (chroot)
Minus side:
- none (so far)
We started to use sftp when we needed secure file transfer over the Internet. In our case the most important things were security and limited access for the users that transfer files to our server.
SERVER SETTINGS:
On RH, SuSE, CentOS and Ubuntu sftp is disabled by default. To enable it you have to edit the /etc/ssh/sshd_config file.
Replace the following line
Subsystem sftp /usr/libexec/openssh/sftp-server
with
Subsystem sftp internal-sftp -f AUTH -l INFO
This enables the internal sftp-server built into sshd. Unlike the external sftp-server binary it needs no support files inside the chroot, which is why it is the right choice for the chrooted setup below.
Now configure the sftp-server settings. These are also set in /etc/ssh/sshd_config.
There are numerous settings for the sftp-server; we use these:
Match Group usergroupsftp
ChrootDirectory /usergroupsftp/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication no
These settings do the following (note that the Match block has to go at the end of sshd_config, because every line after a Match line belongs to that block until the next Match):
Match Group usergroupsftp = the settings below apply only to users that are in group usergroupsftp
ChrootDirectory /usergroupsftp/%u = users that connect through sftp are chrooted into /usergroupsftp/%u. %u is replaced with the user name, so every user is locked into his own folder
ForceCommand internal-sftp = only the internal sftp-server command set is available, so the user cannot get a shell even if one is set in /etc/passwd
X11Forwarding no = X11 forwarding is disabled
AllowTcpForwarding no = TCP forwarding is disabled, so the sftp connection cannot be used to tunnel other traffic
PasswordAuthentication no = password authentication is disabled for these users, so they can only connect to the sftp-server with keys
When you are done configuring, restart the ssh service. It is worth checking the syntax with sshd -t first, because a broken sshd_config stops sshd from starting and locks you out of the server.
server1# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
USER SETTINGS:
Now create the user that will log in to your server with sftp.
server1#useradd sftp1
server1#passwd sftp1
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
User sftp1 has to be in the group you defined in sshd_config, in our case usergroupsftp. The group must already exist (create it with groupadd if it does not).
server1#usermod -g usergroupsftp sftp1
server1#id sftp1
uid=505(sftp1) gid=503(usergroupsftp) groups=503(usergroupsftp) context=system_u:system_r:initrc_t
Now go to the home folder of user sftp1.
server1#cd /home/sftp1
If there is no .ssh folder here, create one. It must be owned by sftp1 and not writable by group or others, otherwise sshd (with StrictModes, the default) silently ignores the keys in it.
server1#mkdir .ssh
server1#cd .ssh
Now check in /etc/ssh/sshd_config which file sshd reads the authorized keys from.
server1# cat /etc/ssh/sshd_config |grep Auth
AuthorizedKeysFile .ssh/authorized_keys
FOLDER SETTINGS:
Now configure the chroot folder.
server1#cd /desired_space
server1#mkdir usergroupsftp
server1# ls -la
total 12
drwxr-xr-x 2 root root 4096 Jan 24 17:45 usergroupsftp
It is very important that this folder is owned by user root and group root. Why? sshd checks the ChrootDirectory path before it chroots: every directory on the path must be owned by root and must not be writable by group or others. If any component fails this check, the sftp login is refused.
Inside it, create a folder with the same name as the user that will connect through sftp.
server1#mkdir sftp1
server1#ls -la
total 1
drwxr-xr-x 2 root root 4096 Jan 24 17:46 sftp1
This folder also has to be owned by root, for the same reason.
server1#cd sftp1
server1#pwd
/usergroupsftp/sftp1/
Inside it, create a folder owned by user sftp1 and group usergroupsftp. This is the only place the user can write, because the chroot directory itself is root-owned by design.
server1# mkdir new_folder
server1#chown sftp1:usergroupsftp new_folder
Files transferred through sftp will therefore be stored in:
server1#pwd
/usergroupsftp/sftp1/new_folder
CLIENT SIDE:
On the server from which you want to connect to the sftp server, create an SSH key pair for the user that will connect. In our example the user is user1.
server2#cd /home/user1
server2#ssh-keygen -t rsa
server2#ls .ssh
id_rsa id_rsa.pub
You have created the public part (id_rsa.pub) and the private part (id_rsa) of an RSA key pair. The public part has to be appended, as one single line, to the /home/sftp1/.ssh/authorized_keys file on server1. The private part stays on server2 and is never copied anywhere.
After you have inserted the public part (id_rsa.pub) of user1's key from server2 into /home/sftp1/.ssh/authorized_keys on server1, you can connect from server2 to server1 as user sftp1 through sftp!
server2#sftp sftp1@server1
And now you are connected to server1 using sftp!
To transfer files you have to change into the folder that user sftp1 has write permission on. If you don't, you will see something like this:
sftp> put 1.txt
Uploading 1.txt to /1.txt
remote open("/1.txt"): Permission denied
sftp> cd new_folder
sftp> put 1.txt
Uploading 1.txt to /new_folder/1.txt
1.txt
100% 0 0.0KB/s 00:00
sftp> ls
1.txt
It might seem confusing, but all of this can be done in less than 5 minutes. Just remember these steps:
- enable the sftp-server on server1
- create the user that will be used for sftp
- create the keys
- insert the public key
- folder settings
During setup I faced a few problems myself:
1. # sftp sftp1@server1
Permission denied (publickey).
Couldn't read packet: Connection reset by peer
The public key is not right: either it was not inserted correctly, or, if you typed it in by hand, a character is missing.
If you opened id_rsa.pub on Windows before transferring it to server1, Windows may have changed the line ending (the key is a single text line) and sshd will not read that line correctly. Also check that /home/sftp1/.ssh and authorized_keys are owned by sftp1 and not writable by anyone else; otherwise sshd ignores the file without any error on the client side.
2. sftp> put 1.txt
Uploading 1.txt to /1.txt
remote open("/1.txt"): Permission denied
You have no write permission: either you did not change the ownership of /usergroupsftp/sftp1/new_folder, or you did not create it, or you are trying to write directly into the chroot root, which is root-owned by design.
Check your sshd_config and the folder ownership.
3. If you see something like this in your logs
sshd[22047]: User sftp1 not allowed because account is locked
and your user complains that he cannot connect, you did not set a password for user sftp1, so the account is locked. Setting one unlocks it (password login is still refused, because of PasswordAuthentication no in the Match block):
server1#passwd sftp1