Sftp server

From gr0x0rd

References:

https://qiita.com/alokrawat050/items/fcbf86aaf7de34aacba5

https://askubuntu.com/questions/324503/2-sshd-configurations-1-for-internal-and-1-external

Ensure the openssh-server and ssh packages are installed.

Add the desired user account. Configure the password and store it in the vault.

$ sudo adduser sftp_user

Create the file transfer directory if it is needed.

$ sudo mkdir -p /var/www/testsite/data

Set the directory permissions for the root folder. sshd will only chroot into a directory that is owned by root and not writable by group or other, and the same must hold for every parent directory on the path.

$ sudo chown root:root /var/www/testsite
$ sudo chmod 755 /var/www/testsite

Set the ownership of the data folder so the sftp account can write into it.

$ sudo chown sftp_user:sftp_user /var/www/testsite/data

Create a second sshd instance from copies of the existing config file and systemd unit.

$ sudo cp /etc/ssh/sshd_config /etc/ssh/sftp_config
$ sudo cp /lib/systemd/system/ssh.service /lib/systemd/system/sftp.service

Configure the new instance to read the new config file.

$ sudo nano /lib/systemd/system/sftp.service

Ensure the following configuration:

ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sftp_config
...
Alias=sftp.service

Make the necessary changes to the config file.

$ sudo nano /etc/ssh/sftp_config

Set the port as appropriate; it must differ from the port the main sshd instance listens on. Example for password auth:

Port <your_port_number>
...
Match User sftp_user
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/www/testsite
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Example for shared key auth (RSAAuthentication is a legacy protocol 1 option that current OpenSSH releases ignore with a deprecation warning; PubkeyAuthentication is the directive that takes effect):

Port <your_port_number>
...
Match User sftp_user
ForceCommand internal-sftp
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChrootDirectory /var/www/testsite
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Enable and start the service.

$ sudo systemctl enable sftp.service
$ sudo systemctl start sftp.service

Optional: use telnet to confirm the service is now running on the desired port.

Open the CSF firewall configuration.

$ sudo nano /etc/csf/csf.conf

Ensure that the port you configured for the service above is listed in the TCP_IN and TCP_OUT sections of the file. When done, restart the firewall.

$ sudo systemctl restart csf
$ sudo csf -r
$ sudo systemctl restart lfd

Use the Ssh_keypair_setup documentation to set up a keypair for the sftp_user account. Make sure the user account owns the .ssh folder and that its permissions are set to 700. Also make sure the account owns the authorized_keys file and that its permissions are set to 600.