Before we start, some basics. SFTP (SSH File Transfer Protocol, or Secure File Transfer Protocol) is, as already said, a file transfer protocol. It uses some of the functions of the SSH protocol to transfer and manage files remotely.
In this post, the first of a little series, I will create an SFTP-only server on a remote machine. So, the requirements are:
- A list of users with an SFTP only access;
- An account with SSH access;
- For security purposes, I should disable SSH root access.
I personally invite you to read the whole article before you start typing commands as fast as you can. You cannot know whether I wrote a mortally wrong command!!
First, I need to install OpenSSH Server. Personally, I prefer to install new packages via apt-get. Here are the commands:
apt-get update
apt-get install openssh-server
Once installed, it's time for some configuration. Open /etc/ssh/sshd_config with your favorite command-line editor (I use vi).
I won't put the whole configuration file here. Let's just say that by default your current user can do the following:
- Via SSH remotely using password authentication
- Via SFTP remotely using password authentication
Problem is, EVERY user can do BOTH. That's not what I want. So, I started by setting the following lines (note that the keyword is PermitEmptyPasswords, plural; sshd rejects the whole file with "Bad configuration option" if it is misspelled):
PermitEmptyPasswords no
PasswordAuthentication no
This way I disable remote access with an empty password (at least you have to know my password to break through!) and I explicitly disable password authentication. If you are working remotely, DO NOT RESTART SSH!!!!! Otherwise, you will be totally unable to access your server.
Next, I want to allow some users to use only SFTP. In theory, you should already have the following line by default:
Subsystem sftp /usr/lib/openssh/sftp-server
I will talk about the Subsystem option in detail in another post. Let's just say that with this line you can invoke /usr/lib/openssh/sftp-server (some kind of SFTP-limited shell).
It's time to use a great piece of the OpenSSH configuration: the Match option. You can use Match to set some options only for users matching a condition. Remember to put this option at the end of the file. A classic example, and appropriate for our requirements, is:
Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
PasswordAuthentication yes
This means that every user connecting to our server who belongs to the group sftponly will be:
- confined to their home directory (ChrootDirectory %h; I will explain this feature better in another post);
- forced to use the internal SFTP subsystem (ForceCommand internal-sftp); that means they will never be able to run SSH commands, they can only transfer files;
- unable to forward connections (AllowTcpForwarding no and X11Forwarding no);
- allowed to connect using username and password (PasswordAuthentication yes).
With ForceCommand I have obtained the first goal, a list of users with SFTP-only access, and with PasswordAuthentication I enabled password authentication for these users. For completeness, I added ChrootDirectory, because it is basic security not to allow SFTP-only users to put, read or get files in or from any directory. I also added AllowTcpForwarding no and X11Forwarding no, just because you find this form all over the internet and it seems that leaving forwarding enabled is a security problem. As far as I understood, it's to prevent some risky connection possibilities. Here is some explanation:
To reach the second goal, I'm adding another Match option:
Match group sshuser
PasswordAuthentication yes
X11Forwarding no
AllowTcpForwarding no
I chose to just allow password authentication, because I need the users in this group to manage the server, so they need complete access.
I know I said I needed just one account to remotely access the server via SSH, but this way I can scale easily in case I have, let's say, another system administrator to grant access to.
Anyway, save and exit the file.
Now, let's create groups and users, and restart ssh. In a bash command line (both groups must exist before usermod can add anyone to them, and useradd needs -m to create the home directory that ChrootDirectory %h points to):
# sudo groupadd sftponly
# sudo groupadd sshuser
# sudo useradd -m -G sftponly usersftp1
# sudo useradd -m -G sftponly usersftp2
# sudo usermod -a -G sshuser myuser
# sudo passwd usersftp1
# sudo passwd usersftp2
Et voilà! Some users with SFTP-only access and one user (mine, specifically ;) ) with SSH access, all with password authentication. 2 out of 3.
Last step, disable root access via SSH. Luckily, sshd_config has a simple option for this. Reopen /etc/ssh/sshd_config and put this line BEFORE both Match blocks (or edit it, if already present):
PermitRootLogin no
Please, BE ABSOLUTELY SURE THAT YOU ARE NOT LOGGED IN AS ROOT. If you are, you should log out and log in as another user. Maybe myuser, since you are sure it can access via SSH. Oh, now that I remember, stop using root. It's for your own sake.
Are you logged in as someone other than root? Possibly with your myuser?
Are you sure?
Ok, now you can restart the service:
# sudo service ssh restart
Some last advice:
Yes, test that everything works as you expect. Test that you can log in with your myuser. Test that you CANNOT log in as root. Test that you can access via SFTP with both usersftp1 and usersftp2 and that you can transfer a file. Test that you CANNOT access via SSH with those two users. Test everything you can think of at least once.
Et voilà! Server ready to use! Notice that the server is ready to use AFTER I tested everything.
Some last useful references to improve your knowledge: