SFTP For Business Use
What is SFTP?
The most frequent question I received from management was: "What is SFTP?" In essence, SFTP is an interactive file transfer program, similar to FTP, except that SFTP performs all operations in an encrypted manner. It utilizes public key authentication and compression. It connects and logs into a specified host, then enters an interactive command mode. Utilizing SFTP requires the installation of the OpenSSH suite of tools. OpenSSH encrypts all traffic (including passwords) to reduce the likelihood of eavesdropping and connection hacking.
Why not just use FTP?
The major reason for implementing SFTP versus FTP is security. FTP is not even remotely secure. During an FTP session, your username and password are transmitted in clear text. If someone is eavesdropping, it is not difficult for them to log your FTP username and password.
Installation Steps
Please note that I assume that you will be using Linux to host your SFTP server. It is possible to do this through Windows, using Cygwin.
The remainder of this article will be generalized installation and setup instructions for creating an SFTP system. There are many "howtos" available on the Internet; however, most do not include restricting the user's login shell or using a client to establish an SFTP session with your SFTP server. This instruction set will include:
- Setup and configuration for OpenSSH
- Building a restricted shell for users using RSSH
- Implementing an interface for your SFTP server
Setup and Configuration for OpenSSH
Step 1 – Configure your client SSH configuration file
Using your favorite editor, open thessh_config file. This
is usually found in /etc/ssh_conf. In most cases, this
file can be left as its default; however, you can change it to affect
each user's session.
Step 2 – Configure your server SSH configuration file
-
Using your favorite editor, open the sshd_config file. This is
usually found in
/etc/sshd_conf. -
There is only one change that needs to be made to this file to enhance
security. You must make sure that the Authentication section of the
file has the following values set:
# Authentication: LoginGraceTime 1m # only need 1 minute to allow login time PermitRootLogin no # do not allow root login #StrictModes yes # default is yes – this should stay MaxAuthTries 3 # set max tries to 3 (default is 6) - All other settings are okay for the SFTP environment.
- Start your SSH service and set it to run by default. This will
differ from flavor to flavor; I use Gentoo.
/etc/init.d/sshd start # this will start your ssh service -
Now, let's test your sftp connection by logging in as a
user of the system. If you do not have a user created on the system
other than root, create one now.
$ sftp joeblow@localhost RSA keyfingerprint is ***********************. Are you sure you want to continue connecting (yes/no)? -
After you have said "yes" to the above, your sftp connection will be
established, and you will have the following prompt waiting:
sftp> -
As with FTP, you can use the
getandputcommands; we will not be interacting at the commandline with the SFTP server, but you can.
Step 3 – Build a restricted shell for users using RSSH
- Install RSSH. If you are using Gentoo, you can emerge the rssh package.
- After installation, you need to add
rsshto the list of allowed shells.$ echo /usr/bin/rssh >> /etc/shells - You'll need to edit the
/etc/rssh.conffile to allow chrooting and sftp:logfacility = LOG_USER allowsftp umask = 022 chrootpath="/home" -
You must build a chroot environment for rssh. You'll have to copy
some files to the
/homedirectory to make it work properly:$ cd /home $ mkdir -p usr/bin $ cp /usr/bin/sftp usr/bin $ cp /usr/bin/rssh usr/bin $ mkdir -p usr/libexec $ cp /usr/libexec/rssh_chroot_helper usr/libexec $ mkdir -p usr/lib/misc $ cp /usr/lib/misc/sftp-server usr/lib/misc -
You'll need to copy the dependencies of the above files. To do this
properly, you'll need to use the ldd command to list the dependencies
needed:
$ ldd /usr/bin/sftp libresolv.so.2 => /lib/libresolv.so.2 (0xb7fc5000) libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ece000) libutil.so.1 => /lib/libutil.so.1 (0xb7eca000) libz.so.1 => /lib/libz.so.1 (0xb7eba000) libnsl.so.1 => /lib/libnsl.so.1 (0xb7ea5000) libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e78000) libc.so.6 => /lib/libc.so.6 (0xb7d68000) libdl.so.2 => /lib/libdl.so.2 (0xb7d64000) /lib/ld-linux.so.2 (0xb7feb000) -
You'll need to make directories for the above dependencies and copy
the libs needed for SFTP:
$ mkdir lib $ cp /lib/<dependency> $ mkdir -p usr/lib $ cp /usr/lib/<dependency> - The above actions will need to be repeated for:
$ ldd /usr/bin/rssh $ ldd /usr/libexec/rssh_chroot_helper $ ldd /usr/lib/misc/sftp-server -
Once finished, you can add a user or modify a user. You must make
sure that when you add or modify, you set the user's shell to
/usr/bin/rssh.
Step 4 - Implementing an interface for your SFTP server
Having non-technical individuals interface with your SFTP server via the commandline isn't the best way. You will want to utilize a third party tool. There are two main ways you can work with your SFTP server from the client side:
- WinSCP
- This is a free Windows-based sftp client. It is a great tool because it works the same as most FTP clients.
- A Web-based interface
- Using a Web-based interface is by far the best way to allow interaction with your SFTP server. The downside to this is that it is not free. If you choose this route, I would recommend looking at JScape's SFTP applet.
Problems with the system
As with implementing any type of technology, there are always limits.
The limit to SFTP is that the users cannot be virtual users as they were
with FTP. Each user that interacts with the system must have her own
account. (Don't worry; this is why you create the restricted shell and
only give them access to the sftp command.)
If you choose to implement the client side using a Web-based client, you should consider having the client interface with a user database for authentication. The reason for this is that Web-based SFTP clients such as JScape offer the ability to further restrict individuals to a specified directory. In essence, you could have a table that contains the username, password, and user's home directory. When the user logs in using the Web client, the table is queried and the user is logged in based on her record in the database. This is more work on your part, but it gives the users the feeling of a well-integrated system.
Conclusion
SFTP and OpenSSH are great solutions for providing a secured file transfer system. The system takes time to implement, but the return on investment is very apparent... no eavesdropping or hacked FTP.
Just my $.02
Wouldn't it make more sense to use a 'standard' protocol like FTPS instead of just tunneling an insecure protocol inside SSH? This would give you also the opportunity to use real certificates! (Hm, but wasn't there a patch for SSH to use 'real' certificates?)
As the subject states: Just my $.02....
webdav over https
Why not using webdav secured by https for file transfer?
You have:
-certificates
-all authentications modules support by apache (kerberos/mysql/etc), restrictions by ip, etc
-no need to use a different port than https
-no need to (restricted) shell access
-the client is in the default install of the 3 majors oses
- there is crypto hardware accelerator
- no need to administer a new service
- and many more.
Re: Just my $.02
sftp is no less secure than ssh is.
Is ssh unsecure?
Re: webdav over https
> Why not using webdav secured by https
> for file transfer?
> You have:
> -certificates
> -all authentications modules support by
> apache (kerberos/mysql/etc),
> restrictions by ip, etc
> -no need to use a different port than
> https
> -no need to (restricted) shell access
> -the client is in the default install of
> the 3 majors oses
> - there is crypto hardware accelerator
> - no need to administer a new service
> - and many more.
-------
Well, the biggest reason I didn't use Webdav in the manner you speak of is because of the user-base of the system. This system supports about 2500 users and we needed to use an intellegent protocol. What I mean by that is if you use SFTP or FTP to transfer files it creates a two-way communication link between client and server. If the client drops connection the server is intellegent enough to say..wait, I just lost connection..and it will retry for up to about 5 minutes. Therefore, if connection drops with the client the file upload session can continue.
Now, if you use HTTP or HTTPS to transmit files it is only a one-way communication. The client sends the file and doesn't care if it makes it or not.
So, for QA purposes we had to choose a protocol that was capable of intellegent communication. If we didn't need to do that...you better bet I would have done it Webdav....much simpler.
Re: Just my $.02
Not sure what you mean by tunneling an insecure protocol inside SSH....SFTP is part of the OpenSSH standard. Along with SSH you have capabilities to use commands such as SCP, SFTP, etc. So....SFTP is very secure because each packet is encrypted and compressed while sending is taking place.
John Norden
FTP over SSL vs. FTP over SSH
What was the reason to use sftp and not ftps? I'm also using sftp and I haven't used FTP over SSL so far.
Re: webdav over https
oki, i didn't know that, i thought that the webdav client know when the transfer wasn't succesfull, and could reconnect and only fetch the missing part, a bit like the "continue" option of wget.
Re: FTP over SSL vs. FTP over SSH
> What was the reason to use sftp and not
> ftps? I'm also using sftp and I haven't
> used FTP over SSL so far.
ftps (ftp with ssl) is possible with most popular unix ftp servers (ie proftpd) but support on the client side is horrible; it's not easy to find proper ftp clients which can do ssl. Especially not for OSX. On Linux I only found a few command line ftp programs which can do ssl.
Ricardo.
Re: FTP over SSL vs. FTP over SSH
That is the exact reason why. Finding client support is not easy, not to mention the client I ended up implementing as JScapes SFTP applet so using SFTP kinda fell in place. Also, another issue I ran into was that the Mac platform wouldn't support JScapes client unless it was OSX 10.3 or higher.
uuuuuugh.. don't tell people WinSCP
its such a huge hunk of junk. Filezilla is a great transfer client and fully supports sftp.
Re: FTP over SSL vs. FTP over SSH
If you are interested, there are two products available from
Glub Tech. One allows for a generic FTP server to support
SSL, Secure FTP Wrapper. The other is a client
that allows for FTPS connections, Secure FTP. Both are
written in Java so the support for multiple platforms are
inherent.
Re: FTP over SSL vs. FTP over SSH
> If you are interested, there are two
> products available from
> Glub Tech. One allows for a generic FTP
> server to support
> SSL, Secure FTP Wrapper. The other is a
> client
> that allows for FTPS connections, Secure
> FTP. Both are
> written in Java so the support for
> multiple platforms are
> inherent.
I tried the client before, but it doesn't work with my proftpd SSL setup. I think this is because it only supports implicit SSL. I have no idea what that is, but that is the other issue with ftp/ssl : it's a really shady standard and hardly documented.
Also, Glubtech stuff isn't opensource, which was a requirement in my project.
Ricardo.
That's the hard way...
Most FTP Servers support FTP over SSL or TLS authentication natively. CoreFTP (Windows) is a good FTP client that can handle SSL and TLS authentication or transfer. The light version is free.
Setting up secure FTP transfers is much easier than this article makes out.
Re: That's the hard way...
> Most FTP Servers support FTP over SSL or
> TLS authentication natively. CoreFTP
> (Windows) is a good FTP client that can
> handle SSL and TLS authentication or
> transfer. The light version is free.
>
> Setting up secure FTP transfers is much
> easier than this article makes out.
You are correct to an extent. Remember, anytime you are in a production environment, the requirements set the tone of the project. Within the requirements was a web-based client interface that the user could use instead of one they had to install.
Nice job
Thanks for posting your tutorial. If only more peeps would consider security when doing transactions. Better yet security in a NON-proprietary way! It's just a matter of time before the virtual sftp user will happen, I'm sure. Good job.
Difference between SCP and SFTP?
Maybe i'm just to stupid but are those to the same or different Protocols?
But thanks for the chroot ssh part of the tutorial, it helped me a lot.
Re: Difference between SCP and SFTP?
> Maybe i'm just to stupid but are those
> to the same or different Protocols?
>
> But thanks for the chroot ssh part of
> the tutorial, it helped me a lot.
>
FTP is a (separate, obsolete) protocol for file transfer. It has no encryption, and cannot unless the client and server agree beforehand on a separate encryption layer -- in which case the encryption has nothing to do with FTP.
SSH is a protocol for encrypted network sessions. The common use for this is remote command shells, but a file transfer can be done using (among others) SFTP, a command protocol carried over SSH and designed to look like FTP.
They are completely separate protocols, with separate feature sets and requiring completely separate programs (both for client and server), but SFTP is designed to allow the user to use it as though it was FTP.
Re: Difference between SCP and SFTP?
> Maybe i'm just to stupid but are those
> to the same or different Protocols?
>
> But thanks for the chroot ssh part of
> the tutorial, it helped me a lot.
>
Very nice tutorial this helped me really a lot
thanks for the tutorial
Re: Just my $.02
oki, i didn't know that, i thought that the webdav client know when the
transfer wasn't succesfull, and could reconnect and only fetch the missing part,
a bit like the "continue" option of wget
s (animesexporn.filthserv... (familysexporn.filthser... (hardcoresexporn.filths... (parishiltonsex.filthse... (freestories.filthserve... (freesexporn.filthserve... (groupsexporn.filthserv... (hotsexporn.filthserver... (freevideos.filthserver... (youngsexgirls.filthser... (www.geocities.com/efre...)
thank you
Backup to SFTP
Recently was released new windows backup utility (www.backup-premium.com) for backup to unix SFTP servers.
It also works with different Windows SFTP programs.
Just for your information.
sftp server accessible only through internal IP
I have an sftp server with my webhost, and they tell me that I can only access my sftp server though an internal IP address, which means that I have to log in to my webserver first, and through SSH log in to the sftp server. Has anyone heard of this? I know very little SSH and have no idea how to do this. help!