The most frequent question I received from management was: "What is SFTP?" In essence, SFTP is an interactive file transfer program, similar to FTP, except that SFTP performs all operations over an encrypted channel. It can use public key authentication and compression. It connects and logs into a specified host, then enters an interactive command mode. Utilizing SFTP requires the installation of the OpenSSH suite of tools. OpenSSH encrypts all traffic (including passwords) to reduce the likelihood of eavesdropping and connection hijacking.
The major reason for implementing SFTP versus FTP is security. FTP is not even remotely secure. During an FTP session, your username and password are transmitted in clear text. If someone is eavesdropping, it is not difficult for them to log your FTP username and password.
Please note that I assume that you will be using Linux to host your SFTP server. It is possible to do this through Windows, using Cygwin.
The remainder of this article will be generalized installation and setup instructions for creating an SFTP system. There are many "howtos" available on the Internet; however, most do not include restricting the user's login shell or using a client to establish an SFTP session with your SFTP server. This instruction set will include:
Edit the ssh_config file. This is usually found in /etc/ssh_conf. In most cases, this file can be left at its defaults; however, you can change it to affect each user's session.
# Authentication:
# only need 1 minute to allow login time
LoginGraceTime 1m
# do not allow root login
PermitRootLogin no
# default is yes - this should stay
#StrictModes yes
# set max tries to 3 (default is 6)
MaxAuthTries 3
# this will start your ssh service
/etc/init.d/sshd start
$ sftp joeblow@localhost
RSA key fingerprint is ***********************.
Are you sure you want to continue connecting (yes/no)?
Once connected, files are transferred with the get and put commands; we will not be interacting at the command line with the SFTP server, but you can.
Add rssh to the list of allowed shells:
$ echo /usr/bin/rssh >> /etc/shells
Edit the /etc/rssh.conf file to allow chrooting and sftp:
logfacility = LOG_USER
allowsftp
umask = 022
chrootpath = "/home"
Copy the binaries the chroot needs into the /home directory to make it work properly:
$ cd /home
$ mkdir -p usr/bin
$ cp /usr/bin/sftp usr/bin
$ cp /usr/bin/rssh usr/bin
$ mkdir -p usr/libexec
$ cp /usr/libexec/rssh_chroot_helper usr/libexec
$ mkdir -p usr/lib/misc
$ cp /usr/lib/misc/sftp-server usr/lib/misc
Each binary also needs the shared libraries it is linked against. Use ldd to list them:
$ ldd /usr/bin/sftp
libresolv.so.2 => /lib/libresolv.so.2 (0xb7fc5000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ece000)
libutil.so.1 => /lib/libutil.so.1 (0xb7eca000)
libz.so.1 => /lib/libz.so.1 (0xb7eba000)
libnsl.so.1 => /lib/libnsl.so.1 (0xb7ea5000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e78000)
libc.so.6 => /lib/libc.so.6 (0xb7d68000)
libdl.so.2 => /lib/libdl.so.2 (0xb7d64000)
/lib/ld-linux.so.2 (0xb7feb000)
Copy each listed library into the chroot at the same path it has on the host:
$ mkdir lib
$ cp /lib/<dependency> lib
$ mkdir -p usr/lib
$ cp /usr/lib/<dependency> usr/lib
Repeat the check for the other binaries and copy their dependencies the same way:
$ ldd /usr/bin/rssh
$ ldd /usr/libexec/rssh_chroot_helper
$ ldd /usr/lib/misc/sftp-server
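The ldd-and-copy steps above, generalized into a script that installs each binary and every library ldd reports into the chroot at the same absolute path. This is an added example, not part of the original article; the function names are my own, it assumes a Linux host with ldd, and it must run as root to write under /home.

```shell
#!/bin/sh
# Populate an rssh/sftp chroot with binaries and their shared libraries.
set -eu

# Read ldd output on stdin and print one library path per line.
# Handles "name => /path (addr)" lines, the loader line "/lib/ld-linux.so.2 (addr)"
# which has no "=>", and skips virtual libraries such as linux-gate.so.1
# whose "=>" is followed by no path.
parse_ldd_deps() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one file into the chroot, recreating its directory.
# cp follows symlinks, so /lib/libz.so.1 lands as a regular file
# under that name, which is what the dynamic loader looks for.
copy_into_chroot() {
    chroot_dir=$1; src=$2
    mkdir -p "$chroot_dir$(dirname "$src")"
    cp -p "$src" "$chroot_dir$src"
}

# Install each binary plus its ldd-reported dependencies into the chroot.
install_into_chroot() {
    chroot_dir=$1; shift
    for bin in "$@"; do
        copy_into_chroot "$chroot_dir" "$bin"
        ldd "$bin" | parse_ldd_deps | while read -r lib; do
            copy_into_chroot "$chroot_dir" "$lib"
        done
    done
}

# Usage (as root): sh populate_chroot.sh /home /usr/bin/sftp /usr/bin/rssh \
#     /usr/libexec/rssh_chroot_helper /usr/lib/misc/sftp-server
if [ "$#" -ge 2 ]; then
    install_into_chroot "$@"
fi
```

Re-run it after any OpenSSH or rssh upgrade, since the copies in the chroot do not follow package updates.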
Having non-technical individuals interface with your SFTP server via the command line isn't the best way. You will want to utilize a third-party tool. There are two main ways you can work with your SFTP server from the client side:
As with implementing any type of technology, there are always limits. The limit to SFTP is that the users cannot be virtual users as they were with FTP. Each user that interacts with the system must have her own account. (Don't worry; this is why you create the restricted shell and only give them access to the
If you choose to implement the client side using a Web-based client, you should consider having the client interface with a user database for authentication. The reason for this is that Web-based SFTP clients such as JScape offer the ability to further restrict individuals to a specified directory. In essence, you could have a table that contains the username, password, and user's home directory. When the user logs in using the Web client, the table is queried and the user is logged in based on her record in the database. This is more work on your part, but it gives the users the feeling of a well-integrated system.
SFTP and OpenSSH are great solutions for providing a secured file transfer system. The system takes time to implement, but the return on investment is very apparent... no eavesdropping or hacked FTP.