Difference between revisions of "SCP and SFTP"

From ArchWiki
Line 39: Line 39:
  # mkdir -p /etc/ssl/private
  # mkdir -p /etc/ssl/private
  # openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
  # openssl req -x509 -nodes -days 7300 -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Make it private:
Make it private:
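Review bot: the changed openssl req line adds -days 7300 but keeps -newkey rsa:1024, so the certificate is now valid for roughly 20 years on a key size that current guidance treats as too short (2048 bits is the usual minimum for RSA). Suggest raising the key size to rsa:2048 or larger in the same edit, or choosing a much shorter -days value so the key is rotated. Because -keyout and -out point at the same file, the private key lives in pure-ftpd.pem, and the "Make it private" chmod step that follows is the only thing protecting it; the text should say so.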

Revision as of 13:16, 12 February 2015

SFTP refers to various forms of (more or less) secure file transfer protocols. This article lists two examples and how to set them up.

SSH file transfer protocol

SSH file transfer protocol is an FTP-like protocol that allows secure file transfer and manipulation, encrypting both passwords and transferred data.

Setting up SSH file transfer protocol with OpenSSH

To set up SFTP you only need to install and configure OpenSSH. Once you have this running, SFTP is running too because the default configuration file enables it. Follow the instructions below for older configs.

Open /etc/ssh/sshd_config with your favorite editor and add this line if it does not already exist:

Subsystem sftp /usr/lib/ssh/sftp-server

Restart the sshd.service daemon.

And it should work. You can access your files with the sftp program or sshfs. Many standard FTP programs should work as well.

FTP over SSH

FTP over SSH encrypts passwords, unlike plain FTP. FTP over SSH is not really a true protocol; it is just SSH + FTP or TLS/SSL + FTP. Note that there are many ways to set this up. This is one of them.

This setup in particular (using pure-ftpd + TLS) encrypts usernames, passwords, commands and server replies, but does NOT encrypt the data channel. This also means that there is reduced performance cost on data transfer.

Setting up FTP with pure-ftpd

Install pure-ftpd from the AUR.

The configuration file is /etc/pure-ftpd.conf.

Start/Enable the pure-ftpd.service daemon.

Set up Certificates

Refer to the documentation for more information. The short version is this:

Create a Self-Signed Certificate:

# mkdir -p /etc/ssl/private
# openssl req -x509 -nodes -days 7300 -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Make it private:

# chmod 600 /etc/ssl/private/*.pem
Warning: Be aware that using 1024 bits in some countries is against the law. Choose 512 or less if unsure.

Enable TLS

Towards the bottom of /etc/pure-ftpd.conf you should find a section for TLS. Uncomment and change the TLS setting to 1 to enable both FTP and SFTP:

TLS             1

Now restart the pure-ftpd.service daemon and you should be able to log in with SFTP-enabled clients, e.g. FileZilla or SmartFTP.
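An added example (not part of the wiki page or of pure-ftpd) that audits the two things configured above: the TLS level in the configuration file and the mode of the combined key and certificate file. It goes beyond the page by using levels 2 and 3 from pure-ftpd's documentation; the sample configuration and temporary paths are constructed, and treating an absent TLS directive as "off" is an assumption.

```shell
#!/bin/sh
# Added example: audit the pure-ftpd TLS level and the key file mode.

# Print the value of the first uncommented "TLS" directive, or "unset".
tls_mode() {
    awk '$1 == "TLS" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Describe a TLS level, following the 0-3 levels documented by pure-ftpd.
# Assumption: an absent directive means the default, TLS off.
describe_tls() {
    case "$1" in
        0|unset) echo "TLS off: logins and data are cleartext" ;;
        1) echo "TLS optional: cleartext sessions are still accepted" ;;
        2) echo "TLS required on the control channel only" ;;
        3) echo "TLS required on control and data channels" ;;
        *) echo "unrecognised value" ;;
    esac
}

# Succeed only if the combined key+certificate file has mode 600.
pem_is_private() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# audit <conf> <pem>: print findings, return 1 if anything is weak.
audit() {
    mode=$(tls_mode "$1"); rc=0
    echo "TLS $mode: $(describe_tls "$mode")"
    case "$mode" in 2|3) ;; *) rc=1 ;; esac
    if ! pem_is_private "$2"; then
        echo "$2 does not have mode 600"; rc=1
    fi
    return "$rc"
}

# Constructed sample input, written to a temporary directory.
tmp=$(mktemp -d)
printf '%s\n' '# TLS 0' 'TLSCipherSuite HIGH' 'TLS             1' \
    > "$tmp/pure-ftpd.conf"
: > "$tmp/pure-ftpd.pem"; chmod 644 "$tmp/pure-ftpd.pem"
audit "$tmp/pure-ftpd.conf" "$tmp/pure-ftpd.pem" || echo "findings reported"
```

On a real host, run `audit /etc/pure-ftpd.conf /etc/ssl/private/pure-ftpd.pem` as root after sourcing the functions.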

See also