Difference between revisions of "SCP and SFTP"

From ArchWiki

Revision as of 19:59, 20 January 2013

The name SFTP is used loosely for several (more or less) secure file transfer protocols. This article covers two of them and how to set them up: the SSH File Transfer Protocol, which runs inside an SSH session, and FTP with TLS as served by pure-ftpd. The two share nothing but the name: an SFTP client cannot talk to an FTP/TLS server and vice versa.

SSH file transfer protocol

SSH file transfer protocol is an FTP-like protocol for transferring and manipulating files. It runs as a subsystem of an SSH connection, so authentication, passwords and the transferred data are all protected by SSH's encryption; it does not use FTP on the wire at all.

Setting up SSH file transfer protocol with OpenSSH

To set up SFTP you only need to install and configure OpenSSH. Once that is running, SFTP is running too, because the default sshd_config enables the sftp subsystem. Follow the instructions below only for older configuration files that lack it.

1. Open /etc/ssh/sshd_config with your favorite editor and add this line:

Subsystem sftp /usr/lib/ssh/sftp-server

2. Restart the SSH daemon with:

# systemctl restart sshd.service

And it should work. You can access your files with the sftp program or sshfs. Many graphical FTP clients also speak SFTP; select SFTP (the SSH port, 22 by default) in the client rather than FTP.
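As an added example (not part of the ArchWiki page or of OpenSSH itself), the POSIX shell functions below check which command an sshd_config actually assigns to the sftp subsystem, which is the quick way to tell whether step 1 is needed, and print a Match block that confines members of one group to SFTP-only, chrooted access, which is what you usually want for accounts that exist only to exchange files. The group name sftponly, the chroot path /srv/sftp and the sample configuration are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or the OpenSSH project.
# Group name "sftponly" and chroot path /srv/sftp are assumptions.

# Print the command configured for the "sftp" subsystem in an sshd_config,
# or "none" if there is no active "Subsystem sftp ..." line.
# sshd keywords are case-insensitive; for settings outside Match blocks the
# first value wins, and Subsystem is not permitted inside a Match block, so
# scanning stops at the first Match line. Commented-out lines are ignored.
sftp_subsystem_of() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "subsystem" && tolower($2) == "sftp" {
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i
            print cmd; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Print a Match block that limits members of group "$1" to the in-process
# SFTP server inside a per-user chroot. sshd requires the chroot directory
# and every parent of it to be root-owned and not group/world-writable, so
# give each user a writable subdirectory (e.g. /srv/sftp/<user>/upload).
# internal-sftp needs no binaries inside the chroot, unlike sftp-server.
sftp_only_match_block() {
    cat <<EOF
Match Group $1
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Demonstration on a constructed sshd_config (not a real host's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Subsystem sftp /usr/lib/ssh/sftp-server   (commented out, so ignored)
Port 22
subsystem sftp internal-sftp -l INFO
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
echo "sftp subsystem: $(sftp_subsystem_of "$demo_conf")"   # internal-sftp -l INFO
rm -f "$demo_conf"
sftp_only_match_block sftponly
```

Because everything after a Match line belongs to that block until the next Match or end of file, the generated block must go at the end of /etc/ssh/sshd_config, after the Subsystem line. Create the group and each user's chroot tree first, check the file with `sshd -t`, and only then `systemctl restart sshd.service`.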

FTP over SSH

FTP over SSH is not really a protocol of its own: it is either plain FTP tunnelled through SSH, or FTP with its control connection upgraded to TLS (the AUTH TLS extension, usually called FTPS). Either way the password no longer crosses the wire in cleartext as it does with plain FTP. There are many ways to set this up; the one described here is the TLS variant, not an SSH tunnel.

This particular setup (pure-ftpdAUR + TLS, with the TLS setting at 1) encrypts usernames, passwords, commands and server replies, but does not require the data channel to be encrypted, so file contents may still travel in cleartext unless the client asks for data encryption. That is also why transfers cost less CPU than with SFTP. pure-ftpd's README.TLS documents stricter levels: 2 refuses cleartext logins, and 3 additionally forces data connections to be encrypted.

Setting up FTP with pure-ftpd

Install pure-ftpdAUR as directed in this wiki article.

Then you can go ahead and edit the configuration file:

# vi /etc/pure-ftpd.conf

You can start and stop the pure-ftpd daemon with:

# rc.d start pure-ftpd
# rc.d stop pure-ftpd
# rc.d restart pure-ftpd

and you can set it to automatically start by adding it to the daemons list in /etc/rc.conf.

Set up Certificates

Refer to README.TLS (http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS) for more information. The short version is this:

1. Create a self-signed certificate. The private key and the certificate are written to one and the same file, which is the layout pure-ftpd expects and the path it looks in by default:

# mkdir -p /etc/ssl/private
# openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout \
 /etc/ssl/private/pure-ftpd.pem \
 -out /etc/ssl/private/pure-ftpd.pem

2. Make it private:

# chmod 600 /etc/ssl/private/*.pem

3. Use at least 2048 bits. 1024-bit RSA keys are considered too weak today and 512-bit keys can be factored with modest resources, so a smaller key does not make the server safer, whatever older guides say.

Enable TLS

Towards the bottom of /etc/pure-ftpd.conf you should find a section for TLS. Uncomment the TLS setting and set it to 1, which accepts both cleartext and TLS sessions; set it to 2 to refuse cleartext logins, or to 3 to also require encrypted data connections:

TLS             1

Now restart the pure-ftpd daemon and you should be able to log in with clients that support FTP over TLS, usually labelled "explicit FTP over TLS" or FTPES (e.g. FileZilla, SmartFTP). This is still FTP, so connect to port 21, not to the SSH port 22; an SFTP client cannot talk to this server.
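As an added example (not from the ArchWiki page or from pure-ftpd), the shell functions below carry the certificate and TLS steps above through with safe defaults: they generate the key and certificate into one PEM file with a 2048-bit key and owner-only permissions, read the TLS level from a pure-ftpd.conf, and say which weaknesses remain at that level. The level meanings follow README.TLS; the certificate subject, the 365-day lifetime, the temporary paths and the sample configuration are assumptions, and the openssl step runs only if openssl is installed.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or the pure-ftpd project.
# Certificate subject, lifetime and the sample pure-ftpd.conf are assumptions.

# Create a self-signed certificate and its private key in ONE PEM file, which
# is the layout pure-ftpd expects. 2048-bit RSA is the floor today; 1024-bit
# keys are deprecated and 512-bit keys are cheaply factorable.
make_pure_ftpd_cert() {
    pem=$1
    mkdir -p "$(dirname "$pem")"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=ftp.example.org" \
        -keyout "$pem" -out "$pem" 2>/dev/null || return 1
    chmod 600 "$pem"                              # the file holds the private key
    chown root:root "$pem" 2>/dev/null || true    # no-op when not running as root
}

# Print the TLS level set by the last active "TLS n" line in a pure-ftpd.conf,
# or 0 when no such line exists (TLS is off unless configured).
# Commented lines start with "#", so their first field never equals "tls".
pure_ftpd_tls_level() {
    awk 'tolower($1) == "tls" && $2 ~ /^[0-3]$/ { lvl = $2 }
         END { print lvl + 0 }' "$1"
}

# Print one line per weakness that remains at the configured level; prints
# nothing at level 3. Per README.TLS: 0 = no TLS, 1 = cleartext or TLS
# accepted, 2 = TLS required on the control channel, 3 = TLS required on
# both the control and the data channel.
pure_ftpd_tls_warnings() {
    case $(pure_ftpd_tls_level "$1") in
        0) echo "TLS off: credentials and file data cross the wire in cleartext" ;;
        1) echo "cleartext logins still accepted; data channel encrypted only if the client asks (PROT P)" ;;
        2) echo "data channel encrypted only if the client asks (PROT P)" ;;
    esac
}

# Demonstration on a constructed config (not a real host's file).
demo_conf=$(mktemp)
printf '# TLS                      0\nTLS                      1\n' > "$demo_conf"
echo "TLS level: $(pure_ftpd_tls_level "$demo_conf")"   # 1
pure_ftpd_tls_warnings "$demo_conf"
rm -f "$demo_conf"

# Certificate generation into a throwaway directory, skipped without openssl.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    if make_pure_ftpd_cert "$demo_dir/pure-ftpd.pem"; then
        ls -l "$demo_dir/pure-ftpd.pem"
    fi
    rm -rf "$demo_dir"
fi
```

On a real server run `make_pure_ftpd_cert /etc/ssl/private/pure-ftpd.pem` as root, set TLS to 2 or 3 in /etc/pure-ftpd.conf unless cleartext clients must keep working, and restart the daemon; `pure_ftpd_tls_warnings /etc/pure-ftpd.conf` printing nothing is the state to aim for.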