Difference between revisions of "SCP and SFTP"

From ArchWiki

m (prefer using /var/lib/jail rather than /var/jail)

(57 intermediate revisions by 14 users not shown)

Previous revision (the text below was removed or rewritten; the current revision follows it)

Introduction

SFTP refers to various forms of (more or less) secure file transfer protocols. This article lists two examples and how to set them up.

SSH file transfer protocol

SSH file transfer protocol (http://en.wikipedia.org/wiki/SSH_file_transfer_protocol) is an FTP-like protocol that allows secure file transfer and manipulation, encrypting both passwords and transferred data.

Setting up SSH file transfer protocol with OpenSSH

To set up SFTP you only need to install and configure OpenSSH. Once you have this running, SFTP is running too because the default configuration file enables it. Follow the instructions below for older configs.

1. Open /etc/ssh/sshd_config with your favorite editor and add this line:

  Subsystem sftp /usr/lib/ssh/sftp-server

2. Restart the SSH daemon with:

# rc.d restart sshd

And it should work. You can access your files with the sftp program or sshfs. Many standard FTP programs should work as well.

FTP over SSH

FTP over SSH (http://en.wikipedia.org/wiki/FTP_over_SSH#FTP_over_SSH_.28not_SFTP.29) encrypts passwords, unlike plain FTP. FTP over SSH is not really a true protocol; it is just SSH + FTP or TLS/SSL + FTP. Note that there are many ways to set this up. This is one of them.

This setup in particular (using pure-ftpd (AUR) + TLS) encrypts usernames, passwords, commands and server replies, but does NOT encrypt the data channel. This also means that there is reduced performance cost on data transfer.

Setting up FTP with pure-ftpd

Install pure-ftpd (AUR) as directed in the Arch User Repository article (Installing packages).

Then you can go ahead and edit the configuration file:

# vi /etc/pure-ftpd.conf

You can start and stop the pure-ftpd daemon by

# rc.d start pure-ftpd
# rc.d stop pure-ftpd
# rc.d restart pure-ftpd

and you can set it to automatically start by adding it to the daemons list in /etc/rc.conf.

Set up Certificates

Refer to the documentation (http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS) for more information. The short version is this:

1. Create a self-signed certificate:

# mkdir -p /etc/ssl/private
# openssl req -x509 -nodes -newkey rsa:1024 -keyout \
  /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem

2. Make it private:

# chmod 600 /etc/ssl/private/*.pem

3. Be aware that using 1024 bits in some countries is against the law. Choose 512 or less if unsure.

Enable TLS

Towards the bottom of /etc/pure-ftpd.conf you should find a section for TLS. Uncomment and change the TLS setting to 1 (which enables both FTP and SFTP):

TLS            1

Now restart the pure-ftpd daemon and you should be able to log in with SFTP-enabled clients (e.g. FileZilla, SmartFTP). (Do not forget to use port 22.)

Latest revision as of 19:05, 3 May 2016

Related articles: SFTP chroot, Pure-FTPd

Secure copy (SCP) is a protocol to transfer files over a Secure Shell connection. The SSH file transfer protocol (SFTP) is a related protocol that also relies on a Secure Shell back-end. Both protocols encrypt passwords and transferred data. SFTP additionally offers capabilities such as resuming broken transfers and remote file manipulation, for example deletion.

Secure file transfer protocol (SFTP)

Install and configure OpenSSH. Once running, SFTP is available by default.

Access files with the sftp program or SSHFS. Many standard FTP programs should work as well.

Secure file transfer protocol (SFTP) with a chroot jail

Sysadmins can confine a subset of users to a chroot jail using openssh, restricting their access to a particular directory tree. This is useful for sharing some files without granting full system access or shell access. Users with this type of setup can use SFTP programs such as filezilla to put/get files in the chroot jail.

Set up the filesystem

Create a jail directory:

# mkdir -p /var/lib/jail

Note: Readers may select a file access scheme on their own. For example, optionally create a subdirectory for an incoming (writable) space and/or a read-only space. This need not be done directly under /var/lib/jail; it can be accomplished on the live partition, which will be mounted via a bind mount as well.

Bind mount the live filesystem to be shared onto this directory. In this example, /mnt/data/share is used. It is owned by root and has octal permissions of 755; this matters because sshd only honours a ChrootDirectory whose every path component is a root-owned directory that is not writable by any other user or group, and it refuses the session otherwise.

# mount -o bind /mnt/data/share /var/lib/jail

Tip: Consider adding an entry to /etc/fstab to make the bind mount survive a reboot.

Create an unprivileged user

Create the share user and set up a strong password:

# useradd -g sshusers -d /var/lib/jail foo
# passwd foo

Set up openssh

Add the following to the end of /etc/ssh/sshd_config to enable the share and to enforce the restrictions. %h expands to the user's home directory, which useradd set to /var/lib/jail above, and ForceCommand internal-sftp uses sshd's in-process SFTP server, so no binaries or libraries need to be present inside the jail:

/etc/ssh/sshd_config

...
Match group sshusers
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
    ForceCommand internal-sftp

Restart sshd.service to re-read the config file.

Test that the restrictions are in fact enforced by attempting an interactive ssh connection. The ssh server should return a polite notice of the setup:

$ ssh foo@someserver.com
foo@someserver.com's password:
This service allows sftp connections only.
Connection to someserver.com closed.
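The following check script is an added example and is not part of the ArchWiki page. It verifies the two things this setup silently depends on: that every component of the jail path is root-owned and not group/other-writable (otherwise sshd rejects the chroot), and that the Match block actually applies to the jailed user, by inspecting the effective configuration printed by sshd's extended test mode. It assumes GNU stat and the user, group and paths used above; the uid and base arguments of the path check exist only so it can be exercised on a scratch tree, and the client host/address in the comment are placeholders.

```shell
#!/bin/sh
# Added example for the SFTP chroot above (not from the ArchWiki page).
# Assumes GNU coreutils stat and the names used on the page: user foo,
# group sshusers (create it with groupadd first if missing), jail /var/lib/jail.

# sshd rejects a ChrootDirectory unless every component of the path is a
# root-owned directory that is not writable by group or others.
# check_chroot_path DIR [OWNER_UID] [BASE] checks BASE (default /) and each
# component of DIR below it, returning 1 on the first violation. OWNER_UID
# defaults to 0 (root); it is a parameter only so a scratch tree can be tested.
check_chroot_path() {
  dir=$1; want_uid=${2:-0}; cur=${3:-/}
  rel=${dir#"$cur"}
  old_ifs=$IFS; IFS=/; set -- $rel; IFS=$old_ifs
  for comp in "" "$@"; do
    if [ -n "$comp" ]; then cur="${cur%/}/$comp"; fi
    if [ ! -d "$cur" ]; then echo "not a directory: $cur" >&2; return 1; fi
    uid=$(stat -c %u "$cur"); mode=$(stat -c %a "$cur")
    if [ "$uid" != "$want_uid" ]; then
      echo "not owned by uid $want_uid: $cur" >&2; return 1
    fi
    # octal mask 022 selects the group and other write bits
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "writable by group/other (mode $mode): $cur" >&2; return 1
    fi
  done
  return 0
}

# Confirm the Match block applies to the jailed user. Pipe in the effective
# configuration sshd prints for a simulated connection (placeholder client):
#   sshd -T -C user=foo,host=client.example.org,addr=192.0.2.10 | verify_effective_config
# Returns 0 only when sftp is forced, forwarding is off and a chroot is set.
verify_effective_config() {
  cfg=$(cat)
  for kv in "forcecommand internal-sftp" "allowtcpforwarding no" "x11forwarding no"; do
    if ! printf '%s\n' "$cfg" | grep -qix "$kv"; then
      echo "missing: $kv" >&2; return 1
    fi
  done
  # ChrootDirectory is printed unexpanded (e.g. "%h"); "none" means no jail
  if ! printf '%s\n' "$cfg" | grep -qi '^chrootdirectory ' \
     || printf '%s\n' "$cfg" | grep -qix 'chrootdirectory none'; then
    echo "chrootdirectory not set" >&2; return 1
  fi
  return 0
}
```

Run both checks as root on the server before restarting sshd; a failing path check explains the "bad ownership or modes for chroot directory" error sshd would otherwise log at login time.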

Secure copy protocol (SCP)

Install, configure and start openssh. It contains a scp command to transfer files. See Secure Shell for more information.

More features are available by installing additional packages, for example rssh (AUR) or scponly, described below.

Scponly

Scponly is a limited shell that gives users scp/sftp access and nothing else. Additionally, one can set up scponly to chroot the user into a particular directory, increasing the level of security.

Install scponly.

For existing users, simply set the user's shell to scponly:

# usermod -s /usr/bin/scponly username

Adding a chroot jail

The package comes with a script to create a chroot. To use it:

# cd /usr/share/doc/scponly/
# ./setup_chroot.sh
  • Provide answers
  • Check that /path/to/chroot has root:root owner and r-x for others
  • Change the shell for selected user to /usr/bin/scponlyc
  • sftp-server may require some libnss modules such as libnss_files. Copy them to chroot's /lib path.