Difference between revisions of "SCP and SFTP"

From ArchWiki
Jump to: navigation, search
(Change to systemd)
m (Secure file transfer protocol (SFTP) with a chroot jail: rewording)
 
(52 intermediate revisions by 11 users not shown)
Line 1: Line 1:
 
[[Category:Secure Shell]]
 
[[Category:Secure Shell]]
SFTP refers to various forms of (more or less) secure file transfer protocols. This article lists two examples and how to set them up.
+
[[Category:File Transfer Protocol]]
 +
[[ja:SCP と SFTP]]
 +
{{Related articles start}}
 +
{{Related|SFTP chroot}}
 +
{{Related|Pure-FTPd}}
 +
{{Related articles end}}
  
== SSH file transfer protocol ==
+
The [[wikipedia:Secure copy|Secure copy (SCP)]] is a protocol to transfer files via a [[Secure Shell]] connection. The [[wikipedia:SSH_file_transfer_protocol|SSH file transfer protocol (SFTP)]] is a related protocol, also relying on a secure shell back-end. Both protocols allow secure file transfers, encrypting passwords and transferred data. The SFTP protocol, however, features additional capabilities like, for example, resuming broken transfers or remote file manipulation like deletion.
  
[http://en.wikipedia.org/wiki/SSH_file_transfer_protocol SSH file transfer protocol] is a FTP-like protocol that allows secure file transfer and manipulation, encrypting both passwords and transferred data.
+
== Secure file transfer protocol (SFTP) ==
  
=== Setting up SSH file transfer protocol with OpenSSH ===
+
Install and configure [[OpenSSH]]. Once running, SFTP is available by default.
  
To set up SFTP you only need to install and configure [[SSH#OpenSSH|OpenSSH]]. Once you have this running, SFTP is running too because the default configuration file enables it. Follow the instructions below for older configs.
+
Access files with the ''sftp'' program or [[SSHFS]]. Many standard FTP programs should work as well.
  
1. Open {{ic|/etc/ssh/sshd_config}} with your favorite editor and add this line:
+
== Secure file transfer protocol (SFTP) with a chroot jail ==
Subsystem sftp /usr/lib/ssh/sftp-server
+
Sysadmins can jail a subset of users to a chroot jail using {{Pkg|openssh}} thus restricting their access to a particular directory tree.  This can be useful to simply share some files without granting full system access or shell access.  Users with this type of setup may use SFTP programs such as {{Pkg|filezilla}} to put/get files in the chroot jail.
2. Restart the SSH-daemon with:
+
# systemctl restart sshd.service
+
  
And it should work. You can access your files with the sftp program or [[sshfs]]. Many standard FTP programs should work as well.
+
=== Setup the filesystem ===
 +
Create a jail directory:
 +
# mkdir -p /var/jail
  
== FTP over SSH ==
+
{{Note|Readers may select a file access scheme on their own.  For example, optionally create a subdirectory for an incoming (writable) space and/or a read-only space.  This need not be done directly under /var/jail ... it can be accomplished on the live partition which will be mounted via a bind mount as well.}}
  
[http://en.wikipedia.org/wiki/FTP_over_SSH#FTP_over_SSH_.28not_SFTP.29 FTP over SSH] encrypts passwords unlike plain FTP. FTP over SSH is not really a true protocol, it is just SSH + FTP or TLS/SSL + FTP . Note that there are many ways to set this up. This is one of them.  
+
Bind mount the live filesystem to be shared to this directory. In this example, /mnt/data/share is to be used. It is owned by root and has octal permissions of 755.
 +
# mount -o bind /mnt/data/share /var/jail
  
This setup in particular (using {{AUR|pure-ftpd}} + TLS) encrypts usernames, passwords, commands and server replies, but does NOT encrypt the data channel. This also means that there is reduced performance cost on data transfer.  
+
{{Tip|Consider adding an entry to {{ic|/etc/fstab}} to make the bind mount survive a reboot.}}
  
=== Setting up FTP with pure-ftpd ===
+
=== Create an unprivileged user ===
 +
Create the share user and setup a good password:
 +
# useradd -g sshusers -s /var/jail foo
 +
# passwd foo
  
Install {{AUR|pure-ftpd}} as directed in [[Arch_User_Repository#Installing_packages|this wiki article]].
+
=== Setup openssh ===
 +
Add the following to the end of {{ic|/etc/ssh/sshd_config}} to enable the share and to enforce the restrictions:
  
Then you can go ahead and edit the configuration file:
+
{{hc|/etc/ssh/sshd_config|<nowiki>
# vi /etc/pure-ftpd.conf
+
...
  
You can start and stop the {{ic|pure-ftpd}} daemon by
+
  Match group sshusers
  # rc.d start pure-ftpd
+
  ChrootDirectory %h
# rc.d stop pure-ftpd
+
  X11Forwarding no
# rc.d restart pure-ftpd
+
  AllowTcpForwarding no
 +
  PasswordAuthentication yes
 +
  ForceCommand internal-sftp
 +
</nowiki>}}
  
and you can set it to automatically start by adding it to the daemons list in {{ic|/etc/[[rc.conf]]}}.
+
[[Restart]] {{ic|sshd.service}} to re-read the config file.
  
=== Set up Certificates ===
+
Test that in fact, the restrictions are enforced by attempting an ssh connection via the shell. The ssh sever should return a polite notice of the setup:
Refer to [http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS the documentation] for more information. The short version is this:
+
$ ssh foo@someserver.com
 +
foo@someserver.com's password:
 +
This service allows sftp connections only.
 +
Connection to someserver.com closed.
  
1. Create a Self-Signed Certificate:
+
== Secure copy protocol (SCP) ==
# mkdir -p /etc/ssl/private
+
# openssl req -x509 -nodes -newkey rsa:1024 -keyout \
+
  /etc/ssl/private/pure-ftpd.pem \
+
  -out /etc/ssl/private/pure-ftpd.pem
+
2. Make it private:
+
# chmod 600 /etc/ssl/private/*.pem
+
3. Be aware that using 1024 bits in some countries is against the law. Choose 512 or less if unsure.
+
  
=== Enable TLS ===
+
[[Install]], configure and [[start]] {{Pkg|openssh}}. It contains a ''scp'' command to transfer files. See [[Secure Shell]] for more information.  
Towards the bottom of {{ic|/etc/pure-ftpd.conf}} you should find a section for TLS. Uncomment and change the TLS setting to 1 (which enables both FTP and SFTP):
+
TLS            1
+
  
Now restart the pure-ftpd daemon and you should be able to log in with SFTP-enabled clients (e.g. FileZilla, SmartFTP). (Do not forget to use port 22.)
+
More features are available by installing additional packages, for example {{Aur|rssh}} or {{Pkg|scponly}} described below.
 +
 
 +
=== Scponly ===
 +
 
 +
[https://github.com/scponly/scponly/wiki Scponly] is a limited shell for allowing users scp/sftp access and only scp/sftp access. Additionally, one can setup ''scponly'' to chroot the user into a particular directory increasing the level of security.  
 +
 
 +
[[install]] {{Pkg|scponly}}.  
 +
 
 +
For existing users, simply set the user's shell to scponly:
 +
 
 +
# usermod -s /usr/bin/scponly ''username''
 +
 
 +
==== Adding a chroot jail ====
 +
 
 +
The package comes with a script to create a chroot. To use it:
 +
 
 +
{{bc|# cd /usr/share/doc/scponly/}}
 +
{{bc|# ./setup_chroot.sh}}
 +
* Provide answers
 +
* Check that {{ic|/path/to/chroot}} has {{ic|root:root}} owner and {{ic|r-x}} for others
 +
* Change the shell for selected user to {{ic|/usr/bin/scponlyc}}
 +
* sftp-server may require some libnss modules such as libnss_files. Copy them to chroot's {{ic|/lib}} path.

Latest revision as of 22:57, 24 April 2016

Related articles

The Secure copy (SCP) is a protocol to transfer files via a Secure Shell connection. The SSH file transfer protocol (SFTP) is a related protocol, also relying on a secure shell back-end. Both protocols allow secure file transfers, encrypting passwords and transferred data. The SFTP protocol, however, features additional capabilities like, for example, resuming broken transfers or remote file manipulation like deletion.

Secure file transfer protocol (SFTP)

Install and configure OpenSSH. Once running, SFTP is available by default.

Access files with the sftp program or SSHFS. Many standard FTP programs should work as well.

Secure file transfer protocol (SFTP) with a chroot jail

Sysadmins can jail a subset of users to a chroot jail using openssh thus restricting their access to a particular directory tree. This can be useful to simply share some files without granting full system access or shell access. Users with this type of setup may use SFTP programs such as filezilla to put/get files in the chroot jail.

Setup the filesystem

Create a jail directory:

# mkdir -p /var/jail
Note: Readers may select a file access scheme on their own. For example, optionally create a subdirectory for an incoming (writable) space and/or a read-only space. This need not be done directly under /var/jail ... it can be accomplished on the live partition which will be mounted via a bind mount as well.

Bind mount the live filesystem to be shared to this directory. In this example, /mnt/data/share is to be used. It is owned by root and has octal permissions of 755.

# mount -o bind /mnt/data/share /var/jail
Tip: Consider adding an entry to /etc/fstab to make the bind mount survive a reboot.

Create an unprivileged user

Create the share user and setup a good password:

# useradd -g sshusers -s /var/jail foo
# passwd foo

Setup openssh

Add the following to the end of /etc/ssh/sshd_config to enable the share and to enforce the restrictions:

/etc/ssh/sshd_config
...

 Match group sshusers
  ChrootDirectory %h
  X11Forwarding no
  AllowTcpForwarding no
  PasswordAuthentication yes
  ForceCommand internal-sftp

Restart sshd.service to re-read the config file.

Test that in fact, the restrictions are enforced by attempting an ssh connection via the shell. The ssh sever should return a polite notice of the setup:

$ ssh foo@someserver.com
foo@someserver.com's password:
This service allows sftp connections only.
Connection to someserver.com closed.

Secure copy protocol (SCP)

Install, configure and start openssh. It contains a scp command to transfer files. See Secure Shell for more information.

More features are available by installing additional packages, for example rsshAUR or scponly described below.

Scponly

Scponly is a limited shell for allowing users scp/sftp access and only scp/sftp access. Additionally, one can setup scponly to chroot the user into a particular directory increasing the level of security.

install scponly.

For existing users, simply set the user's shell to scponly:

# usermod -s /usr/bin/scponly username

Adding a chroot jail

The package comes with a script to create a chroot. To use it:

# cd /usr/share/doc/scponly/
# ./setup_chroot.sh
  • Provide answers
  • Check that /path/to/chroot has root:root owner and r-x for others
  • Change the shell for selected user to /usr/bin/scponlyc
  • sftp-server may require some libnss modules such as libnss_files. Copy them to chroot's /lib path.