SFTP

From Omnia

SFTP Client

SFTP server example:

sftp user@server

VMware SFTP server example:

sftp -o Port=443 user@sftp2.engx.vmware.com

Batch mode:

# Run the commands in batchfile non-interactively; a batchfile of '-' reads them from standard input
sftp -b batchfile user@server

Password Solution

Apart from public key authentication, you have a few options: [1]

  1. Use keychain
  2. Use sshpass (less secure, but probably meets your requirement)
  3. Use expect (least secure and needs more coding)

If you decide to give sshpass a chance, here is a working script snippet:

# -e makes sshpass read the password from the SSHPASS environment variable, so it
# does not show up in `ps` output the way a -p argument would.
# BatchMode=no is required: sshpass can only supply the password if sftp still prompts for it.
# -b - reads the batch commands from standard input (the here-document below).
export SSHPASS=your-password-here
sshpass -e sftp -oBatchMode=no -b - sftp-user@remote-host << !
   cd incoming
   put your-log-file.log
   bye
!

SFTP Server

To provide SFTP access to Linux accounts only (no shell access), change the user's shell in /etc/passwd to the sftp-server binary:

test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server

RedHat:

/usr/libexec/openssh/sftp-server

Ubuntu:

/usr/lib/openssh/sftp-server

chroot SFTP

/etc/passwd:

testuser:x:501:501:,,,:/:/sbin/nologin

Create group:

groupadd sftpusers

/etc/ssh/sshd_config:

#Subsystem	sftp	/usr/lib/misc/sftp-server
Subsystem   sftp    internal-sftp
# for group with one chroot (my favorite)
Match Group sftpusers
  ChrootDirectory /data/chroot
  ForceCommand internal-sftp
# for group (alternative method)
Match Group sftpusers
  ChrootDirectory /home/%u
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no
# for user (alternative method)
Match User [USER]
  ChrootDirectory /home/%u
  ForceCommand internal-sftp
# if wanting ssh keys to work:
#AuthorizedKeysFile      %h/.ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

Force a umask on SSH sessions; add to /etc/pam.d/sshd: [2]

session    optional     pam_umask.so umask=2002

Restart SSH:

service sshd restart  # RHEL
service ssh restart  # Debian

Set root folder permissions (required for chroot):

# sshd requires every component of the ChrootDirectory path to be owned by root
# and not writable by group or others; otherwise it refuses the login with
# "fatal: bad ownership or modes for chroot directory"
# chown root:root /home/[USER]
# chmod 755 /home/[USER]
chown root:root /data/chroot
chmod 755 /data/chroot

Create a writable pub directory inside the chroot (the chroot root itself must stay non-writable):

mkdir /data/chroot/pub
chmod 2775 /data/chroot/pub   # setgid: new files inherit the sftpusers group
chown nobody:sftpusers /data/chroot/pub
# chown nobody:nogroup /data/chroot/pub  # match samba

Create user:

adduser [USER]

Set user's home path to '/' and disable shell login:

usermod -d / [USER]
usermod -s /sbin/nologin [USER]

Add user to the sftpusers group:

#usermod -a -G sftpusers,nogroup [USER]
usermod -a -G sftpusers [USER]
usermod -a -G nogroup [USER]  # match samba

References:
