SFTP
SFTP Client
Connect to an SFTP server:
sftp user@server
Connect to an SFTP server on a non-default port (VMware's server on port 443):
sftp -o Port=443 user@sftp2.engx.vmware.com
Batch mode:
# a batchfile of '-' may be used to indicate standard input
sftp -b batchfile user@server
Password Solution [1]
You have a few options other than using public key authentication:
- Use keychain
- Use sshpass (less secure, but probably meets your requirement)
- Use expect (least secure and more coding needed)
If you decide to give sshpass a chance, here is a working script snippet to do so:
export SSHPASS=your-password-here
sshpass -e sftp -oBatchMode=no -b - sftp-user@remote-host << !
cd incoming
put your-log-file.log
bye
!
SFTP Server
To give Linux accounts SFTP-only access (no shell access), set the user's login shell to the sftp-server binary, e.g. in /etc/passwd:
test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server
RedHat:
/usr/libexec/openssh/sftp-server
Ubuntu:
/usr/lib/openssh/sftp-server
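An SFTP-only account is only as locked down as its shell and group setup. The following audit script is an added example, not part of the original page: it lists members of a given group (the sftpusers group used in the chroot section below is assumed) whose login shell is neither an sftp-server binary nor nologin, i.e. accounts that would get a shell if the ForceCommand restriction were ever dropped. It parses passwd(5)/group(5) formatted text, so it runs here on constructed sample accounts; pass the contents of /etc/passwd and /etc/group to audit a real host.

```shell
#!/bin/sh
# Added example (not from the original page): audit which members of the
# SFTP-only group still have an interactive login shell. Reads passwd(5)
# and group(5) formatted text, so it runs on the constructed sample data
# below; pass "$(cat /etc/passwd)" and "$(cat /etc/group)" for a real host.
# All account names, uids, gids and the group name here are constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server
testuser:x:502:600:,,,:/:/sbin/nologin
bob:x:503:503::/home/bob:/usr/lib/openssh/sftp-server
alice:x:504:504::/home/alice:/bin/bash'

SAMPLE_GROUP='root:x:0:
sftpusers:x:600:bob,alice
nogroup:x:65534:'

# Print "user shell" for every member of group $1 (listed in the group
# entry, or using the group as primary gid) whose shell is neither an
# sftp-server binary nor nologin. $2 = passwd text, $3 = group text.
# Returns 1 if the group does not exist. Accounts printed here rely
# entirely on "ForceCommand internal-sftp" to stay out of a shell.
shell_accounts_in_group() {
    entry=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g { print $3 ":" $4; exit }')
    [ -n "$entry" ] || return 1
    gid=${entry%%:*}
    members=${entry#*:}
    printf '%s\n' "$2" | awk -F: -v gid="$gid" -v m="$members" '
        BEGIN {
            n = split(m, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") inG[a[i]] = 1
        }
        ($1 in inG || $4 == gid) && $7 !~ /sftp-server$/ && $7 !~ /nologin$/ {
            print $1, $7
        }'
}

# On the sample data only alice is flagged: testuser is nologin, bob uses
# the Ubuntu sftp-server path, test uses the RedHat path.
shell_accounts_in_group sftpusers "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

The shell match is a suffix match on `sftp-server`, so both the RedHat and Ubuntu paths listed above are recognised; `internal-sftp` accounts do not need a special shell, which is why the page's nologin step is also accepted.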
chroot SFTP
/etc/passwd:
testuser:x:501:501:,,,:/:/sbin/nologin
Create group:
groupadd sftpusers
/etc/ssh/sshd_config:
#Subsystem sftp /usr/lib/misc/sftp-server
Subsystem sftp internal-sftp

# for group with one chroot (my favorite)
Match Group sftpusers
ChrootDirectory /data/chroot
ForceCommand internal-sftp

# for group (alternative method)
Match Group sftpusers
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

# for user (alternative method)
Match User [USER]
ChrootDirectory /home/%u
ForceCommand internal-sftp

# if wanting ssh keys to work:
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
Force a umask for SSH sessions by adding to /etc/pam.d/sshd: [2]
session optional pam_umask.so umask=2002
Restart SSH:
service sshd restart # RHEL
service ssh restart # Debian
Set the chroot directory's ownership and permissions (sshd requires ChrootDirectory and all of its parent directories to be root-owned and not group/world writable):
# To avoid this error: "fatal: bad ownership or modes for chroot directory"
# chown root.root /home/[USER]
# chmod 755 /home/[USER]
chown root.root /data/chroot
chmod 755 /data/chroot
Create a pub directory:
mkdir /data/chroot/pub
chmod 2775 /data/chroot/pub
chown nobody.sftpusers /data/chroot/pub
# chown nobody.nogroup /data/chroot/pub # match samba
Create user:
adduser [USER]
Set user's home path to '/' and disable shell login:
usermod -d / [USER]
usermod -s /sbin/nologin [USER]
Add user to the sftpusers group:
#usermod -a -G sftpusers,nogroup [USER]
usermod -a -G sftpusers [USER]
usermod -a -G nogroup [USER] # match samba
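The "bad ownership or modes for chroot directory" error only shows up after sshd has been restarted and a user tries to log in. The script below is an added example, not part of the original page or of OpenSSH: it reproduces the rule sshd applies to ChrootDirectory (every path component from the chroot directory up to / must be owned by root and must not be writable by group or others) so the setup can be checked before restarting. It assumes GNU coreutils `stat -c`; the path names are examples.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check that mirrors
# the rule sshd enforces for ChrootDirectory. Every component from the chroot
# directory up to "/" must be owned by root (uid 0) and must not be writable
# by group or others; otherwise logins fail with
# "fatal: bad ownership or modes for chroot directory".
# Assumes GNU coreutils stat ("stat -c"); paths used here are examples.

# Pure check for one path component.
#   $1 = numeric owner uid
#   $2 = octal mode as printed by "stat -c %a" (may carry a leading
#        setuid/setgid/sticky digit, e.g. 2775)
# Returns 0 when sshd would accept the component, 1 otherwise.
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    perms=$(printf '%04d' "$mode")      # zero-pad, e.g. 755 -> 0755
    perms=${perms#?}                    # keep owner/group/other digits
    group=${perms%?}; group=${group#?}  # middle digit
    other=${perms#??}                   # last digit
    # any digit with the write bit (2) set: 2, 3, 6 or 7
    case $group in 2|3|6|7) return 1 ;; esac
    case $other in 2|3|6|7) return 1 ;; esac
    return 0
}

# Walk from $1 up to "/" and check each component with component_ok.
# Prints the first offending path and returns 1; returns 0 when the whole
# chain is acceptable; returns 2 if a path cannot be stat'ed.
check_chroot_path() {
    dir=$1
    while :; do
        uid=$(stat -c %u "$dir") || return 2
        mode=$(stat -c %a "$dir") || return 2
        if ! component_ok "$uid" "$mode"; then
            printf 'BAD: %s (uid=%s mode=%s) must be root-owned and not group/world writable\n' \
                "$dir" "$uid" "$mode"
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage: sh check_chroot.sh /data/chroot
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 is acceptable as ChrootDirectory"
fi
```

Only the chroot directory and its ancestors have to pass this check; directories inside the chroot, such as the group-writable 2775 pub directory created above, are meant to be writable and are not inspected by sshd.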
References:
- SFTP Server - Gentoo Linux Wiki - http://en.gentoo-wiki.com/wiki/SFTP_Server
- How to setup ssh's umask for all type of connections - Server Fault - http://serverfault.com/questions/228396/how-to-setup-sshs-umask-for-all-type-of-connections