Articles / SFTP For Business Use

SFTP For Business Use

Many months ago, the organization I work for placed a request with our development department for a secure file transfer system. The file transfer system needed to be far more secure than FTP and more reliable than creating an HTTP uploading system. After a few weeks of research and testing, I suggested that we create an SFTP Server to handle the file uploads.

What is SFTP?

The most frequent question I received from management was: "What is SFTP?" In essence, SFTP is an interactive file transfer program, similar to FTP, except that SFTP performs all operations in an encrypted manner. It utilizes public key authentication and compression. It connects and logs into a specified host, then enters an interactive command mode. Utilizing SFTP requires the installation of the OpenSSH suite of tools. OpenSSH encrypts all traffic (including passwords) to reduce the likelihood of eavesdropping and connection hacking.

Why not just use FTP?

The major reason for implementing SFTP versus FTP is security. FTP is not even remotely secure. During an FTP session, your username and password are transmitted in clear text. If someone is eavesdropping, it is not difficult for them to log your FTP username and password.

Installation Steps

Please note that I assume that you will be using Linux to host your SFTP server. It is possible to do this through Windows, using Cygwin.

The remainder of this article will be generalized installation and setup instructions for creating an SFTP system. There are many "howtos" available on the Internet; however, most do not include restricting the user's login shell or using a client to establish an SFTP session with your SFTP server. This instruction set will include:

  1. Setup and configuration for OpenSSH
  2. Building a restricted shell for users using RSSH
  3. Implementing an interface for your SFTP server

Setup and Configuration for OpenSSH

Step 1 – Configure your client SSH configuration file

Using your favorite editor, open the ssh_config file. This is usually found in /etc/ssh_conf. In most cases, this file can be left as its default; however, you can change it to affect each user's session.

Step 2 – Configure your server SSH configuration file

  1. Using your favorite editor, open the sshd_config file. This is usually found in /etc/sshd_conf.
  2. There is only one change that needs to be made to this file to enhance security. You must make sure that the Authentication section of the file has the following values set:
        # Authentication:
        LoginGraceTime 1m 		# only need 1 minute to allow login time
        PermitRootLogin no		# do not allow root login
        #StrictModes yes		# default is yes – this should stay
        MaxAuthTries 3		# set max tries to 3 (default is 6)
      
  3. All other settings are okay for the SFTP environment.
  4. Start your SSH service and set it to run by default. This will differ from flavor to flavor; I use Gentoo.
        /etc/init.d/sshd start		# this will start your ssh service
      
  5. Now, let's test your sftp connection by logging in as a user of the system. If you do not have a user created on the system other than root, create one now.
        $ sftp joeblow@localhost
        
        RSA keyfingerprint is ***********************.
        
        Are you sure you want to continue connecting (yes/no)?
      
  6. After you have said "yes" to the above, your sftp connection will be established, and you will have the following prompt waiting:
        sftp>
      
  7. As with FTP, you can use the get and put commands; we will not be interacting at the commandline with the SFTP server, but you can.

Step 3 – Build a restricted shell for users using RSSH

  1. Install RSSH. If you are using Gentoo, you can emerge the rssh package.
  2. After installation, you need to add rssh to the list of allowed shells.
        $ echo /usr/bin/rssh >> /etc/shells
      
  3. You'll need to edit the /etc/rssh.conf file to allow chrooting and sftp:
        logfacility = LOG_USER
        allowsftp
        umask = 022
        chrootpath="/home"
      
  4. You must build a chroot environment for rssh. You'll have to copy some files to the /home directory to make it work properly:
        $ cd /home 
        $ mkdir -p usr/bin 
        $ cp /usr/bin/sftp usr/bin 
        $ cp /usr/bin/rssh usr/bin 
        $ mkdir -p usr/libexec 
        $ cp /usr/libexec/rssh_chroot_helper usr/libexec 
        $ mkdir -p usr/lib/misc 
        $ cp /usr/lib/misc/sftp-server usr/lib/misc 
      
  5. You'll need to copy the dependencies of the above files. To do this properly, you'll need to use the ldd command to list the dependencies needed:
        $ ldd /usr/bin/sftp 
        
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7fc5000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ece000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7eca000)
        libz.so.1 => /lib/libz.so.1 (0xb7eba000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7ea5000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e78000)
        libc.so.6 => /lib/libc.so.6 (0xb7d68000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7d64000)
        /lib/ld-linux.so.2 (0xb7feb000)
      
  6. You'll need to make directories for the above dependencies and copy the libs needed for SFTP:
        $ mkdir lib
        $ cp /lib/<dependency>
        $ mkdir -p usr/lib
        $ cp /usr/lib/<dependency>		 
      
  7. The above actions will need to be repeated for:
        $ ldd /usr/bin/rssh
        $ ldd /usr/libexec/rssh_chroot_helper
        $ ldd /usr/lib/misc/sftp-server
      
  8. Once finished, you can add a user or modify a user. You must make sure that when you add or modify, you set the user's shell to /usr/bin/rssh.

Step 4 - Implementing an interface for your SFTP server

Having non-technical individuals interface with your SFTP server via the commandline isn't the best way. You will want to utilize a third party tool. There are two main ways you can work with your SFTP server from the client side:

WinSCP
This is a free Windows-based sftp client. It is a great tool because it works the same as most FTP clients.
A Web-based interface
Using a Web-based interface is by far the best way to allow interaction with your SFTP server. The downside to this is that it is not free. If you choose this route, I would recommend looking at JScape's SFTP applet.

Problems with the system

As with implementing any type of technology, there are always limits. The limit to SFTP is that the users cannot be virtual users as they were with FTP. Each user that interacts with the system must have her own account. (Don't worry; this is why you create the restricted shell and only give them access to the sftp command.)

If you choose to implement the client side using a Web-based client, you should consider having the client interface with a user database for authentication. The reason for this is that Web-based SFTP clients such as JScape offer the ability to further restrict individuals to a specified directory. In essence, you could have a table that contains the username, password, and user's home directory. When the user logs in using the Web client, the table is queried and the user is logged in based on her record in the database. This is more work on your part, but it gives the users the feeling of a well-integrated system.

Conclusion

SFTP and OpenSSH are great solutions for providing a secured file transfer system. The system takes time to implement, but the return on investment is very apparent... no eavesdropping or hacked FTP.

Recent comments

28 Oct 2006 19:42 Avatar eggman2001

sftp server accessible only through internal IP
I have an sftp server with my webhost, and they tell me that I can only access my sftp server though an internal IP address, which means that I have to log in to my webserver first, and through SSH log in to the sftp server. Has anyone heard of this? I know very little SSH and have no idea how to do this. help!

18 Sep 2006 00:14 Avatar bobpriston

Backup to SFTP
Recently was released new windows backup utility (http://www.backup-premium.com) for backup to unix SFTP servers.
It also works with different Windows SFTP programs.
Just for your information.

10 Nov 2005 01:03 Avatar sarvinkakis

Re: Just my $.02
oki, i didn't know that, i thought that the webdav client know when the
transfer wasn't succesfull, and could reconnect and only fetch the missing part,
a bit like the &quot;continue&quot; option of wget
s (http://animesexporn.filthserver.com)a (http://familysexporn.filthserver.com)r (http://hardcoresexporn.filthserver.com)v (http://parishiltonsex.filthserver.com)i (http://freestories.filthserver.com)n (http://freesexporn.filthserver.com)k (http://groupsexporn.filthserver.com)a (http://hotsexporn.filthserver.com)k (http://freevideos.filthserver.com)i (http://youngsexgirls.filthserver.com)s (http://www.geocities.com/efreetvs/sex.html)
thank you

25 May 2005 21:31 Avatar madloons

Re: Difference between SCP and SFTP?

> Maybe i'm just to stupid but are those
> to the same or different Protocols?
>
> But thanks for the chroot ssh part of
> the tutorial, it helped me a lot.
>


Very nice tutorial this helped me really a lot
thanks for the tutorial

05 May 2005 22:10 Avatar bignose

Re: Difference between SCP and SFTP?


> Maybe i'm just to stupid but are those

> to the same or different Protocols?

>

> But thanks for the chroot ssh part of

> the tutorial, it helped me a lot.

>

FTP is a (separate, obsolete) protocol for file transfer. It has no encryption, and cannot unless the client and server agree beforehand on a separate encryption layer -- in which case the encryption has nothing to do with FTP.

SSH is a protocol for encrypted network sessions. The common use for this is remote command shells, but a file transfer can be done using (among others) SFTP, a command protocol carried over SSH and designed to look like FTP.

They are completely separate protocols, with separate feature sets and requiring completely separate programs (both for client and server), but SFTP is designed to allow the user to use it as though it was FTP.

Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.