
Configure a SFTP only user

When somebody needs to transfer files to a server, it is usually not desirable for that user to have more privileges than the minimum required for the task.
Often this is an automated process between two well-known servers.
OpenSSH has a built-in SFTP server that can easily be used for this purpose.
The following describes the configuration for a user that can only access a directory created for the purpose, needs a key to authenticate, and can only connect from a specific IP address.

The following assumes:

  1. server for the storage is myserver
  2. share is SHARE
  3. domain is myserver (the server itself, it's not in a domain)
  4. SFTP user is remote-sftp
  5. SFTP user's home is /SFTP/remote-sftp/storage

Create a file with the credentials:

# credentials for the SMB share; keep the file root-only (mode 0600), it contains a password
cat > /root/myserver.crd
username=<user_name>
password=<password>
domain=<domain_name_or_server_name>
<ctrl-d>

Create the folder structure

mkdir /SFTP
mkdir /SFTP/remote-sftp
chown root:root /SFTP
chown root:root /SFTP/remote-sftp
chmod 0711 /SFTP
chmod 0755 /SFTP/remote-sftp

Create a user and a group with the same name, with no login shell, and set the home directory to the directory that will be the chroot jail. Note the uid and gid assigned to the user; they are required to mount the SMB share with the right ownership.

# --user-group creates a group with the same name as the user
useradd --system --user-group --shell /bin/false --home-dir /SFTP/remote-sftp remote-sftp

Create an entry in /etc/fstab that mounts the storage share on the SFTP user's directory, so that transferred files land on the storage server and do not fill up the local disk. In /etc/fstab add:

# //<server>/<share> /<dir>/<where_to_mount> cifs credentials=/root/<file_name_with_credentials>,uid=<uid_user>,gid=<gid_user>,file_mode=0660,dir_mode=0770 0 0
//myserver/SHARE /SFTP/remote-sftp/storage cifs credentials=/root/myserver.crd,uid=<uid_remote-sftp>,gid=<gid_remote-sftp>,file_mode=0660,dir_mode=0770 0 0

Create the “home” directory for the SFTP user

# mkdir -p /path/to/remote-sftp-storage/storage
mkdir /SFTP/remote-sftp/storage
# change the owner and file permissions for the user
chown remote-sftp:remote-sftp /SFTP/remote-sftp/storage
# change the file permissions for the user to read and write (no execute)
chmod 0660 /SFTP/remote-sftp/storage

Modify /etc/ssh/sshd_config and add the following at the end of the file (a Match block extends to the next Match line or the end of the file, so it must come after the global settings):

# deny all authentication if the ip address is not the expected server
# (Match criteria are separated by spaces, not commas; a negated pattern never
# matches on its own, so the wildcard is needed to catch every other address)
Match User remote-sftp Address !<ip address>,*
     PasswordAuthentication no
     PubkeyAuthentication no

# allow key auth if the ip address is right, confined to the jail and to SFTP
Match User remote-sftp Address <ip address>
     PasswordAuthentication no
     PubkeyAuthentication yes
     ChrootDirectory /SFTP/remote-sftp
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp -l VERBOSE -f LOCAL0
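Before restarting sshd it is worth checking the ChrootDirectory chain: sshd refuses to chroot unless every directory from / down to the jail is owned by root and not group- or world-writable, and the login then fails with "bad ownership or modes for chroot directory component". The following check script is an added example, not part of the original page; it assumes GNU stat (coreutils) and a shell whose arithmetic accepts leading-0 octal constants (bash, dash).

```shell
#!/bin/sh
# Added example: verify a ChrootDirectory against sshd's ownership and mode
# rules. Each directory from / down to the jail must be owned by uid 0 and
# must not be writable by group or others.

# check_dir DIR: print a diagnostic and return 1 if DIR breaks a chroot rule.
check_dir() {
    d=$1
    [ -d "$d" ] || { echo "MISSING   $d"; return 1; }
    uid=$(stat -c %u "$d")
    mode=$(stat -c %a "$d")            # octal, e.g. 755 or 1777
    rc=0
    if [ "$uid" != 0 ]; then
        echo "NOT-ROOT  $d (uid $uid)"; rc=1
    fi
    # 022 masks the group and other write bits
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE  $d (mode $mode)"; rc=1
    fi
    return $rc
}

# check_chroot_path JAIL: apply check_dir to JAIL and every parent up to /.
# Returns 0 only if the whole chain is acceptable to sshd.
check_chroot_path() {
    p=$1
    rc=0
    while :; do
        check_dir "$p" || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Check the jail used on this page (prints each offending component, if any)
check_chroot_path /SFTP/remote-sftp && echo "chroot path OK"
```

After editing sshd_config, `sshd -t` checks the syntax and `sshd -T -C user=remote-sftp,host=<client>,addr=<ip address>` prints the options that will actually apply to that Match, so the PubkeyAuthentication and ChrootDirectory values can be confirmed for both the allowed and a disallowed address.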

Generate the key pair on the client with the OpenSSH tool ssh-keygen (PuTTY users can import the resulting private key with puttygen); the example below uses a Windows path:

# ssh-keygen -t rsa -C "remote-sftp@myserver" -f "<directory>\<file_name_for_the_key>"
ssh-keygen -t rsa -C "remote-sftp@myserver" -f C:\Keystore\id_rsa

On the SFTP server, copy id_rsa.pub to the .ssh directory in the home directory of the user (remote-sftp) and add the public key to authorized_keys there. sshd reads this file before it chroots, so the path is the real /SFTP/remote-sftp/.ssh; the directory and file must belong to the user and not be writable by anyone else, otherwise StrictModes rejects them.

mkdir -p /SFTP/remote-sftp/.ssh
cat id_rsa.pub >> /SFTP/remote-sftp/.ssh/authorized_keys
chown -R remote-sftp:remote-sftp /SFTP/remote-sftp/.ssh
chmod 0700 /SFTP/remote-sftp/.ssh; chmod 0600 /SFTP/remote-sftp/.ssh/authorized_keys

Give the private key (id_rsa) to the SFTP client.

Install a script that moves the content to and from the SFTP user's directory.

linux/sftp.txt · Last modified: 2023/10/31 11:19 by olaf