
The System

I am using a Windows 7 host with Cygwin and a virtual machine running Linux. The actual running guest is an Arch Linux ISO.

The Objective

I want to share files between the Cygwin host and the Arch guest.

Possible Solution

A good solution seems to be the SFTP protocol, using the Cygwin host as the server, because SSH is available out of the box in Arch and it is easy to configure an SSHD daemon in Cygwin.

I want to reduce the external attack surface and ideally only the virtual Linux guest should be able to log in remotely.

Constraints/Challenges

  1. The Windows Cygwin SSHD daemon runs on the local account that I normally use for my projects; it would be impractical to use a very long and strong password (since this is the password I re-enter every time I leave my desk).
    It would be nice to use a different password for SSH, but I think that in this case I should create a different account with a different user home directory, which would make it difficult to share files.

  2. The guest IP is dynamically assigned by the virtual machine application software. Therefore it is difficult to restrict the remote IPs logging in to SSH.

  3. I often need to check my project against new Arch Linux versions, so I start from a clean ISO and I install my project files via the SFTP share. Therefore I can't easily put a private key on the client, as files get to the guest system when the connection is already established.

Solution Security

My current ideas consist of combining an alphanumeric password with a restriction of the remote connections to the private address space, via host access control files:

# /etc/hosts.allow
sshd: 192.168.0.0/255.255.255.0

# /etc/hosts.deny
sshd: ALL

This is still not satisfactory, since a hacker in a public Wi-Fi network might brute force the password.

If there are safer or more efficient ways to share files between host and guest machine, please post an answer.

Update

I am currently using VMware Player, but I make my tests with VirtualBox too.

Shared folders

Someone suggested the use of shared folders. As noted in point 3, I often need to test my projects against the current ISO.

VMware Shared folders do not have an official Arch package. VirtualBox Shared folders do have an official Arch package, but I saw it is often required to reboot to make changes effective, which is useless in the ISO static environment.

antonio

1 Answer


I'm not familiar with VMware Player, but with VirtualBox, if the network is in "NAT" mode (or, presumably, host-only mode, but I haven't tested it), the source IP address for network connections from the guest to the host is the address of the host's network adapter. For example, if the host's address is 192.168.0.10, connections from the guest will show up as coming from high-numbered ports on 192.168.0.10.

If you set your hosts.allow file to only permit connections from the VM host's public address, this should provide the security you need.

As an alternative option, VirtualBox supports "shared folders": portions of the host's filesystem that are accessible from the guest. This requires support software on the guest, though, and an Arch LiveCD may not have it.

Mark
  • +1 As for VMware shared folders, the problem is that there is no official Arch package. The setup from user-contributed repositories is rather time consuming (if it works) and when I restart the ISO everything is gone. I can make a custom ISO or a persistent installation, but every time I need to test a new Arch release I have to recompile the packages and reinstall them. SSH and friends are already in Arch as with every distro. To tell the truth I haven't tried with VirtualBox yet. I will do so and report here. – antonio Sep 13 '14 at 21:44
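
An added example, not part of the original question or answer: a small Python model of how hosts.allow and hosts.deny rules are evaluated, comparing the question's /24 rule with a rule narrowed to a single address as the answer suggests. It is a simplified model that handles only `ALL`, literal addresses and `net/mask` patterns; 192.168.0.10 is the answer's example host address and 192.168.0.77 is a constructed address for another machine on the same subnet.

```python
import ipaddress

# Rule sets as (hosts.allow, hosts.deny) text. The first is the question's
# configuration; the second narrows it to the answer's example host address.
SUBNET_RULES = ("sshd: 192.168.0.0/255.255.255.0", "sshd: ALL")
HOST_ONLY_RULES = ("sshd: 192.168.0.10", "sshd: ALL")

def pattern_matches(pattern, addr):
    """Match one client pattern: ALL, a literal address, or net/mask."""
    if pattern == "ALL":
        return True
    try:
        if "/" in pattern:
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostnames and wildcards are outside this simplified model

def file_matches(text, daemon, addr):
    """True if any 'daemon_list : client_list' line matches daemon and addr."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        daemons, clients = (part.replace(",", " ").split()
                            for part in line.split(":", 1))
        if (daemon in daemons or "ALL" in daemons) and any(
                pattern_matches(p, addr) for p in clients):
            return True
    return False

def access_granted(rules, daemon, client_ip):
    """Order of checks: allow match grants, else deny match refuses, else grant."""
    allow_text, deny_text = rules
    addr = ipaddress.ip_address(client_ip)
    if file_matches(allow_text, daemon, addr):
        return True
    return not file_matches(deny_text, daemon, addr)

if __name__ == "__main__":
    # 192.168.0.10: guest behind NAT, seen as the host's own address (per the answer).
    # 192.168.0.77: constructed address of another machine on the same /24.
    for ip in ("192.168.0.10", "192.168.0.77"):
        print(ip, access_granted(SUBNET_RULES, "sshd", ip),
              access_granted(HOST_ONLY_RULES, "sshd", ip))
```

With the /24 rule both addresses are admitted to the password prompt; with the single-address rule only the NATed guest is.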