How can I set up the OpenSSH SFTP server on Linux?

I want to configure sftp-server to share a directory but I don't know how to modify /etc/ssh/sshd_config.

My requirements are:

1) Login shall not use certificates, only passwords (i.e. authorization uses the password method)

2) I want to login with user: ftp, password: foo and share directory /home/ftp.

3) I have an application which from time to time needs to download a file from the server; I don't need to log in with a full operating client.

So far I have added the following lines to /etc/ssh/sshd_config:

Protocol 2
Subsystem sftp /usr/libexec/sftp-server
Match User ftp
   ForceCommand internal-sftp
   ChrootDirectory /home/ftp

Everything else is commented.

/home/ftp is an empty directory at the present moment.

Access works if I try to download a file using root credentials but it doesn't work if I use ftp credentials. Do I need to set a login shell? Do I need to populate /home/ftp somehow?

EDIT: This is my sshd log:

subsystem request for sftp
debug1: subsystem: exec() internal-sftp
debug1: Forced command (config) 'internal-sftp '
debug2: fd 3 setting TCP_NODELAY
debug2: fd 9 setting O_NONBLOCK
debug2: fd 8 setting O_NONBLOCK
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 17613
debug1: session_exit_message: session 0 channel 0 pid 17613
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: send eow
debug2: channel 0: output open -> closed
debug2: channel 0: read<=0 rfd 9 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug2: notify_done: reading
debug3: channel 0: will not send data after close
debug3: channel 0: will not send data after close
User child is on pid 17611
debug3: mm_request_receive entering

* The client hangs here (until a timeout occurs) *

Please note, again, that if I login as "root" the file downloads correctly. It also downloads correctly if I comment out the last three lines of the configuration file (i.e. the Match line and the following 2).

Emiliano

Posted 2011-09-30T16:00:39.783

Have you tried only specifying one of the Match options? What happens when you use a real SFTP client? Can you still connect using a normal SSH client, e.g. ssh, or PuTTY on Windows? What version of OpenSSH are you using? – Daniel Beck – 2011-09-30T18:08:57.120

Answers

You need to make sure /home/ftp is owned by root and that group and others don't have write permission, e.g. chmod 0755. You need to add subdirectories for ftp to add files in.

You also need the internal-sftp subsystem; otherwise you need to provide a proper chroot environment in /home/ftp:

Subsystem sftp internal-sftp

To disallow all non-password kinds of login, enter

ChallengeResponseAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication no

These are activated by default.

Daniel Beck

Replacing my Subsystem line with yours (and setting the directory permissions) makes my error string disappear; however, my client program "hangs" and doesn't download the file I need (I can download it using root credentials). Is there any way to make sshd output more verbose? – Emiliano – 2011-09-30T16:56:42.230

Try only adding a single configuration item in turn and test whether you can connect to determine which of the options is at fault, or whether it's maybe a combination of options. You should have some output in /var/log/secure, at least that's where I get it on my system. – Daniel Beck – 2011-09-30T17:00:32.947

I have raised my log level using the LogLevel directive. I can read the strings in /var/log/messages. I have the following: Failed none for ftp [...] followed by Accepted password for ftp [...] and User child is on pid 7658. The client hangs and then times out. – Emiliano – 2011-09-30T17:04:58.760

@happy_emi Consider adding that information to your question. – Daniel Beck – 2011-09-30T17:06:03.097

It looks like it was a problem of directory permissions. sshd_config was just fine. – Emiliano – 2011-10-05T10:02:08.223
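The two things this thread turned on, the ownership and mode rule that sshd applies to every component of a ChrootDirectory path, and the Match block for a password-only internal-sftp account, as an added worked example. This is not code from the original question or answer, nor from OpenSSH itself. It assumes a Linux host with GNU coreutils (stat -c); the user name ftp and the directory /home/ftp are taken from the question, and the file name sftp-chroot.sh is made up for the usage line. The expected-owner parameter exists only so the check can be exercised as a non-root user; in a real deployment the owner must be root.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): check the
# filesystem preconditions sshd enforces for ChrootDirectory and print the
# sshd_config fragment for a password-only, SFTP-only account.
# Assumes a Linux host with GNU coreutils (stat -c). The user name "ftp"
# and the directory /home/ftp are the values from the question.

# sshd refuses to chroot unless every path component, "/" included, is
# owned by root and has no group/other write bit (st_mode & 022 == 0).
# This mirrors that rule for one component.
#   $1 = owner uid, $2 = octal mode as printed by `stat -c %a`,
#   $3 = expected owner uid (default 0 = root; a parameter only so the
#        check can be exercised without root privileges).
chroot_component_ok() {
    [ "$1" -eq "${3:-0}" ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Apply chroot_component_ok to one existing path. On failure print the
# path and return 1 so the caller knows which component to fix.
_check_one() {
    _st=$(stat -c '%u %a' "$1" 2>/dev/null) || { echo "$1"; return 1; }
    set -- "$1" "$2" $_st          # word-split "uid mode" into $3 and $4
    chroot_component_ok "$3" "$4" "$2" || { echo "$1"; return 1; }
}

# Walk "/" and then every prefix of $1 (e.g. /home, then /home/ftp),
# exactly the order sshd checks them. $2 = expected owner uid (default 0).
check_chroot_path() {
    _want=${2:-0}
    _p=
    _rest=${1#/}
    _check_one / "$_want" || return 1
    while [ -n "$_rest" ]; do
        case $_rest in
            */*) _comp=${_rest%%/*}; _rest=${_rest#*/} ;;
            *)   _comp=$_rest;       _rest= ;;
        esac
        [ -n "$_comp" ] || continue      # tolerate "//" in the input
        _p="$_p/$_comp"
        _check_one "$_p" "$_want" || return 1
    done
}

# Config fragment for user $1 chrooted into $2. Subsystem is not allowed
# inside Match, so it stays global. A Match block extends to the next
# Match or to end of file, so keep it last in sshd_config. internal-sftp
# runs inside sshd and needs no binaries in the chroot, which is why the
# chroot directory can stay empty apart from a writable subdirectory.
render_sftp_match() {
    cat <<EOF
Subsystem sftp internal-sftp

Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    PasswordAuthentication yes
    PubkeyAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Run directly with a user and directory to audit the existing tree and
# print the fragment, e.g.:  sh sftp-chroot.sh ftp /home/ftp
if [ $# -ge 2 ]; then
    if bad=$(check_chroot_path "$2"); then
        echo "# $2 and its parents satisfy sshd's chroot ownership rule"
    else
        echo "# fix first: chown root:root '$bad' && chmod go-w '$bad'" >&2
        echo "# then give $1 somewhere writable, e.g.: install -d -o '$1' -m 0755 '$2/upload'" >&2
    fi
    render_sftp_match "$1" "$2"
fi
```

The walk stops at the first offending component and names it, which is the information the debug log in the question does not give you: with a world-writable or non-root-owned directory anywhere on the path, sshd's privilege-separated child exits right after "Forced command (config) 'internal-sftp'" and the client sits waiting, as described above. Note that the chroot directory itself must stay root-owned and non-writable by ftp, so uploads need a subdirectory owned by ftp underneath it.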