---
title: "Build a secure reception folder for SFTP files transfer"
date: 2019-02-04
last_modified_at: 2022-06-11 11:31
url: build-a-secure-reception-folder-for-sftp-files-transfer
layout: post
category: Security
image: /img/blog/build-a-secure-reception-folder-for-sftp-files-transfer.png
description: "How to transfer files over SFTP to a server with as few privileges as possible?"
---

[![A missing blog post image](/img/blog/build-a-secure-reception-folder-for-sftp-files-transfer.png)](/img/blog/build-a-secure-reception-folder-for-sftp-files-transfer.png)

### Introduction

Setting up SFTP through the SSH daemon is, in my opinion, not very well documented, and the errors it throws are not always explicit.
Add some hardening to the mix and nothing works as expected.

This is a short guide (acting a bit as a memo, I admit) for SSH + SFTP + chroot + public key authentication :wink:

### The procedure

#### On "SFTP" server side

First we create a new unprivileged user, without any password (the account will only ever be reached through public key authentication):

{% highlight bash %}
adduser archiver \
    --shell /bin/bash \
    --home /home/archiver \
    --disabled-password
{% endhighlight %}

> Since `ForceCommand internal-sftp` (set below) never executes a shell, the login shell is irrelevant for SFTP; `/usr/sbin/nologin` works just as well and closes any other use of the account.

Now that this is done, we may create the reception folder (still as `root`):

{% highlight bash %}
mkdir -p /home/archiver/chroot/folder
{% endhighlight %}

As clients will put their files into `folder/`, the system user they connect as must own it. It is the only directory below the chroot that belongs to `archiver`:

{% highlight bash %}
chown archiver:archiver /home/archiver/chroot/folder
{% endhighlight %}

:warning: **This is important: every directory on the path to the `ChrootDirectory` (`/`, `/home`, `/home/archiver` and `/home/archiver/chroot`) MUST be owned by `root` and MUST NOT be writable by group or others, i.e. `0755` at most** :warning:

That is why the user-owned `folder/` sits one level below the chroot instead of being the chroot itself. Note that `adduser` hands `/home/archiver` over to `archiver`, and recent Debian releases create home directories with mode `0700` by default, so both ownership and mode have to be fixed there.

You can enforce this with the following (the commented lines should already be OK, but who knows?):

{% highlight bash %}
#chmod 0755 /
#chmod 0755 /home
chown root:root /home/archiver /home/archiver/chroot
chmod 0755 /home/archiver /home/archiver/chroot
{% endhighlight %}

> If you don't, `sshd` will refuse to _chroot_ and the session dies with `fatal: bad ownership or modes for chroot directory component "..."` in the auth log, while the client only sees its connection being closed.


Now we may tweak the SSH configuration (`/etc/ssh/sshd_config`). `Match` blocks go at the end of the file: every directive after a `Match` line belongs to it until the next `Match`:

{% highlight config %}
# ...

Match User archiver
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home/archiver/chroot/
    ForceCommand internal-sftp -P read,remove -d folder/
{% endhighlight %}

---

The `-P` parameter lets us restrict the SFTP protocol requests clients may perform (a black-list).
With `read,remove` denied, clients can upload but can neither fetch nor delete files already present (useful for a write-only backup folder).
Run `/usr/lib/openssh/sftp-server -Q requests` to list the protocol request names you may use.
I've tried to use `-p`, which is on the contrary a protocol request white-list, but couldn't figure out why it didn't work from the errors thrown...
A white-list also has to contain the housekeeping requests the client sends on its own (`realpath`, `stat`/`lstat`, `open`, `write`, `close` and friends); leave one out and the session fails before the first `put`.

> Please note that those protocol requests HAVE NOTHING TO DO with the (S)FTP commands typed at the client (`put`, `get`, `cd`, etc.): one client command maps to one or several protocol requests.

> Also note what the black-list does not cover: `rename`/`posix-rename`, `setstat` and `rmdir` stay allowed, and nothing stops a client from opening an existing file for writing and truncating it, since `open` and `write` must remain permitted for uploads. Treat the folder as write-only against accidents, not against a malicious client bent on destroying earlier uploads.

The `-d` parameter drops clients directly into `folder/` (the path is relative to the chroot).
This is very useful for interactive SFTP sessions because clients don't have to `cd` anywhere and can directly perform their actions.

---

Finally, we check the configuration and restart the `sshd` daemon (the unit is `ssh.service` on Debian/Ubuntu, `sshd.service` elsewhere):

{% highlight bash %}
sshd -t && systemctl restart ssh.service
{% endhighlight %}

#### On "SFTP" client side

We will begin here by generating a new ED25519 key pair:

{% highlight bash %}
cd
ssh-keygen -t ed25519
cat .ssh/id_ed25519.pub
# Copy the displayed public key
{% endhighlight %}

> Before continuing, paste the public key into `/home/archiver/.ssh/authorized_keys` on your SFTP server. `sshd` reads this file from the real home directory, before the _chroot_ happens, so it lives outside `chroot/`. With `StrictModes` (the default), `.ssh/` must be `0700` and `authorized_keys` `0600`, both owned by `archiver` (or `root`); otherwise the key is refused with `bad ownership or modes for directory` in the auth log and `Permission denied (publickey)` at the client.

Now, you should be allowed to perform your first SFTP operation (:tada:):

{% highlight bash %}
sftp -q archiver@YOUR.SFTP.SERVER.IP:/folder/ <<< $'put your_file_to_be_transferred.tar.gz'
{% endhighlight %}

> The command issued in the snippet above IS AN EXAMPLE. Feel free to adapt it your way. For scripts, prefer batch mode (`sftp -b -`, commands read from standard input): it aborts on the first failing command and exits non-zero, which is what a backup job needs.

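The following script is an added example, not code from the original post: it installs the client's public key on the server for the SFTP-only account with the ownership and modes `StrictModes` checks, and pins the key down with `authorized_keys` options (`restrict`, optionally `from=`). Assumptions that are mine rather than the post's: it runs as `root` on the server, the home directory passed in is the account's real home (not the chroot), `restrict` needs OpenSSH 7.2 or later, and the `FROM` address range is a hypothetical client network.

```shell
#!/bin/sh
# Added example (not part of the original post): install a public key for the
# SFTP-only account the way sshd's StrictModes expects it.

# install_sftp_key HOME_DIR USER "PUBKEY LINE" [FROM]
#   Appends:  restrict[,from="FROM"] ssh-ed25519 AAAA... comment
#   "restrict" turns off pty, port/agent/X11 forwarding and user-rc for this
#   key whatever the global sshd_config says; the SFTP subsystem still works.
install_sftp_key() {
    home_dir=$1; user=$2; pubkey=$3; from=${4:-}
    opts="restrict"
    if [ -n "$from" ]; then
        opts="$opts,from=\"$from\""     # only this source may use the key
    fi
    mkdir -p "$home_dir/.ssh"
    printf '%s %s\n' "$opts" "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    chmod 0700 "$home_dir/.ssh"                     # StrictModes: no group/other access
    chmod 0600 "$home_dir/.ssh/authorized_keys"
    chown -R "$user" "$home_dir/.ssh"               # owned by the account (root is also accepted)
}

# authorized_keys_modes HOME_DIR: print "<dir mode> <file mode>" as sshd sees them.
authorized_keys_modes() {
    printf '%s %s\n' "$(stat -c '%a' "$1/.ssh")" "$(stat -c '%a' "$1/.ssh/authorized_keys")"
}

# Server side, as root (not executed here):
#   install_sftp_key /home/archiver archiver "$(cat id_ed25519.pub)" 203.0.113.0/24
#
# Client side, scripted upload in batch mode: aborts on the first failed
# command and exits non-zero (not executed here, it needs the server):
#   printf 'put backup.tar.gz\n' | sftp -q -b - -i ~/.ssh/id_ed25519 archiver@YOUR.SFTP.SERVER.IP:/folder/
```

Keeping the key options in `authorized_keys` in addition to the `Match` block means the account stays locked down even if someone later loosens `sshd_config`; the two controls fail independently.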
### Conclusion

:wave:

### References

* [sftp-server(8) - OpenBSD manual pages](https://man.openbsd.org/sftp-server.8)
* [https://en.wikibooks.org/wiki/OpenSSH/Cookbook/File_Transfer_with_SFTP](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/File_Transfer_with_SFTP)