Simple SFTP setup

This SFTP setup is NOT chrooted, nor otherwise restricted: root can log in over both SFTP and interactive SSH.

A minimal initial install was spun up. Beyond the minimal base install, three packages were then added: rsync, man and openssh-clients.


[root@host-172-16-1-198 ~]# reset
[root@host-172-16-1-198 ~]# cat sftp-setup.txt

    5  yum install rsync man
    6  yum install openssh-clients
   11  grep sftp /etc/services
   12  cd /etc/sysconfig/
   13  joe iptables
   14  vi iptables
   15  service iptables restart
   18  passwd
   19  sftp localhost
   20  ssh localhost
   21  history > sftp-setup.txt

We explicitly open the 'sftp' port as well. This is not required: SFTP is a subsystem of sshd and is carried inside the SSH connection on port 22, which the preceding rule already opens. The 'sftp' entry that grep sftp /etc/services finds is 115/tcp, the legacy Simple File Transfer Protocol, which has nothing to do with SSH and on which nothing on this host is listening, so the second rule opens a port with no service behind it. Note also that the -i eth1 -j ACCEPT rule admits all traffic arriving on eth1 regardless of port:


# Firewall configuration written by system-config-firewall 
# Manual customization of this file is not recommended.   
*filter                                                   
:INPUT ACCEPT [0:0]                                       
:FORWARD ACCEPT [0:0]                                     
:OUTPUT ACCEPT [0:0]                                      
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   
-A INPUT -p icmp -j ACCEPT                                
-A INPUT -i lo -j ACCEPT                                  
-A INPUT -i eth1 -j ACCEPT                                
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited             
-A FORWARD -j REJECT --reject-with icmp-host-prohibited           
COMMIT
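To make the point about the two --dport rules concrete, here is an added shell example (not part of the original article) that resolves the service names used in those rules the way iptables does, through /etc/services, and reports which TCP ports the INPUT chain really opens for new connections. The /etc/services excerpt and the rule lines are constructed samples embedded in the script; on a real host you would feed it the contents of /etc/services and /etc/sysconfig/iptables instead.

```sh
#!/bin/sh
# Added example, not code from the original article: resolve the service
# names used in iptables --dport rules against /etc/services and report which
# TCP ports the INPUT chain really opens. Needs only POSIX sh and awk.

# Constructed excerpt of /etc/services (the ssh and sftp entries of a stock host).
SERVICES_SAMPLE='# service-name  port/protocol  [aliases ...]
ssh             22/tcp                          # The Secure Shell (SSH) Protocol
ssh             22/udp
sftp            115/tcp                         # Simple File Transfer Protocol
sftp            115/udp'

# Constructed copy of the relevant rule lines from the article's /etc/sysconfig/iptables.
RULES_SAMPLE='-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# service_port NAME SERVICES_TEXT
# Prints the numeric tcp port registered for NAME, or nothing if it is unknown.
service_port() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 !~ /^#/ && $1 == name && $2 ~ /\/tcp$/ {
            sub(/\/tcp$/, "", $2); print $2; exit
        }'
}

# opened_tcp_ports RULES_TEXT SERVICES_TEXT
# Prints, in rule order, the numeric ports that tcp ACCEPT rules open.
# Service names (like "sftp") are resolved through the services text, as iptables does.
opened_tcp_ports() {
    out=""
    for dport in $(printf '%s\n' "$1" | awk '
        / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'); do
        case $dport in
            *[!0-9]*) port=$(service_port "$dport" "$2") ;;   # a service name
            *)        port=$dport ;;                          # already numeric
        esac
        if [ -n "$port" ]; then
            out="$out${out:+ }$port"
        fi
    done
    printf '%s\n' "$out"
}

# ports_beyond_ssh RULES_TEXT SERVICES_TEXT
# Prints the opened ports other than ssh's: everything SFTP-over-SSH does not need.
ports_beyond_ssh() {
    ssh_port=$(service_port ssh "$2")
    out=""
    for p in $(opened_tcp_ports "$1" "$2"); do
        [ "$p" = "$ssh_port" ] || out="$out${out:+ }$p"
    done
    printf '%s\n' "$out"
}

echo "TCP ports opened for NEW connections: $(opened_tcp_ports "$RULES_SAMPLE" "$SERVICES_SAMPLE")"
echo "ssh  resolves to $(service_port ssh  "$SERVICES_SAMPLE")/tcp (sshd; the SFTP subsystem rides on this connection)"
echo "sftp resolves to $(service_port sftp "$SERVICES_SAMPLE")/tcp (legacy Simple File Transfer Protocol, not SSH)"
echo "Opened but not needed for SFTP over SSH: $(ports_beyond_ssh "$RULES_SAMPLE" "$SERVICES_SAMPLE")"
```

With the article's rules the script reports 22 and 115 as opened and 115 as the port SFTP does not need; dropping the --dport sftp rule changes nothing for sftp clients, which connect to 22.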

This is the runlevel configuration of the installed services, in chkconfig --list format. Note that sshd, which the logins below depend on, does not appear among the entries shown:


acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off 
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off

Proof of concept. Note that we did NOT alter /etc/ssh/sshd_config in this example; the stock configuration already enables the sftp subsystem, which is why this works:


[root@host-172-16-1-198 ~]# sftp localhost
Connecting to localhost...
root@localhost's password:
sftp> ls
sftp-setup.txt
sftp> ls -l
-rw-r--r--    1 root     root         1830 Oct 15 08:31 sftp-setup.txt
sftp> quit
[root@host-172-16-1-198 ~]#

and ssh access:


[root@host-172-16-1-198 ~]# ssh localhost
root@localhost's password:
Last login: Mon Oct 15 08:30:29 2012 from 10.16.1.106
[root@host-172-16-1-198 ~]# logout
Connection to localhost closed.
[root@host-172-16-1-198 ~]#

Both key-based and password-based SSH authentication work. From a remote host, when the client offers a key that the server accepts, we are NOT challenged for a password. After an edit on the client so that the key is no longer offered (the same effect can be had without editing anything by passing -o PubkeyAuthentication=no to sftp or ssh), we are prompted for the password:


[[email protected] ~]$ # keyed ssh set up 
[[email protected] ~]$ date
Mon Oct 15 12:57:07 EDT 2012
[[email protected] ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
sftp> ls
sftp-setup.txt
sftp> quit
[[email protected] ~]$ # remove the key
[[email protected] ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
root@10.16.1.194's password:
sftp> ls
sftp-setup.txt
sftp> quit
[[email protected] ~]$ date
Mon Oct 15 12:57:33 EDT 2012
[[email protected] ~]$

We do not address hardening here, such as TCP wrappers, a chroot for SFTP users, disabling root login or more restrictive iptables rules, as that is out of scope of this article.
