The basic SFTP service requires no additional setup, it is a built-in part of the OpenSSH server. However, the same options and tricks available for the regular SSH client are also available for SFTP clients. Some options may have to be specified with the full option name using the -o argument.
For many graphical SFTP clients, it is possible to use a regular URL to point to the target. Many file managers nowadays have built-in support for SFTP. See the section "GUI Clients" above.
The subsystem sftp-server implements SFTP file transfer. See sftp-server(8). The subsystem internal-sftp implements an in-process SFTP server which may simplify configurations using ChrootDirectory to force a different filesystem root on clients.
Just to say it again, regular SFTP access requires no additional changes from the default configuration. SFTP provides a very easy to use and very easy to configure option for accessing a remote system. The usual clients can be used or special ones like sshfs.
SFTP uploads or downloads can be automated. The prerequisite is key-based authentication. Once key-based authentication is working, a batch file can be used to carry out activities via SFTP. See batchfile (-b) in sftp(1) for details.
sftp -b /home/fred/cmds.batch -i /home/fred/.ssh/foo_key_rsa server.example.org:/home/fred/logs/
If a dash (-) is used as the batchfile name, SFTP commands will be read from stdin.
echo "put /var/log/foobar.log" | sftp -b - -i /home/fred/.ssh/foo_key_rsa server.example.org:/home/fred/logs/
More than one SFTP command can be sent, but it is better then to use an actual batch file.
echo -e "put /var/log/foobar.log\nput /var/log/munged.log" | sftp -b - -i /home/fred/.ssh/foo_key_rsa server.example.org:/home/fred/logs/
The batch file mode can be very useful in cron jobs and in scripting.
Using the Match directive in sshd_config(5), it is possible to limit members of a specific group to using only SFTP for interaction with the server.
Subsystem sftp internal-sftp Match Group sftp-only AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp
Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
List group names or patterns of group names, separated by spaces, that may log in. If specified, login is allowed only for users who are members of a group that matches a group or pattern on the list. Only group names are valid; numerical group IDs are not recognized.
The allow/deny directives are processed in the following order:
- DenyGroups, and finally,
The first pattern matched takes effect.
By default, login is allowed for all groups. However, if AllowGroups or AllowUsers is specified, then all users or groups not listed are prohibited from logging in. See PATTERNS in ssh_config(5) for more information on patterns.
Chrooted SFTP-only Accounts
It's common that a group of users need to read and write files to their home directories on the server, but have little or no reason to access the rest of the file system. SFTP provides a very easy to use and very easy to configure chroot. In some cases, it is enough to chroot users to their home directories. Depending on the opensshd version this may not be usable since some versions require that the chroot-target directory and all parent directories are owned by root and not writeable by any others. In most cases home directories aren't owned by root and allow writing by at least one user. One way around this restriction is to have the home directory owned by root, but have it populated with a number of other directories and files that are owned by the actual user to which the user can write.
Subsystem sftp internal-sftp Match Group sftp-only ChrootDirectory %h AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp
Another common case is to chroot access to a web server's document root or server root.
Subsystem sftp internal-sftp Match Group webmasters ChrootDirectory /var/www AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp
Starting with OpenSSH 5.4, sshd(8) can explicitly set a umask to override the default one set by the user’s account.
# umask for sftp subsystem OpenSSH 5.4 and later Subsystem sftp internal-sftp -u 0022
Earlier versions can do the same thing through the use of a helper script, but this complicates chrooted directories very much. The helper script can be a regular script or it can be embedded inline in the configuration file though neither works easily in a chroot jail. It’s often easier to get a newer version of sshd(8) which supports umask as part of the server’s configuration.
# inline helper script for umask in OpenSSH 5.3 and earler, based on one by gilles@ Subsystem sftp /bin/sh -c 'umask 0022; /usr/libexec/openssh/sftp-server'
Another common case is to chroot a group of users to different levels of the web server they are responsible for. For obvious reasons, symbolic links going from inside the jail to parts of the filesystem outside the chroot jail are not accessible to the chrooted users. So directory hierarchies must be planned more carefully if there are special combinations of access.
Subsystem sftp internal-sftp Match Group webdevel ChrootDirectory /var/www/site1 ForceCommand internal-sftp Match Group webauthors ChrootDirectory /var/www/site1/htdocs ForceCommand internal-sftp
In these kinds of directories, it may be useful to give different levels of access to more than just one group. In that case, ACLs should be used.
Chrooted SFTP Accounts Accessible Only from Particular Addresses
More complex matching can be done. It is possible to allow a group of users to use SFTP, but not a shell login, only if they log in from a specific address or range of addresses. If they log in from the right addresses, then get SFTP and only SFTP, but if they try to log in from other addresses they will be denied access completely. Both conditions, the affirmative and negative matches, need to be accounted for.
Subsystem sftp internal-sftp Match Group sftp-only, Address 184.108.40.206 AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp ChrootDirectory /home/servers/ Match Group sftp-only, Address *,!220.127.116.11 DenyGroups sftp-only
Note that for negation a wildcard must be specified first and then the address or range to be excluded following it. Mind the spaces or lack thereof. Similar matching can be done for a range of addresses by specifying the addresses in CIDR address/mask format, such as 18.104.22.168/20. Any number of criteria can be specified and only if all of them are met then the directive in the subsequent lines take effect.
Again, the first Match block that fits is the one that takes effect, so care must be taken when constructing conditional blocks to make them fit the precise situation desired. Also, any situations that don't fit a Match conditional block will fall through the cracks. Those will get the general configuration settings whatever they may be. Specific user and source address combinations can be tested with the configurations using the -T and -C options with the server for more options. See the section Debugging a Server Configuration for more.
Chrooted SFTP with Logging
The logging daemon must establish a socket in the chroot directory for the sftp-server subsystem to access as /dev/log See the section on Logging.
Chrooted login shells
The chroot and all its components, must be root-owned directories that are not writable by any other user or group. The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically bash or ksh sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.
sshfs - SFTP file transfer via local folders
Another way to transfer files back and forth, or even use them remotely, is to use sshfs It is a file system client based on SFTP and utilizes the sftp-subsystem. It can make a directory on the remote server accessible as a directory on the local file system which can be accessed by any program just as if it were a local directory. The user must have read-write privileges for mount point to use sshfs.
# create mount point 'server' in the home directory if none exists test -e ~/mountpoint || mkdir --mode 700 ~/mountpoint # mount the remote server sshfs email@example.com:. ~/mountpoint
Reading or writing files to the mount point is actually transferring data to or from the remote system. The amount of bandwidth consumed by the transfers can be reduced using compression. That can be important if the network connection has bandwidth caps or per-unit fees. However, if speed is the only issue, compression can make the transfer slower if the processors on either end are busy or not powerful enough. About the only way to be sure is to test and see which method is faster.
# alternately, see if using compression is faster or slower sshfs -C firstname.lastname@example.org:. ~/mountpoint
Or try with debugging output:
sshfs -o sshfs_debug email@example.com /home/fred/mountpoint
sshfs with a key
The ssh_command option is used to pass parameters on to ssh. In this example it is pointer to a key used for authentication to mount a remote directory, /usr/src, locally as /home/fred/src.
$ sshfs -o ssh_command="ssh -i /home/fred/.ssh/id_rsa" firstname.lastname@example.org:/usr/src /home/fred/src/