SFTP For Business Use
 by John K. Norden

Many months ago, the organization I work for placed a request with our development department for a secure file transfer system. The file transfer system needed to be far more secure than FTP and more reliable than creating an HTTP uploading system. After a few weeks of research and testing, I suggested that we create an SFTP Server to handle the file uploads.

What is SFTP?

The most frequent question I received from management was: "What is SFTP?" In essence, SFTP is an interactive file transfer program, similar to FTP, except that SFTP performs all operations in an encrypted manner. It utilizes public key authentication and compression. It connects and logs into a specified host, then enters an interactive command mode. Utilizing SFTP requires the installation of the OpenSSH suite of tools. OpenSSH encrypts all traffic (including passwords) to reduce the likelihood of eavesdropping and connection hacking.

Why not just use FTP?

The major reason for implementing SFTP versus FTP is security. FTP is not even remotely secure. During an FTP session, your username and password are transmitted in clear text. If someone is eavesdropping, it is not difficult for them to log your FTP username and password.

Installation Steps

Please note that I assume that you will be using Linux to host your SFTP server. It is possible to do this through Windows, using Cygwin.

The remainder of this article will be generalized installation and setup instructions for creating an SFTP system. There are many "howtos" available on the Internet; however, most do not include restricting the user's login shell or using a client to establish an SFTP session with your SFTP server. This instruction set will include:

  1. Setup and configuration for OpenSSH
  2. Building a restricted shell for users using RSSH
  3. Implementing an interface for your SFTP server

Setup and Configuration for OpenSSH

Step 1 – Configure your client SSH configuration file

Using your favorite editor, open the ssh_config file. This is usually found in /etc/ssh_conf. In most cases, this file can be left as its default; however, you can change it to affect each user's session.

Step 2 – Configure your server SSH configuration file

  1. Using your favorite editor, open the sshd_config file. This is usually found in /etc/sshd_conf.
  2. There is only one change that needs to be made to this file to enhance security. You must make sure that the Authentication section of the file has the following values set: 
        # Authentication:
    LoginGraceTime 1m 		# only need 1 minute to allow login time
    PermitRootLogin no		# do not allow root login
    #StrictModes yes		# default is yes – this should stay
    MaxAuthTries 3		# set max tries to 3 (default is 6)
  3. All other settings are okay for the SFTP environment.
  4. Start your SSH service and set it to run by default. This will differ from flavor to flavor; I use Gentoo. 
        /etc/init.d/sshd start		# this will start your ssh service
  5. Now, let's test your sftp connection by logging in as a user of the system. If you do not have a user created on the system other than root, create one now. 
        $ sftp joeblow@localhost
    
    RSA keyfingerprint is ***********************.
    
    Are you sure you want to continue connecting (yes/no)?
  6. After you have said "yes" to the above, your sftp connection will be established, and you will have the following prompt waiting: 
        sftp>
  7. As with FTP, you can use the get and put commands; we will not be interacting at the commandline with the SFTP server, but you can.

Step 3 – Build a restricted shell for users using RSSH

  1. Install RSS. If you are using Gentoo, you can emerge the rssh package.
  2. After installation, you need to add rssh to the list of allowed shells. 
        $ echo /usr/bin/rssh >> /etc/shells
  3. You'll need to edit the /etc/rssh.conf file to allow chrooting and sftp: 
        logfacility = LOG_USER
    allowsftp
    umask = 022
    chrootpath="/home"
  4. You must build a chroot environment for rssh. You'll have to copy some files to the /home directory to make it work properly: 
        $ cd /home 
    $ mkdir -p usr/bin 
    $ cp /usr/bin/sftp usr/bin 
    $ cp /usr/bin/rssh usr/bin 
    $ mkdir -p usr/libexec 
    $ cp /usr/libexec/rssh_chroot_helper usr/libexec 
    $ mkdir -p usr/lib/misc 
    $ cp /usr/lib/misc/sftp-server usr/lib/misc
  5. You'll need to copy the dependencies of the above files. To do this properly, you'll need to use the ldd command to list the dependencies needed: 
        $ ldd /usr/bin/sftp 
    
    libresolv.so.2 => /lib/libresolv.so.2 (0xb7fc5000)
    libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ece000)
    libutil.so.1 => /lib/libutil.so.1 (0xb7eca000)
    libz.so.1 => /lib/libz.so.1 (0xb7eba000)
    libnsl.so.1 => /lib/libnsl.so.1 (0xb7ea5000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e78000)
    libc.so.6 => /lib/libc.so.6 (0xb7d68000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7d64000)
    /lib/ld-linux.so.2 (0xb7feb000)
  6. You'll need to make directories for the above dependencies and copy the libs needed for SFTP: 
        $ mkdir lib
    $ cp /lib/<dependency>
    $ mkdir -p usr/lib
    $ cp /usr/lib/<dependency>
  7. The above actions will need to be repeated for: 
        $ ldd /usr/bin/rssh
    $ ldd /usr/libexec/rssh_chroot_helper
    $ ldd /usr/lib/misc/sftp-server
  8. Once finished, you can add a user or modify a user. You must make sure that when you add or modify, you set the user's shell to /usr/bin/rssh.

Step 4 - Implementing an interface for your SFTP server

Having non-technical individuals interface with your SFTP server via the commandline isn't the best way. You will want to utilize a third party tool. There are two main ways you can work with your SFTP server from the client side:

WinSCP
This is a free Windows-based sftp client. It is a great tool because it works the same as most FTP clients.
A Web-based interface
Using a Web-based interface is by far the best way to allow interaction with your SFTP server. The downside to this is that it is not free. If you choose this route, I would recommend looking at JScape's SFTP applet.

Problems with the system

As with implementing any type of technology, there are always limits. The limit to SFTP is that the users cannot be virtual users as they were with FTP. Each user that interacts with the system must have her own account. (Don't worry; this is why you create the restricted shell and only give them access to the sftp command.)

If you choose to implement the client side using a Web-based client, you should consider having the client interface with a user database for authentication. The reason for this is that Web-based SFTP clients such as JScape offer the ability to further restrict individuals to a specified directory. In essence, you could have a table that contains the username, password, and user's home directory. When the user logs in using the Web client, the table is queried and the user is logged in based on her record in the database. This is more work on your part, but it gives the users the feeling of a well-integrated system.

Conclusion

SFTP and OpenSSH are great solutions for providing a secured file transfer system. The system takes time to implement, but the return on investment is very apparent... no eavesdropping or hacked FTP.

Author's bio:

John K. Norden is a Systems Developer with the International Center for Entrepreneurial Development (ICED) and an Adjunct Instructor at ITT-Technical Institutes's Houston North Campus. John specializes in Web-based application development in both a Windows and Linux environment. More recently, John has become involved in the implementation of information security procedures and protocols at ICED.