SFTP
Author: Jackson Chen
Troubleshooting

SFTP logs - Linux

```bash
# Follow the logs while reproducing the problem
tail -f /var/log/secure    # login / authentication (sshd) log
tail -f /var/log/messages  # general system messages
```

Test SFTP connection

```bash
sftp -vvv <username>@<sftp-server-ip | sftp-fqdn>
# check the debug output for the key exchange, authentication and access information
```
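The tail commands above show the raw log; the script below is an added example (not from the original notes) of the triage a defender usually wants from /var/log/secure on an SFTP host: failed password attempts per source address, which users actually requested the sftp subsystem, and logins that authenticated but were then rejected by the chroot checks. The log lines are constructed for the demo; on a server, point the functions at the real file.

```bash
#!/bin/sh
# Added example (not part of the original notes): triage sshd/SFTP entries from
# /var/log/secure. The log lines below are constructed for the demo; point the
# functions at the real file (e.g. /var/log/secure) on a server.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 12 10:01:02 sftp01 sshd[1234]: Accepted publickey for sftpuser01 from 10.0.0.5 port 51234 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Jan 12 10:01:03 sftp01 sshd[1240]: subsystem request for sftp by user sftpuser01
Jan 12 10:02:10 sftp01 sshd[1301]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
Jan 12 10:02:12 sftp01 sshd[1301]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Jan 12 10:02:14 sftp01 sshd[1302]: Failed password for sftpuser01 from 203.0.113.9 port 40002 ssh2
Jan 12 10:03:00 sftp01 sshd[1310]: Accepted password for sftpuser02 from 10.0.0.7 port 52000 ssh2
Jan 12 10:03:00 sftp01 sshd[1310]: fatal: bad ownership or modes for chroot directory component "/data/ftproot" [postauth]
EOF

# Failed password attempts per source address, most frequent first: "ip count".
failed_by_source() {
    grep 'sshd\[' "$1" | grep 'Failed password' \
        | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Number of failed attempts from one address (0 if none).
count_failed_from() {
    failed_by_source "$1" | awk -v ip="$2" '$1 == ip {n = $2} END {print n + 0}'
}

# Users that actually started an SFTP session. On an SFTP-only host, an SSH
# login that never requested the sftp subsystem is worth a closer look.
sftp_session_users() {
    sed -n 's/.*subsystem request for sftp by user \([^ ]*\).*/\1/p' "$1" | sort -u
}

# Logins that authenticated but were then rejected by the chroot checks. The
# usual cause is a ChrootDirectory (or one of its parents) that is not owned by
# root or is group/world-writable.
chroot_failures() {
    awk '/bad ownership or modes for chroot directory/ {n++} END {print n + 0}' "$1"
}

# Demo run over the constructed log
echo "Failed attempts by source:"; failed_by_source "$SAMPLE_LOG"
echo "SFTP session users:"; sftp_session_users "$SAMPLE_LOG"
echo "Chroot failures: $(chroot_failures "$SAMPLE_LOG")"
```

Run it as-is to see the demo; to use it on a server, replace `$SAMPLE_LOG` with `/var/log/secure` (or `journalctl -u sshd` output saved to a file).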
How to generate an SSH public and private key pair, and x509 PEM files

```bash
# Create the private and public key pair
# -m PEM writes the private key in the traditional PEM format so the openssl
# commands below can read it (openssl cannot parse the default OpenSSH key format)
ssh-keygen -t rsa -m PEM -f private_key
```

Note:
Follow the prompts to create the private and public key pair (private_key and private_key.pub).

```bash
# Convert the private key to a PKCS#8 (.p8) file
openssl pkcs8 -topk8 -in private_key -out private_key.p8

# Write the private key in DER format
# This file is imported into the key store when configuring the SFTP connection, if needed
openssl rsa -in private_key.p8 -out private_key.der -outform der

# Create a self-signed x509 certificate (PEM) for the public key
# This certificate can be imported into the key store of the SFTP client, so the
# client does not prompt for the public key when connecting via SFTP or SSH
# Note:
# a. The SFTP server needs the SFTP client's public key in the SFTP user's
#    authorized_keys file (see "How to connect to SFTP with SSH key" below)
openssl req -x509 -new -key private_key -days 365 \
    -out public_key.pem \
    -subj "/CN=FQDN"
```
How to connect to SFTP servers via a non-standard port

```bash
# Connect to an SFTP server listening on TCP 2222
sftp -P 2222 remoteuser@sftp-host.fqdn   # non-standard port
sftp -P 22 remoteuser@sftp-host.fqdn     # standard TCP 22
```

Note:
If the SFTP client and SFTP server have been configured to use public key authentication as described above, then no login credential is required, as the connection uses:
a. SFTP client private key, located on the client system
b. SFTP client public key, added to the SFTP user's authorized_keys on the SFTP server
c. SFTP server public key x509 PEM, imported into the SFTP client key store
How to set up an SFTP server on RHEL

https://www.techrepublic.com/article/how-to-set-up-an-sftp-server-on-linux/

- Install SFTP and open the firewall

```bash
# Check for SFTP sessions on the Linux system
# (an internal-sftp process only exists while a client is connected, so no output
# does not by itself mean the service is down; check sshd below)
ps -e | grep -i sftp

# Check whether SSH is installed
rpm -qa | grep ssh

# Install the SFTP server (part of openssh-server), if not installed
yum install openssh-server -y

# Start the SSH service and enable it to start at boot
systemctl start sshd
systemctl enable sshd

# Open port 22
# Verify that port 22 or the ssh service is allowed
iptables -S
firewall-cmd --list-services
firewall-cmd --list-ports

# Add the ssh service or port 22 if required
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

# Restart the sshd service
systemctl restart sshd && systemctl status sshd
```
- Create the SFTP directory

```bash
# Create the SFTP directory
# This directory hosts the uploaded files
# It is a different directory from the SFTP user's home directory
mkdir -p /data/ftproot
chmod 701 /data/ftproot

# Create the SFTP user home directory
# when using a local user
mkdir -p /data/ftpusers

# when using a domain user
realm permit domainuser01                              # user home directory will be at /home/domainuser01
mkdir -p /home/domainuser01
chown 'domainuser01:domain user' /home/domainuser01    # folder ownership: owner domainuser01, group "domain user"
```
- Create the SFTP user group

```bash
# Create the SFTP group
groupadd sftp_users

# Create the SFTP user without regular login privileges, belonging to the newly created sftp_users group
useradd -g sftp_users -d /data/ftpusers/<sftpuserlogin> -s /sbin/nologin <sftpuserlogin>
# Where
#   <sftpuserlogin> is the login name of the SFTP user

# Next, give the new user a password
passwd <sftpuserlogin>
```

Note: If using a domain user, then

```bash
realm permit domainuser01
```
- Create the SFTP user upload directory

```bash
# Create the new SFTP user's SFTP directory
# We create an upload directory for the new SFTP user and configure its permissions
#
# Note: /data/ftproot/<sftpuserlogin> must be owned by root. sshd refuses the login
# with "bad ownership or modes for chroot directory" if the ChrootDirectory or any
# parent directory is not root-owned or is group/world-writable.
#
mkdir -p /data/ftproot/<sftpuserlogin>/upload
chown -R root:sftp_users /data/ftproot/<sftpuserlogin>
chown -R <sftpuserlogin>:sftp_users /data/ftproot/<sftpuserlogin>/upload

# The same for a domain user
realm permit domainuser01                                # grant the domain user SSH access to the SFTP server
mkdir -p /home/domainuser01                              # create the user home directory
chown 'domainuser01:domain user' /home/domainuser01      # give the user ownership of the home directory
mkdir -p /data/ftproot/domainuser01                      # create the SFTP user directory (the chroot)
chown root:root /data/ftproot/domainuser01               # the chroot itself stays owned by root, as noted above
mkdir -p /data/ftproot/domainuser01/upload               # create the user's SFTP upload directory
chown domainuser01 /data/ftproot/domainuser01/upload
chgrp "domain user" /data/ftproot/domainuser01/upload    # directory ownership: "domainuser01 domain user"
```
- Configure sshd_config

```bash
# Configure sshd
vi /etc/ssh/sshd_config
```

At the bottom of the file, add the following:

```
Match Group sftp_users
    ChrootDirectory /data/ftproot/%u
    ForceCommand internal-sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
```

Where
- ForceCommand internal-sftp restricts the user to SFTP and disallows an SSH shell
- ChrootDirectory /data/ftproot/%u confines the user to their own directory

When the SFTP user logs in, they land in the chroot directory and need to change to the /upload directory before uploading files.
Note: The user does not have permission to upload files in the /data/ftproot/%u directory itself.

```bash
# Save and reload/restart the sshd service
systemctl reload sshd    # reload is enough to apply sshd_config changes
systemctl restart sshd   # or restart, if required

# Test the SFTP login
sftp <sftpuserlogin>@<sftp_server_ip>
```

After a successful login the session lands in the chroot directory:

```
sftp> cd upload     # change to the upload directory
sftp> pwd
Remote working directory: /upload
sftp>
```
How to connect to SFTP with an SSH key

```bash
# On the SFTP client, generate or download the SSH public key
# Upload the SFTP client's SSH public key to the SFTP server
# Append the SFTP client's SSH public key to the SFTP user's /home/domainuser01/.ssh/authorized_keys
cat <SFTP user client SSH public key> >> /home/domainuser01/.ssh/authorized_keys

# Test the connection from the SFTP client
sftp -i <privatekey> sftpuser@sftpserver_ip
sftp -oIdentityFile=<privatekey.file> sftpuser@sftpserver_ip   # if the sftp client does not accept the "-i" option
```

Note:
Cisco IM & Presence requires RSA 3072 keys with a shorter public key size.
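Appending to authorized_keys with `cat >>` works, but sshd (with the default StrictModes yes) silently ignores the file when the home directory, ~/.ssh or authorized_keys is group- or world-writable, and a second `cat >>` leaves duplicate entries. The script below is an added example, not part of the original notes, that installs the key the way sshd expects it: it validates the key line, appends it only once, and sets 700/600 permissions. It assumes the home directory name equals the login name (true for /home/domainuser01 and /data/ftpusers/<sftpuserlogin> above); the key material in the demo is a constructed placeholder, not a real key.

```bash
#!/bin/sh
# Added example (not part of the original notes): install an SFTP client's
# public key into the user's authorized_keys the way sshd expects it.
# Assumption: the home directory's basename is the login user name.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Appends the key once (no duplicates) and sets 700 on .ssh, 600 on the file.
install_authorized_key() {
    home=$1
    pubkey=$2
    # accept only a line that looks like an OpenSSH public key: "<type> <base64> [comment]"
    key=$(head -n 1 "$pubkey")
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing $pubkey: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    keytype=$(printf '%s\n' "$key" | awk '{print $1}')
    keydata=$(printf '%s\n' "$key" | awk '{print $2}')
    if [ -z "$keydata" ]; then
        echo "refusing $pubkey: key line has no key data" >&2
        return 1
    fi
    # StrictModes: sshd ignores the file if .ssh or authorized_keys is group/world-writable
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # compare type and key blob only, so a changed comment does not re-add the key
    if awk -v t="$keytype" -v d="$keydata" '$1 == t && $2 == d {found = 1} END {exit !found}' \
           "$home/.ssh/authorized_keys"; then
        echo "key already present in $home/.ssh/authorized_keys"
    else
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
        echo "key added to $home/.ssh/authorized_keys"
    fi
    # ownership must match the login user; only root can chown, so do it when possible
    if [ "$(id -u)" = "0" ]; then
        owner=$(basename "$home")   # assumption: home basename == user name
        chown -R "$owner" "$home/.ssh" 2>/dev/null || true
    fi
}

# Number of key lines currently in HOME_DIR's authorized_keys (0 if absent).
authorized_key_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    grep -c '^[a-z]' "$1/.ssh/authorized_keys" || true
}

# Constructed demo: a placeholder public key and a temporary "home" directory.
DEMO_HOME=$(mktemp -d)
DEMO_PUBKEY=$(mktemp)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCONSTRUCTEDKEYDATA00000000000 sftp-client@example' > "$DEMO_PUBKEY"
install_authorized_key "$DEMO_HOME" "$DEMO_PUBKEY"
install_authorized_key "$DEMO_HOME" "$DEMO_PUBKEY"   # second call is a no-op
echo "keys installed: $(authorized_key_count "$DEMO_HOME")"
```

On the server, call it as `install_authorized_key /home/domainuser01 /path/to/client_key.pub` as root; with the ChrootDirectory setup above, authentication happens before the chroot, so authorized_keys lives under the real home directory, not under /data/ftproot.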