SCP and SFTP
Secure copy (SCP) is a protocol for transferring files over a Secure Shell connection. The SSH File Transfer Protocol (SFTP) is a related protocol that also runs on top of an SSH back-end. Both protect the transfer by running inside the encrypted and authenticated SSH channel, so neither passwords nor file contents are sent in the clear. SFTP additionally offers capabilities such as resuming interrupted transfers and remote file manipulation (listing, renaming, deletion). Note that since OpenSSH 9.0 the scp command itself uses the SFTP protocol for transfers by default; the legacy SCP protocol is only used when scp is invoked with the -O flag.
Secure file transfer protocol (SFTP)
Install and configure OpenSSH. Once sshd is running, SFTP is available by default through its sftp subsystem.
Access files with the sftp program or SSHFS. Many graphical FTP clients, such as FileZilla, also speak SFTP.
Secure file transfer protocol (SFTP) with a chroot jail
Sysadmins can confine a subset of users to a chroot jail using OpenSSH, restricting their access to a particular directory tree. This is useful for simply sharing some files without granting full system access or shell access. Users with this type of setup can use SFTP clients such as FileZilla to put/get files inside the jail.
Setup the filesystem
Create a jail directory:
# mkdir -p /var/lib/jail
Optionally, bind mount the filesystem to be shared to this directory. In this example, /mnt/data/share is to be used. It is owned by root and has octal permissions of 755. This is not optional: sshd refuses a ChrootDirectory unless the directory and every directory above it are owned by root and writable by nobody else (which also rules out anything below /tmp).
# mount -o bind /mnt/data/share /var/lib/jail
Add a matching entry to /etc/fstab to make the bind mount survive a reboot.
Create an unprivileged user
Create the share user (the sshusers group must exist first) and set a strong password. Its home directory is the jail itself, which is what ChrootDirectory %h in the sshd configuration below resolves to:
# useradd -g sshusers -d /var/lib/jail foo
# passwd foo
Because the jail root must stay owned by root and unwritable by foo, the user needs a subdirectory inside the jail that foo owns before any uploads can succeed.
Setup OpenSSH
Add the following to the end of /etc/ssh/sshd_config to enable the share and to enforce the restrictions. It has to be the end of the file: every directive after a Match line applies only to the connections that match it, so any global option placed below this block would silently become part of it.
/etc/ssh/sshd_config
...
Match Group sshusers
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
    ForceCommand internal-sftp
Check the configuration with sshd -t (a syntax error would otherwise lock everyone out on restart), then restart sshd.service to re-read the config file.
Test that the restrictions are in fact enforced by attempting an interactive ssh connection. The server should return a polite notice of the setup and close the connection:
$ ssh foo@someserver.com
foo@someserver.com's password:
This service allows sftp connections only.
Connection to someserver.com closed.
Secure copy protocol (SCP)
Install, configure and start OpenSSH. It contains the scp utility to transfer files.
Restricted shells that limit an account to scp/sftp use only are available by installing additional packages, for example rssh (AUR) or scponly, described below.
General Usage
Linux to Linux
Copy file from a remote host to local host SCP example:
$ scp username@from_host:file.txt /local/directory/
Copy file from local host to a remote host SCP example:
$ scp file.txt username@to_host:/remote/directory/
Copy directory from a remote host to local host SCP example:
$ scp -r username@from_host:/remote/directory/ /local/directory/
Copy directory from local host to a remote host SCP example:
$ scp -r /local/directory/ username@to_host:/remote/directory/
Copy file from remote host to remote host SCP example:
$ scp username@from_host:/remote/directory/file.txt username@to_host:/remote/directory/
Without further options the data is copied directly between the two remote hosts, so from_host must be able to authenticate to to_host (for example through agent forwarding). With scp -3 the transfer is routed through the local host instead and only local credentials are used, at the cost of the data crossing the network twice.
Linux to Windows
Use a Windows program such as WinSCP
Scponly
Scponly is a limited shell that gives users scp/sftp access and nothing else. Additionally, one can set up scponly to chroot the user into a particular directory, further restricting what the account can reach.
For existing users, simply set the user's shell to scponly:
# usermod -s /usr/bin/scponly username
Adding a chroot jail
The package comes with a script to create a chroot. To use it, run:
# /usr/share/doc/scponly/setup_chroot.sh
Then:
- Provide answers to its prompts.
- Check that /path/to/chroot has root:root as owner and r-x permissions for others.
- Change the shell of the selected user to /usr/bin/scponlyc.
- sftp-server may require some libnss modules such as libnss_files. Copy them to the chroot's /lib path.
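The last step is the one that usually goes wrong, because a chrooted sftp-server cannot load anything that lives outside the jail. The following added example (not part of scponly, OpenSSH or the page) copies sftp-server and scp together with every shared library ldd reports for them, plus the libnss_files module that ldd cannot see because it is loaded with dlopen() at run time. The binary locations are Arch Linux paths assumed here, and /path/to/chroot remains a placeholder exactly as in the list above.

```shell
#!/bin/bash
# Added example; not part of scponly, OpenSSH or the page. Populates an
# scponly chroot with the binaries, shared libraries and NSS modules that
# sftp-server needs. Paths below are Arch Linux locations (assumption).
set -euo pipefail

SFTP_SERVER=/usr/lib/ssh/sftp-server   # assumed Arch path
SCP=/usr/bin/scp
NSS_FILES_GLOB='/usr/lib/libnss_files.so.*'

# Turn `ldd` output into absolute library paths, one per line. Input lines
# look like "libc.so.6 => /usr/lib/libc.so.6 (0x...)" or
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; the vdso entry and a
# "statically linked" line produce nothing.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy every path read from stdin into the chroot under the same path,
# following symlinks so the jail holds a real file and not a link that
# points back outside the jail (the loader cannot follow such a link).
copy_into_chroot() {
    local chroot=$1 mode=$2 path
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        install -D -m "$mode" "$(readlink -f "$path")" "$chroot$path"
    done
}

populate_chroot() {
    local chroot=$1 bin
    for bin in "$SFTP_SERVER" "$SCP"; do
        printf '%s\n' "$bin" | copy_into_chroot "$chroot" 755
        ldd "$bin" | ldd_paths | copy_into_chroot "$chroot" 644
    done
    # NSS modules are dlopen()ed at run time, so ldd never lists them; without
    # libnss_files a jailed sftp-server cannot map uids to names in listings.
    printf '%s\n' $NSS_FILES_GLOB | copy_into_chroot "$chroot" 644
    echo "populated $chroot; run 'chroot $chroot $SFTP_SERVER -h' to verify it starts"
}

if [ "${1-}" = run ]; then
    populate_chroot "${2:?usage: $0 run /path/to/chroot}"
fi
```

The verification hint printed at the end matters: if the dynamic loader or a library is missing, `chroot /path/to/chroot /usr/lib/ssh/sftp-server -h` fails immediately with a "No such file or directory" error from the loader, which is far easier to read than an SFTP client that simply disconnects.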