Help needed with SFTP.

wicky

I use Transmit to transfer files via FTP, but I now need to review my security.

One of the things I'd like to sort out is using SFTP instead of FTP. However, when I update any of my stored account info in Transmit (that all connect ok via FTP), they no longer work.

• I've changed the port from 21 to 22
• I've made sure transfers are set to passive mode
• I've spoken to the ISP... they're not blocking the port
• I'm able to connect via SSH

Any ideas?

Thanx
 
A couple of things come to mind:

1) passive mode with SFTP should be irrelevant, as that is something that is FTP specific.

2) I do not know what kind of SSH server you are using, but I am assuming it is OpenSSH. If not, feel free to disregard it, though the concept may still apply. Check your sshd_config (/etc/sshd_config or /etc/ssh/sshd_config or something like that), and ensure it has a line like this in it that is not commented out:

Subsystem sftp /usr/lib/openssh/sftp-server

-- OR --

Subsystem sftp /usr/libexec/sftp-server


If it's not present, then SFTP isn't going to work. If you end up having to add it, make sure to specify the correct full path to the sftp-server binary, and then restart the ssh daemon.
 
Err... ok, not sure... might need more help.

• The passive mode switch is greyed out and unchecked when I swap to SFTP.
• I used Terminal to make an SSH connection.

The whole SSH / Terminal thing is fairly new to me, so could you possibly speak slowly in a loud voice.

Thanx a bunch
 
Sure. Sorry if I added to the confusion.

Passive mode being greyed out when switching to SFTP would be an indication that it is a feature that is not supported / needed when using SFTP, so no worries there. That just confirms what I was saying earlier, and is completely normal.

So, by your first message, I'm making the following assumptions:

1) You're using a Mac locally
2) You're trying to use SFTP rather than FTP to connect to a server somewhere on the internet, since you mentioned that your ISP is not blocking port 22.
3) Port 22 is not blocked between you and your server, wherever it sits, because you can SSH to it, and SFTP runs over SSH, so if it were blocked, neither one would work.

What I need to determine before I can possibly help further is the following:

1) What operating system is running on the server that you're trying to SFTP to?
2) Do you control the server (able to make administrative changes), or does someone else do that for you?
3) If you end up having to edit configuration files on the remote server over an SSH connection, are you familiar with vi / vim (I am assuming that the remote server is running some variation of UNIX, and is not a Windows server)?

If you do not control the server that you are trying to SFTP to, things get kind of simple (but then again, maybe not). If you do not have the ability to make administrative changes to the server in question, then contact whoever does, and ask them if their SSH server has the SFTP subsystem enabled, and if it's not, see if they will enable it for you.

If you can make administrative changes to the server in question, then my previous reply would stand. If you would need help making those changes, let me know and I'll walk you through it as best as I can.

Basically, what we need to determine is if the SSH server in question supports / has enabled the SFTP subsystem. If it does not, then that would explain why SSH works but SFTP does not.

Let me know what you find out.
 
Very thorough! :)

1. LAMP (Linux 2.6.9)
2. I've got full access
3. I just had to look up the meaning of Vi/Vim so that should tell you a great deal, although if you can provide instruction I learn quite quickly.

....let me know and I'll walk you through it as best as I can.....

Yes please!
 
Ok, we're getting somewhere. What we need to do is as follows (commands that need to be typed are in bold):

1) Connect to your server using an SSH connection from Terminal.

2) Verify that you have sudo / root privileges. Type:

sudo -v

and hit enter. You most likely will receive a prompt for a password. This is your account's password, and not root's password. Enter your account password and hit enter. sudo enables you to perform actions that normally only root would be able to do. It is likely going to be necessary to have root privileges to edit sshd_config.

3) Locate sshd_config. This one is hopefully going to be pretty easy. Type:

sudo find /etc -type f -name 'sshd_config'

If prompted for a password, enter your account password. This should hopefully print out the location for sshd_config.

4) See if the sftp subsystem is enabled. Type:

sudo grep -aHinr 'subsystem' /path/to/sshd_config (substitute the path you found in step #3 above in place of /path/to/sshd_config, and don't type the parentheses or what's in between them on this line)

and hit enter. This should show up a line like the one I mentioned in my first reply, hopefully.

Now, I need two things from you:

1) Copy and paste the output from all of the steps above into a reply so I can see the output. If there is any sensitive information (passwords, etc.), please remove them or replace them with XXX or something like that.

2) Verify if you have vim. Type:

which vim

and hit enter. If it does not print out anything, type:

which vi

and hit enter. The command which will find the path to the program you wish to run if it is in your current path, and is an easy way to see if something is installed or not.

Hopefully you have vim installed, but if you do not, it is not a major problem, so don't sweat it.

Let me know what you find out or if you encounter any problems.
 
Also, it would be helpful to know what flavor of Linux you have installed, as that can make knowing where to look for necessary files a bit easier.

Thanks.
 
[root@xxx ~]# sudo find /etc -type f -name 'sshd_config'
/etc/ssh/sshd_config

[root@xxx ~]# sudo grep -aHinr 'subsystem' /etc/ssh/sshd_config
/etc/ssh/sshd_config:110:# override default of no subsystems
/etc/ssh/sshd_config:111:Subsystem sftp /usr/libexec/openssh/sftp-server

[root@xxx ~]# which vim
/usr/bin/vim

[root@xxx ~]# which vi
alias vi='vim'
/usr/bin/vim
 
drwxr-xr-x 2 root root 4096 Oct 17 2007 .
drwxr-xr-x 6 root root 4096 Oct 17 2007 ..
-rwxr-xr-x 1 root root 30784 Jul 18 2007 sftp-server
-rws--x--x 1 root root 434644 Jul 18 2007 ssh-keysign
 
That looks right to me. Based on your output, it seems like sftp should be working. I assume you have a username and password for your SSH account. If you open up Terminal and type:

sftp {username}@{servername}:{/path/to/directory}

where {username} is your SSH account name, {servername} is the name or IP address of your SFTP server, and {/path/to/directory} is the path you want to upload to / download from, what happens?

Please post the output from that. Hopefully something will stand out from that.

Let me know what happens.
 
Thanks for all your help chap, much appreciated. I had a root around in Plesk and found the issue. It turns out that I had denied shell access on a per a/c basis.

I didn't really understand the various security implications before though. The problem now is working out whether to continue with FTP or swap to SFTP.

As I understand it, FTP means everything is transferred in the open (and can therefore be intercepted), whereas SFTP means everything is encrypted but I'm allowing shell access. Not sure which option is most/least secure.

Any thoughts?

Ta
 
I'm glad to hear that you were able to discover the issue in Plesk and correct it. I'm not very versed on Plesk and probably wouldn't have been much help there.

As for FTP vs. SFTP; SFTP is more secure and is recommended over FTP. That having been said, the concern that if you are giving someone SFTP access you are also in effect giving them shell access is a valid one. There are two things I can recommend.

1) Turn off username / password prompting and use public key / private key authentication. "man sshd_config" will be your friend here, and the option to turn off (comment out) by default on most SSH servers is PasswordAuthentication. "PasswordAuthentication no" in your sshd_config will keep users from being able to supply (and therefore attempt to brute force guess) usernames and passwords for accounts. It uses either RSA or DSA private key / public key pairs, and is very secure; it is a lot more unlikely that someone will be able to brute force a combination that way. "man ssh-keygen" and "man ssh-agent" should provide some useful information here.

2) Use an alternate shell for accounts that you want to have only SFTP access. rssh (http://www.pizzashack.org/rssh/) is perfect for this, though I must admit I don't know how well it plays with Plesk.

Those are the thoughts that immediately come to mind for ways to secure SFTP access without giving away the keys to the candy store by allowing shell access. I would advise reading up on the man pages and the links I've posted here. It should help clear things up for you somewhat.

HTH
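Added example, not posted by anyone in this thread: a small POSIX shell audit that does in one step what the diagnostic post (find sshd_config, grep for the Subsystem line) and the hardening post (PasswordAuthentication no) describe. It parses an sshd_config the way OpenSSH does for the two directives in question (comments skipped, keywords case-insensitive, first active occurrence wins, Match blocks ignored) and reports whether SFTP is enabled and whether password logins are still allowed. The sample configs it writes are constructed for the demo; the function names and the /usr/libexec/openssh/sftp-server path are assumptions and not from any real server. Point it at the path the find command from the thread prints on your own box.

```shell
#!/bin/sh
# sshd_audit.sh (added example, not from the thread)
# Checks an sshd_config for two things the thread discusses:
#   1. an active "Subsystem sftp <path>" line (without it SSH works, SFTP does not)
#   2. "PasswordAuthentication no" (only key-based logins accepted)

# Print the arguments of every active (uncommented) occurrence of a directive
# in the global section of an sshd_config, one per line, in file order.
# Keywords are case-insensitive; parsing stops at the first Match block.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }   # comment line
        /^[[:space:]]*$/       { next }   # blank line
        tolower($1) == "match" { exit }   # do not read Match blocks
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
            sub(/[[:space:]]+$/, "")                           # trailing spaces
            print
        }' "$1"
}

# Print the sftp-server path if an SFTP subsystem is configured; return 1 if not.
sftp_subsystem_path() {
    _p=$(sshd_directive "$1" Subsystem | awk '$1 == "sftp" && NF >= 2 { print $2; exit }')
    [ -n "$_p" ] || return 1
    printf '%s\n' "$_p"
}

# Effective PasswordAuthentication value: OpenSSH defaults to "yes" when the
# directive is absent, and the first active occurrence wins.
password_auth_state() {
    _v=$(sshd_directive "$1" PasswordAuthentication | head -n 1 | tr 'A-Z' 'a-z')
    printf '%s\n' "${_v:-yes}"
}

# Run both checks, print a report, and return the number of findings (0 = clean).
audit_sshd_config() {
    _findings=0
    if _path=$(sftp_subsystem_path "$1"); then
        printf 'OK   SFTP subsystem enabled: %s\n' "$_path"
    else
        printf 'FAIL no active "Subsystem sftp" line: SSH will work but SFTP will not\n'
        _findings=$((_findings + 1))
    fi
    if [ "$(password_auth_state "$1")" = no ]; then
        printf 'OK   PasswordAuthentication no (key-based logins only)\n'
    else
        printf 'FAIL PasswordAuthentication is effectively "yes": passwords can be guessed\n'
        _findings=$((_findings + 1))
    fi
    return $_findings
}

# Constructed sample configs (not from any real server) for a demo run.
# $1 = destination path, $2 = "weak" or "hardened"
write_sample_config() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
# constructed sample: hardened
Port 22
PasswordAuthentication no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: weak (both directives still commented out)
Port 22
#PasswordAuthentication no
#Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    fi
}

# Audit both samples; on a real server run:  audit_sshd_config /etc/ssh/sshd_config
demo() {
    _dir=$(mktemp -d) || return 1
    for _kind in weak hardened; do
        write_sample_config "$_dir/sshd_config.$_kind" "$_kind"
        printf '== %s sample ==\n' "$_kind"
        audit_sshd_config "$_dir/sshd_config.$_kind" || printf '%s finding(s)\n' "$?"
    done
    rm -rf "$_dir"
}

demo
```

The weak sample reproduces the "SSH works but SFTP does not" situation from the thread (the Subsystem line is present but commented out), and the hardened one matches the grep output posted above plus the PasswordAuthentication change from the last reply. After editing sshd_config, restart the SSH daemon as the earlier reply says, and keep an existing SSH session open while you confirm a key-based login still works so a mistake in the file does not lock you out. For the shell-access concern, rssh as recommended above is one option; OpenSSH releases from 4.9 onward also provide an internal-sftp subsystem that can be forced for a group with a Match block, which avoids installing a separate restricted shell.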
 