OpenSSHd SFTP w/ Upload Only account (no patching required)



Squirrelington

A brief summary of why I was attempting to do this, the pitfalls I experienced and how I overcame the obstacles.

 

The department I work in at the company where I am employed frequently has a need to upload data from a customer's system but also sometimes needs to be able to give login credentials to another external entity (such as a local IT professional) to upload data. Ultimately we wanted to have a single user for the purpose of uploading data, but one that was secure in the fact that other users using this login couldn't download each other's data before it was removed from the server by us.

 

For the past year we have been using ProFTPd to achieve this functionality and it had been working fine up until recently. It now seemingly randomly stops accepting new connections and I was getting frustrated. Initially when I set up the server I had attempted to use OpenSSHd's internal-sftp and /usr/lib/sftp-server to achieve what I wanted to do using a combination of chroot and umask but ultimately fell flat. Umask left us with the user able to create directories and not enter them unless I allowed a umask that gave permissions I was trying to restrict, and it also didn't stop a user from chmodding in their SFTP client. Searching Google left me with tons of answers, but none of them fit exactly what we were trying to do unless we patched OpenSSHd and recompiled, something I was attempting to avoid for the sake of ease of maintenance (updating with apt-get rather than manually compiling in patches each time a new version comes out).

 

I had finally figured out how to make this system work, and it may seem relatively obvious, but there was no info I could find on Google for this, at least with the keywords I was trying, and hopefully this helps someone out. :)

 

---

 

First I added the users we will have in the system for SFTP.

adduser conversions

adduser uploadonly

 

For the conversions and uploadonly user

Squirrelington

I didn't really mention it up there but, for clarification, the conversions account is an account that can download and upload, and we use that for employees only so we can transfer whatever; the uploadonly account is the limited one we usually use for just uploading and handing out to vendors and IT people.

binaryzero

glFTPD could've possibly done what you were trying to achieve. 

This topic is now closed to further replies.