SFTP pointers
Wednesday, August 8th, 2007
Some quick notes on SFTP.
Identity file
ssh and scp have an -i option for specifying which file has the private key with which to authenticate. sftp doesn’t have that switch, but you can specify one with the -o switch:
sftp -o IdentityFile=/home/user/.ssh/some_key_rsa username@hostname
Batch mode
If you want to do stuff in batch mode (from a script or something), you can use the -b option. Normally, this would require that you write a file with the commands you want to run, but with -b -, you can make sftp read the commands from STDIN:
echo "PUT myfile" | sftp -o IdentityFile=/home/user/.ssh/some_key_rsa -b - username@hostname
Most programs understand - as a command-line argument and then read their input from stdin instead of from a file.
Allow only SFTP and not SSH
If you want to disallow SSH login, but still want to offer SFTP for a user, you can force that by specifying a command they may run in the .ssh/authorized_keys2 file:
$ cat .ssh/authorized_keys2
command="/usr/lib/sftp-server" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQDAvMJNhB2qDj0C0R4CcbIjIW2arkoAL2HsiP5zfzQfv1uMmZvrRSAO1TgW8qzw0sPRoFOOBARS1yP4Nk4LJBvM0m5BXaim4kWMS2PuoeN9W0nzkwg9+c966/ekQrDt154o8Ef3TRl7uVyOhQc//um0tekuUQ25e6GP3BsFv5Jtn7JZlejcm3d3AFgYJL/DIi43ymptT8TlapJgcUgUQ8Ts6utpvA/BDEAF4G8HnkT2Q7khJfcqIGhc4M0U2JX+46UTvy2HXtuiDcusP7CLY7sw3G+WB5pWu0A3kpV5Iuou68eQTaMVyPDhaQDVbRTmjmQo49n6Sc63krcyBW0mBtYmzQ== comment
You’ll have to make sure that the user can’t write to the .ssh directory or upload files such as .bashrc, .profile, etc. Otherwise the user can overwrite those by uploading their own version, and can still execute anything they like just by logging in with sftp. You can do this by creating these files and then changing their ownership and permissions in such a way that the user can’t write to them. Because it’s hard to guess which files you should create so that the user can’t cause any harm, it’s best to simply create a separate directory in which they can upload stuff, and lock off write access to their entire home directory.
It’s not terribly secure, but better than simply allowing ssh access.
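The forced command is attached to one key line only, so any other line in the same file that lacks it still allows a normal login. The check below is an added example, not part of the original post: it lists the lines of an authorized_keys file that are not pinned to the sftp-server path used above. The function names and the sample keys are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report authorized_keys lines
# that are NOT pinned to the forced sftp-server command.
FORCED='/usr/lib/sftp-server'   # path as used in the post; differs per system

# unrestricted_keys FILE ("-" reads stdin); exit status 1 if a line is reported
unrestricted_keys() {
    awk -v want="command=\"$FORCED\"" '
    function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        found = 0; cur = ""; inq = 0; n = length(line)
        # Walk the leading options field: options are comma-separated and the
        # field ends at the first space outside double quotes.
        for (i = 1; i <= n; i++) {
            c = substr(line, i, 1)
            if (inq && c == "\\") { i++; cur = cur c substr(line, i, 1); continue }
            if (c == "\"") inq = !inq
            if (!inq && (c == "," || c == " " || c == "\t")) {
                k = index(cur, "=")             # option names are case-insensitive
                if (k && (tolower(substr(cur, 1, k)) substr(cur, k + 1)) == want) found = 1
                cur = ""
                if (c != ",") break
                continue
            }
            cur = cur c
        }
        if (!found) report("key is not restricted to " want)
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample file; the key material is shortened placeholder text.
sample_keys() {
    cat <<'EOF'
# constructed sample, not real keys
command="/usr/lib/sftp-server" ssh-rsa AAAAconstructed1 upload-key
ssh-rsa AAAAconstructed2 second-key-added-later
no-pty,command="/bin/sh -c \"echo hi\"" ssh-rsa AAAAconstructed3 other
No-Pty,Command="/usr/lib/sftp-server" ssh-ed25519 AAAAconstructed4 ok
from="192.0.2.7",no-pty ssh-rsa AAAAconstructed5 command="/usr/lib/sftp-server"
EOF
}

sample_keys | unrestricted_keys - || echo "these keys are not limited to sftp-server"
```

The last sample line shows why a plain grep for the command string is not enough: there the string sits in the comment field, not in the options.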