Electricmonk

Ferry Boender

Programmer, DevOpper, Open Source enthusiast.


SFTP pointers

Wednesday, August 8th, 2007

Some quick notes on SFTP.

Identity file

ssh and scp have an -i option for specifying which file holds the private key to authenticate with. The sftp of this era doesn't have that switch (later OpenSSH releases added one), but you can always pass it through the -o switch, which accepts any ssh_config option:

sftp -o IdentityFile=/home/user/.ssh/some_key_rsa username@hostname

Batch mode

If you want to do stuff in batch mode (from a script or something), you can use the -b option. Normally this requires that you write a file with the commands you want to run, but with -b -, you can make sftp read the commands from STDIN. Batch mode disables interactive prompting, so it only works with key-based (or otherwise non-interactive) authentication. By default sftp aborts the batch at the first command that fails; prefix a command with - (e.g. -rm oldfile) if a failure of that one command should not stop the rest:

echo "PUT myfile" | sftp -o IdentityFile=/home/user/.ssh/some_key_rsa -b - username@hostname

Most programs understand the - value for commandline arguments, and read the input not from a file but from stdin.
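As an added example (not part of the original post), here is a small script that builds on the -b - trick: it generates the batch commands for every regular file in a local directory and feeds them to one sftp session over stdin. The key path, the user@host and the remote directory are placeholders you have to fill in; the helper that emits the commands is separate from the one that runs sftp so you can inspect the batch before pointing it at a server.

```shell
#!/bin/sh
# Added example: upload all regular files in a directory in a single
# sftp batch session read from stdin. KEY and TARGET are placeholders.
KEY="${KEY:-$HOME/.ssh/some_key_rsa}"
TARGET="${TARGET:-username@hostname}"

# Emit the batch commands for one local directory.
# The mkdir and every put are prefixed with "-" so that one failure
# (directory already exists, one unreadable file) does not abort the
# whole batch; the cd is left unprefixed because nothing below it makes
# sense if the remote directory is not there.
sftp_batch_commands() {
  local_dir=$1
  remote_dir=$2
  printf '%s\n' "-mkdir $remote_dir"
  printf '%s\n' "cd $remote_dir"
  for f in "$local_dir"/*; do
    [ -f "$f" ] || continue
    # sftp splits on whitespace, so quote the local path
    printf '%s\n' "-put \"$f\""
  done
  printf '%s\n' "bye"
}

# Run the batch. -b - reads the commands from stdin; BatchMode=yes makes
# ssh fail outright instead of hanging on a password prompt when the key
# is not accepted, which is what you want from cron.
sftp_upload_dir() {
  sftp_batch_commands "$1" "$2" |
    sftp -o IdentityFile="$KEY" -o BatchMode=yes -b - "$TARGET"
}
```

Call it as sftp_upload_dir /var/spool/outgoing /incoming; run sftp_batch_commands on its own first to see exactly what will be sent.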

Allow only SFTP and not SSH

If you want to disallow SSH login but still offer SFTP to a user, you can force that by specifying the only command the key may run in the .ssh/authorized_keys file (authorized_keys2 is the older name; sshd reads both by default):

$ cat .ssh/authorized_keys2
command="/usr/lib/sftp-server" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQDAvMJNhB2qDj0C0R4CcbIjIW2arkoAL2HsiP5zfzQfv1uMmZvrRSAO1TgW8qzw0sPRoFOOBARS1yP4Nk4LJBvM0m5BXaim4kWMS2PuoeN9W0nzkwg9+c966/ekQrDt154o8Ef3TRl7uVyOhQc//um0tekuUQ25e6GP3BsFv5Jtn7JZlejcm3d3AFgYJL/DIi43ymptT8TlapJgcUgUQ8Ts6utpvA/BDEAF4G8HnkT2Q7khJfcqIGhc4M0U2JX+46UTvy2HXtuiDcusP7CLY7sw3G+WB5pWu0A3kpV5Iuou68eQTaMVyPDhaQDVbRTmjmQo49n6Sc63krcyBW0mBtYmzQ== comment

You'll have to make sure that the user can't write to the .ssh directory nor upload files such as .bashrc, .profile, etc. sshd executes ~/.ssh/rc (if present) and then starts the forced command through the user's login shell, which, depending on the shell, reads files like .bashrc, so a user who can overwrite those by uploading their own version can still execute anything they like just by logging in with sftp. Create these files yourself and change their ownership and rights so that the user can't write to them. Because it's hard to guess which files you would have to pin down, it's best to simply create a separate directory in which they can upload stuff and lock off write access to the rest of their home directory. While you're at it, add no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding in front of the key: command= on its own still lets the key be used for port forwarding.

It's not terribly secure, but better than simply allowing ssh access. Later OpenSSH releases (4.9 and up) do this properly with ForceCommand internal-sftp and ChrootDirectory in a Match block in sshd_config, which needs no sftp-server binary in the chroot and no juggling of dotfile permissions.

The text of all posts on this blog, unless specifically mentioned otherwise, is licensed under this license.