Skill - SFTP server in Windows with multiple users and read-only option
### Skills Required
- Setup SFTP server and SFTP client in Windows using OpenSSH server and WinSCP
- Setup Logging for SFTP server in Windows

Go through the above skills if necessary for reference or revision.
- In this post we will set up a Windows OpenSSH based SFTP server with multiple users and a read-only option.
- User logins can be controlled using the `sshd_config` file located in the `C:\ProgramData\ssh` folder.
- Read-only access can be controlled at the operating system level.
### Setup SFTP for multiple users

### Step 1: Create the user account (if not present)
- A new user can be created in Windows by searching for “Add, edit, or remove other users” in System Settings or Windows search.
### Step 2: Modify sshd_config file for providing access to the user
- Create a section in the `sshd_config` file located in the folder `C:\ProgramData\ssh`, as shown below:

```
Match User james
ChrootDirectory "~/Downloads"
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
ForceCommand internal-sftp
PasswordAuthentication no
PubkeyAuthentication yes
```
- In the above example, a section is created in the `sshd_config` file for the user `james`. `PasswordAuthentication` and `PubkeyAuthentication` can be set as per requirement. `ChrootDirectory` in this example is `~/Downloads`, which means the full path would be `C:\Users\James\Downloads`. In this way `~` can be used to express the SFTP root folder path relative to the user directory. However, an absolute path can also be set, like `ChrootDirectory "C:\Users\John\Documents\test"`, provided the Windows user `james` has at least read access to the folder `C:\Users\John\Documents\test`.
### Step 3: Setup authorized_keys file in .ssh folder of the user (for private key authentication)
- If a user is to be authenticated using private key based authentication, the corresponding public key should be kept on a new line of the `authorized_keys` file inside the `C:\Users\<username>\.ssh` folder.
- The access control list (ACL) of the `authorized_keys` file should be configured such that only the `Administrators` and `System` users have access to this file.
- To achieve this, open a command prompt as administrator and run the following command:

```
icacls.exe "C:\Users\James\.ssh\authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
```

- You can verify the access control list of the `authorized_keys` file by right-clicking the file -> Properties -> Security tab, as shown in the image below.
- Not ensuring the permissions of the `authorized_keys` file will fail the login attempts, hence it is important. Login failures due to wrong file permissions of the `authorized_keys` file will be logged in the SFTP server logs. Check out this blog post to know how to see SFTP server logs.
### Setup Read-only access of SFTP server to the user
- For this example, let us set up a read-only SFTP folder for a Windows user `james`.
- Take a folder which is outside `C:\Users\james`, for example `C:\Users\otheruser\Documents\reports`.
- Share the folder with only read access to the user `james`.
- In the `sshd_config` file, set the `ChrootDirectory` to the above folder. For example:

```
ChrootDirectory "C:\Users\otheruser\Documents\reports"
```

- Now when the user logs in, the folder contents can be accessed but not modified by the logged-in user.
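Steps 2 and 3 above together with the read-only setup, as one elevated PowerShell script. This is an added example, not the post's own commands; the user name `james`, the shared folder `C:\Users\otheruser\Documents\reports` and the public-key path `C:\temp\james_id_ed25519.pub` are assumed placeholders.

```powershell
# Added example (not from the original post). Provisions the Windows user "james" as an
# SFTP-only, chrooted, read-only account on Win32-OpenSSH. Run from an elevated PowerShell.
# Assumed placeholders: the user name, the shared folder and the location of the public key.
$User       = 'james'
$ChrootDir  = 'C:\Users\otheruser\Documents\reports'   # folder outside the user's own profile
$PubKeyFile = 'C:\temp\james_id_ed25519.pub'           # assumed path of the user's public key
$SshdConfig = 'C:\ProgramData\ssh\sshd_config'

# 1. Match block: SFTP only (no shell, no forwarding), key-based login only.
#    Everything after a Match line belongs to that block, so it is appended at the end.
$matchBlock = @"

Match User $User
    ChrootDirectory "$ChrootDir"
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
    ForceCommand internal-sftp
    PasswordAuthentication no
    PubkeyAuthentication yes
"@
if (-not (Select-String -Path $SshdConfig -Pattern "^Match User $User\b" -Quiet)) {
    Add-Content -Path $SshdConfig -Value $matchBlock
}

# 2. authorized_keys: append the public key, then restrict the ACL to Administrators and SYSTEM
#    (sshd refuses the key file, and the login fails, if anyone else can write to it).
$sshDir   = "C:\Users\$User\.ssh"
$authKeys = Join-Path $sshDir 'authorized_keys'
New-Item -ItemType Directory -Path $sshDir -Force | Out-Null
Add-Content -Path $authKeys -Value (Get-Content -Path $PubKeyFile)
icacls.exe $authKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# 3. Read-only chroot: grant james read/execute only; (OI)(CI) propagate the grant to
#    child files and folders. No write ACE is added, so uploads and deletes are refused.
icacls.exe $ChrootDir /grant "${User}:(OI)(CI)RX" | Out-Null

Restart-Service -Name sshd

# 4. Verify: the key file carries only the two intended ACEs, and james holds no write rights
#    on the chroot folder.
(Get-Acl -Path $authKeys).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
$userAces = (Get-Acl -Path $ChrootDir).Access | Where-Object { $_.IdentityReference -like "*\$User" }
if ($userAces | Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' }) {
    Write-Warning "$User still has write rights on $ChrootDir"
}
```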
### Video
The video for this post can be found [here](https://youtu.be/G0AE4MmRSJI)
### References
- OpenSSH SFTP server installation guide - https://winscp.net/eng/docs/guide_windows_openssh_server
- OpenSSH SFTP server official installation guide - https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
- OpenSSH logging official documentation - https://github.com/PowerShell/Win32-OpenSSH/wiki/Logging-Facilities
Can you share your working sshd_config? I was not able to make it work.