Secure FTP transfers

Getting images, files and folders onto and off a Slice can be difficult when security is a concern.

This article takes a look at SFTP - part of the SSH package - as a way of securely transferring files to your Slice.


Installation

SFTP (SSH File Transfer Protocol) is part of the SSH package.

In other words, there is nothing to install as it is ready to use.

Configuration

There is also nothing to configure.

Once you have set up your user(s) and configured SSH for your needs, SFTP uses the same usernames and ports.

Please see the Slice setup articles for more details of the initial Slice configuration - Ubuntu Hardy - Slice setup #1

Security

As mentioned, SFTP uses the SSH protocol to connect to your Slice.

As such, the connection and all data are encrypted to prevent any eavesdropping of passwords or sensitive data.

SFTP Client

We can start by looking at an SFTP client.

The 'client' is a programme on your local workstation. I won't go into listing all the available SFTP clients but suffice to say that the vast majority of modern FTP clients also support SFTP (keep in mind SFTP does not use the 'typical' FTP protocols and so some older FTP clients may not support SFTP).

You can search for SFTP clients for Windows, OS X, Linux or other Operating Systems.

Due to the vast array of clients available I can't go into how to use each one (they should have plenty of documentation with the software).

However, the preferences/options panel will allow you to enter the SFTP details.

Take a look at this example:

[Screenshot: SFTP Setup Panel]

If you have followed the setup articles (see the link above) you will notice the details are the same as those we used to set up SSH.

We have the Slice IP, the user named 'demo', and port 30000 (the same port we set in the sshd_config file).

The protocol has been specified as SFTP - this particular client has several options available.

Lastly, you should be able to set the path for the UI. In this case, I want to open the client in my home partition.

Once I have submitted the information, I am connected to the Slice:

[Screenshot: Root File System]

Note: In this case I have accessed the Slice at the root folder level. As such, you can browse the folders as shown above.

Most clients will allow you to 'double click' on a file and edit it in a local browser.

Permissions

Which brings us nicely to permissions.

Do remember that you are using the same details as the SSH user - as such they won't be able to automatically edit files owned by root.

All that would happen is a nice 'permission denied' error if you tried to open or save any changes to a root owned file.

So what to do about the permissions?

Well, to be honest, there isn't a lot you can do about it. The permissions are there for a good reason and are an integral part of Linux and how it is designed.

Neither do I recommend logging in as root - part of the initial SSH setup entailed disabling root logins.

However, beyond the initial Slice setup, there should be little reason to mess around with files owned by root and any changes in configurations would be done from the command line using the 'sudo' command.

The main reason for using SFTP clients is to ease the transfer of files - most of which will be to your public_html folder which you will have permission to write.
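
The port entered in the client and the disabled root login mentioned above both come from the sshd_config file. As an added example (not part of the original article), this shell script reads the global section of a config and reports the values an SFTP client depends on; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): read the global section of an
# sshd_config and report the settings an SFTP client depends on.

# Constructed sample modelled on the setup the article describes.
sample_sshd_config() {
cat <<'EOF'
# constructed sample
Port 30000
permitrootlogin no
# a later duplicate is ignored: sshd keeps the first value it reads
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User guest
    PasswordAuthentication no
EOF
}

# sshd_global KEYWORD < config : print the effective global value(s).
# Assumes the "Keyword value" form; Include files are not followed.
sshd_global() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        # keywords that may legitimately appear more than once
        BEGIN { multi = (want ~ /^(port|listenaddress|hostkey|subsystem)$/) }
        /^[ \t]*#/ || NF == 0 { next }     # comment or blank line
        { key = tolower($1) }              # keywords are case-insensitive
        key == "match" { exit }            # conditional blocks start here
        key != want { next }
        !multi && seen++ { next }          # first value wins
        { $1 = ""; sub(/^[ \t]+/, ""); print }
    '
}

# sftp_preflight < config : print what to enter in the client; return 1 if
# root login is not explicitly disabled or the sftp subsystem is missing.
sftp_preflight() {
    cfg=$(cat); rc=0
    ports=$(printf '%s\n' "$cfg" | sshd_global Port | xargs)
    root=$(printf '%s\n' "$cfg" | sshd_global PermitRootLogin)
    sftp=$(printf '%s\n' "$cfg" | sshd_global Subsystem | awk '$1 == "sftp"')
    echo "SFTP port(s): ${ports:-22 (default)}"
    [ "$root" = "no" ] || { echo "WARN: PermitRootLogin is '${root:-unset}'"; rc=1; }
    [ -n "$sftp" ] || { echo "WARN: no sftp subsystem configured"; rc=1; }
    return $rc
}

sample_sshd_config | sftp_preflight
```

On a real server, pipe the actual file in instead of the sample, for example `sudo cat /etc/ssh/sshd_config | sftp_preflight`.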

Summary

Secure FTP connections are very easy when using SFTP - it is already installed as part of SSH and all you need is a client that supports the SFTP protocol.

Transferring files and folders to your home directory has never been easier or more secure.

PickledOnion

Article Comments:

Brian Pence commented Wed May 28 15:45:20 UTC 2008:

Try AbsoluteTelnet. It's a great SSH client and I just added SFTP in the latest version. It has a nice GUI interface. Check my sig for the location.

Brian Pence Celestial Software http://www.celestialsoftware.net AbsoluteTelnet (for telnet and ssh)

nek4life commented Thu May 29 00:33:51 UTC 2008:

How would one go about setting sftp up for more than one user account? Say I have multiple users for multiple domains and I want to lock them in their websites directory.

Van Glass commented Thu May 29 21:00:07 UTC 2008:

For a free no-install, platform independent FTP/S, SFTP client you might want to look at AnyClient

loudestnoise commented Thu Jun 05 18:22:01 UTC 2008:

@nek4life You would need to create a new user and the way I have it set up, I put the public web root of each user's domain they need access to inside their user account, which then allows you to effectively lock them to their domain as they don't have permissions to write to anything outside of their user account since they are not a sudoer unless you make them one.

Mike Fernandez commented Fri Jun 27 06:04:16 UTC 2008:

I am just wondering "Permission denied" always pops out my SFTP client, Transmit. Can you help me? Anyone? Thanks!

Mike Fernandez commented Fri Jun 27 06:11:47 UTC 2008:

Sorry guys, my bad. My SFTP now works. I used the wrong user that's why. Thanks!

Pedro Marban commented Sun Nov 16 11:52:05 UTC 2008:

I need to receive frequent files from untrusted sources. Do you recommend to install an FTP server like vsftpd or is that considered insecure and have I to stand with SFTP?

Bob Walsh commented Mon Jan 12 03:55:41 UTC 2009:

I'm getting the "Permission denied" always pops out my SFTP client, Transmit. error.

What's the right way of moving files from localhost to my server? The OP mentioned basically SFTP'in into public_html. What's the path to that folder? (Yes, I am a Linux newbie. Please don't hate me.)

James Zimmerman commented Wed Feb 25 20:25:00 UTC 2009:

I prefer to create a separate folder for each domain a user account will be hosting, each with its own public_html sub-folder (and appropriate vhost settings) for viewable content. Some frameworks are better secured by having their configuration and libraries one level above public access and if you leave this as the user's public_html you can't keep the individual configurations intact easily, having one user account to manage all their domains it is a lot simpler to maintain and easier to administer. Just my two cents. For users I trust on my ubuntu system I will provide them a vhost.conf file in their home directory and symlink this to /etc/apache2/sites-available/(username).conf then I'll review and reload the configuration if I don't see anything out of the ordinary.

Tom Clancy commented Tue Mar 10 13:27:39 UTC 2009:

@Bob: the path should be /var/www

Radovan commented Sat Mar 21 17:27:33 UTC 2009:

I like WinSCP portable (for Windows).

http://winscp.net/eng/download.php

Morten Blaabjerg commented Wed Jul 22 11:30:46 UTC 2009:

I'm surprised the article didn't mention how to match public/private RSA keys for authentication with SFTP. Is this just taken for granted knowledge or won't most users need to do this? I found that some FTP clients will say they enable SFTP but then don't enable you to match public/private keys. Others, like FileZilla requires the keyfile to not be password-protected.

I personally found WinSCP to be a painfully slow SFTP client - while FileZilla is both pretty snappy and runs very solidly.

Matt commented Thu Dec 17 21:09:37 UTC 2009:

Having problems connecting. Mine says the password/username is wrong when I know it's correct. Any ideas?

Kevin E. commented Sat Feb 13 01:54:04 UTC 2010:

Matt, I know it's a little late, but in my ftp/sftp client (Filezilla), I had to switch the login mode to "interactive" instead of "normal" to get my user/pass to work. I was then able to accept the rsh key and provide my password.

Tom B commented Thu Apr 29 16:08:18 UTC 2010:

Thanks Kevin.

Brian commented Fri May 21 22:54:15 UTC 2010:

If you are using a program that doesn't support SFTP but only FTP and you still want to securely transfer files over, look into setting up an FTP server on your slice that only listens on the localhost (doesn't allow remote connections) and then use SSH Port Forwarding to get into your box remotely. Your local ftp client will think it's connecting to a local ftp server on your client machine, but in fact the connection is being securely forwarded to inside your slice.

Serg commented Wed May 15 22:34:34 UTC 2013:

What of FTP transfer remotely, any Idea how to add it?
