Simple SFTP setup

This SFTP setup is NOT chrooted, nor is it otherwise restricted against root connections.

A minimal initial install was spun up. Then, beyond that minimal base, three packages were installed: rsync, man and openssh-clients.

[root@host-172-16-1-198 ~]# reset 
[root@host-172-16-1-198 ~]# cat sftp-setup.txt 

    5  yum install rsync man 
    6  yum install openssh-clients 
   11  grep sftp /etc/services     
   12  cd /etc/sysconfig/          
   13  joe iptables                
   14  vi iptables                 
   15  service iptables restart    
   18  passwd                      
   19  sftp localhost              
   20  ssh localhost               
   21  history > sftp-setup.txt    

We explicitly open the sftp port; it is not clear that this is required (the SFTP session is carried inside the SSH connection on port 22, and the sftp entry in /etc/services names a different, older protocol on TCP port 115):

# Firewall configuration written by system-config-firewall 
# Manual customization of this file is not recommended.   
*filter                                                   
:INPUT ACCEPT [0:0]                                       
:FORWARD ACCEPT [0:0]                                     
:OUTPUT ACCEPT [0:0]                                      
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   
-A INPUT -p icmp -j ACCEPT                                
-A INPUT -i lo -j ACCEPT                                  
-A INPUT -i eth1 -j ACCEPT                                
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited             
-A FORWARD -j REJECT --reject-with icmp-host-prohibited           
COMMIT
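To see what the saved ruleset above actually opens, the following added example (not part of the original HowTo) parses a constructed copy of the INPUT rules in the /etc/sysconfig/iptables format and resolves each --dport the way iptables does, through the service-name table. The inline table holds the IANA assignments for the two names the page uses (ssh 22/tcp, sftp 115/tcp); on a real host "getent services NAME" gives the authoritative answer.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: list the TCP ports that
# a saved iptables ruleset (the /etc/sysconfig/iptables format above)
# accepts for NEW inbound connections, and show what each name resolves to.

# Constructed copy of the INPUT rules shown on this page.
RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# service_port NAME_OR_NUMBER -> port number. iptables resolves names
# through /etc/services (getservbyname); on a real host
# "getent services NAME" gives the authoritative answer. The inline table
# holds the IANA assignments for the two names this page uses: ssh is
# 22/tcp, and sftp is 115/tcp, the old Simple File Transfer Protocol,
# which is unrelated to the SFTP subsystem of OpenSSH (port 22).
service_port() {
    case "$1" in
        ''|*[!0-9]*) ;;                     # empty or contains a non-digit: a name
        *) printf '%s\n' "$1"; return 0 ;;  # already numeric
    esac
    case "$1" in
        ssh)  echo 22 ;;
        sftp) echo 115 ;;
        *)    echo unknown; return 1 ;;
    esac
}

# open_tcp_ports -> one --dport value per line, taken only from rules that
# accept NEW TCP connections on INPUT (rules in another chain, without
# --state NEW, or with a non-ACCEPT target are ignored).
open_tcp_ports() {
    printf '%s\n' "$RULES" | awk '
        /-A INPUT / && /-p tcp/ && /--state NEW/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# report -> one human-readable line per opened port, with the resolved number.
report() {
    open_tcp_ports | while read -r svc; do
        printf 'INPUT accepts tcp/%s (rule says --dport %s)\n' "$(service_port "$svc")" "$svc"
    done
}

report
```

Run against the page's rules, report shows tcp/22 and tcp/115; the second line is the one the sftp rule actually adds, and it plays no part in the SFTP sessions demonstrated below.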

This is the list of services and the runlevels in which they are enabled:

acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off 
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off

And the proof of concept; note that we did NOT alter /etc/ssh/sshd_config in this example:

[root@host-172-16-1-198 ~]# sftp localhost 
Connecting to localhost...
root@localhost's password:
sftp> ls
sftp-setup.txt
sftp> ls -l
-rw-r--r--    1 root     root         1830 Oct 15 08:31 sftp-setup.txt
sftp> quit
[root@host-172-16-1-198 ~]#

and ssh access:

[root@host-172-16-1-198 ~]# ssh localhost 
root@localhost's password:
Last login: Mon Oct 15 08:30:29 2012 from 10.16.1.106
[root@host-172-16-1-198 ~]# logout
Connection to localhost closed.
[root@host-172-16-1-198 ~]#

Both key-based ('keyed') ssh authentication and password-based authentication will work. From a remote host, when the key is present, we are NOT challenged for the password. After an edit to stop the key from being offered remotely, we are prompted for the password:

[herrold@centos-6 ~]$ # keyed ssh set up 
[herrold@centos-6 ~]$ date
Mon Oct 15 12:57:07 EDT 2012
[herrold@centos-6 ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
sftp> ls
sftp-setup.txt
sftp> quit
[herrold@centos-6 ~]$ # remove the key
[herrold@centos-6 ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
root@10.16.1.194's password:
sftp> ls
sftp-setup.txt
sftp> quit
[herrold@centos-6 ~]$ date
Mon Oct 15 12:57:33 EDT 2012
[herrold@centos-6 ~]$
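The two demonstrations above rest on an unaltered sshd_config: the stock file already carries a live Subsystem line for sftp, while the directives governing root and password logins are present only as commented-out defaults. The following added example (not the HowTo's own code) audits a constructed sshd_config for exactly those directives, reading it the way sshd does: the first value given for a keyword wins, comments are ignored, and settings inside a Match block apply only to the matched users. The configuration text, the Subsystem path (modelled on the CentOS 6 package) and the assumption that OpenSSH 5.x defaults PermitRootLogin and PasswordAuthentication to yes are all stated in the code.

```shell
#!/bin/sh
# Added example, not the HowTo's own code: report the sshd_config
# directives that decide whether the SFTP subsystem is offered and who
# may authenticate to it. sshd takes the FIRST value given for a keyword;
# later repeats and commented-out lines (the shipped defaults) have no
# effect, so an audit must read the file the same way.

# Constructed configuration, modelled on a stock CentOS 6 file in which
# the access directives are still commented out, plus a live Subsystem
# line, a repeated directive (to show first-value-wins) and a Match block.
SSHD_CONFIG='#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes'

# effective_value KEYWORD -> first active value in the global section
# (keyword match is case-insensitive, as in sshd). Scanning stops at the
# first Match block, whose settings only apply to the matched users.
effective_value() {
    printf '%s\n' "$SSHD_CONFIG" | awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        tolower($1) == "match"   { exit }          # end of the global section
        tolower($1) == tolower(key) {
            out = $2
            for (i = 3; i <= NF; i++) out = out " " $i
            print out
            found = 1
            exit
        }
        END { if (!found) print "(compiled-in default)" }'
}

# root_password_login_allowed -> success when root may log in with a
# password. Assumes the OpenSSH 5.x defaults shipped with CentOS 6, where
# both PermitRootLogin and PasswordAuthentication default to yes when unset.
root_password_login_allowed() {
    for k in PermitRootLogin PasswordAuthentication; do
        case "$(effective_value "$k")" in
            yes|'(compiled-in default)') ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit -> one line per directive this page relies on, then a verdict.
audit() {
    for k in Subsystem PermitRootLogin PasswordAuthentication PubkeyAuthentication; do
        printf '%-24s %s\n' "$k" "$(effective_value "$k")"
    done
    if root_password_login_allowed; then
        echo 'root can log in with a password (as in the setup on this page)'
    else
        echo 'root password login is not permitted by this configuration'
    fi
}

audit
```

In the constructed file the first live PasswordAuthentication line says no, so the later yes and the Match-block yes are correctly ignored and the verdict is that root cannot log in with a password; point SSHD_CONFIG at the contents of a real /etc/ssh/sshd_config and the same functions report what that host actually enforces.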

We do not address hardening issues here, such as wrappers or more restrictive iptables rules, as they are out of scope for this article.

HowTos/sftp (last edited 2012-10-15 16:59:59 by RussHerrold)