namerg asked:
How to setup the openSSH SFTP server on Linux?

Hello,

I need to implement an SFTP server but I'm not sure what flavor to use.

Thanks for your help,
Mazdajai:

For open source, I recommend CentOS. If you are looking for commercial I recommend RedHat.
namerg (asker):
Ok, so let's say, the sftp server will be in the DMZ.

What will be the approach so my AD Windows users dump files into \\ftp_ip_address\ftp_customer_folder and a customer on the outside connects via SFTP and gets the dumped files?

Thanks

You can set up a Samba share on the chroot home directories and a script to traverse files between the shares.
...or you can simply mount the Samba share on a Windows box.

The above example is more secure but requires more man-hours to get it to work.
namerg (asker):
I want it secure :)
What does "script to traverse files" mean?
To put this into context, I have clients with the following setup.

1. SFTP Linux box in the DMZ.
2. IIS FTPS internal Windows 2003 box.

In the windows box, they sweep the sftp directories with scheduled jobs or MoveIt.
namerg (asker):
Hmm, did you set up Cygwin FTPS on the Windows 2003 box?
namerg (asker):
I mean SFTP...
ASKER CERTIFIED SOLUTION by Steven Vona (only available to Experts Exchange members)
namerg (asker):
Yes.. I want to lock their users into their home directories. So, let's break this project down:
1. Install CentOS, install ssh and OpenSSH, and maybe vsftp, right?
1.1 If possible, set /home on another partition, right?
2. Install Samba?

What time zone are you in?

Thanks for your help
You do not need vsftp for sftp.  SFTP is a subsystem of SSH and is installed by default.

Install CentOS and follow this tutorial, you will have exactly what you're asking for.

http://www.putorius.net/2011/04/how-to-chroot-users-in-sftp-server.html
namerg (asker):
OK sir, I am willing to work on this project 100% next week. I will keep you posted.
namerg (asker):
Hmm, I did everything that the doc/link says, but when I try to connect with FileZilla I get errors like "Connection closed by server with exitcode 1" and "Could not connect to server" :(
namerg (asker):
Command:	open "ftp_dsduh_u@172.16.5.42" 22
Command:	Trust new Hostkey: Once
Command:	Pass: ************
Status:	Connected to 172.16.5.42
Error:	Connection closed by server with exitcode 1
Error:	Could not connect to server
Status:	Waiting to retry...


Have you checked the firewall status?
namerg (asker):
Port 22 is open
Check SELinux. It doesn't like it when you try to access home dirs.

As a test put it in permissive mode with the following command (run as root):

setenforce 0

Then try to connect again.
namerg (asker):
I have done that also.
Can you check the logs on the system and post any relevant information?
For the troubleshooting stage, it is better to turn off iptables completely.

Please post error messages in /var/log/secure as well.
namerg (asker):
Here is the info from /var/log/secure
Apr  1 11:23:05 localhost sshd[22565]: Accepted password for ftp_dsduh_u from 172.16.5.15 port 52206 ssh2
Apr  1 11:23:05 localhost sshd[22565]: pam_unix(sshd:session): session opened for user ftp_dsduh_u by (uid=0)
Apr  1 11:23:05 localhost sshd[22570]: subsystem request for sftp
Apr  1 11:23:05 localhost sshd[22565]: pam_unix(sshd:session): session closed for user ftp_dsduh_u
Apr  1 11:23:16 localhost sshd[22572]: Accepted password for ftp_dsduh_u from 172.16.5.15 port 52207 ssh2
Apr  1 11:23:16 localhost sshd[22572]: pam_unix(sshd:session): session opened for user ftp_dsduh_u by (uid=0)
Apr  1 11:23:16 localhost sshd[22576]: subsystem request for sftp
Apr  1 11:23:16 localhost sshd[22572]: pam_unix(sshd:session): session closed for user ftp_dsduh_u


Can you post your sshd_config, or at least the Subsystem sftp line?
namerg (asker):
It looks like the SSH port was commented out in sshd_config and the listening address was set to 0.0.0.0. I did change it but I see errors in the secure log, see below. By the way, I have not stopped iptables yet.
sshd_config
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#AddressFamily any
ListenAddress 172.16.5.15
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server


less /var/log/secure
Apr  1 20:46:30 localhost sshd[27621]: Accepted password for ftp_dsduh_u from 172.16.5.15 port 52476 ssh2
Apr  1 20:46:30 localhost sshd[27621]: pam_unix(sshd:session): session opened for user ftp_dsduh_u by (uid=0)
Apr  1 20:46:30 localhost sshd[27625]: subsystem request for sftp
Apr  1 20:46:30 localhost sshd[27621]: pam_unix(sshd:session): session closed for user ftp_dsduh_u
Apr  1 20:46:42 localhost sshd[27627]: Accepted password for ftp_dsduh_u from 172.16.5.15 port 52477 ssh2
Apr  1 20:46:42 localhost sshd[27627]: pam_unix(sshd:session): session opened for user ftp_dsduh_u by (uid=0)
Apr  1 20:46:42 localhost sshd[27633]: subsystem request for sftp
Apr  1 20:46:42 localhost sshd[27627]: pam_unix(sshd:session): session closed for user ftp_dsduh_u
Apr  1 20:49:27 localhost sshd[27610]: Received signal 15; terminating.
Apr  1 20:49:27 localhost sshd[27687]: error: Bind to port 22 on 172.16.5.15 failed: Cannot assign requested address.
Apr  1 20:49:27 localhost sshd[27687]: fatal: Cannot bind any address.


It looks like you did not follow the directions on the original link I sent you... You never changed the sshd_config file.

Go back to the tutorial, and follow it step by step.

http://www.putorius.net/2011/04/how-to-chroot-users-in-sftp-server.html

You have to make sure you edit the sshd_config like it says (which in your example is not edited) and follow each step.
namerg (asker):
Hmm, what? I did....
namerg (asker):
Ohhh this part.....
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

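An added example, not code from the thread or from the tutorial it links: a bash helper that checks an sshd_config for exactly the block above and verifies the ownership rules sshd enforces on ChrootDirectory, the two things that had to be right before the asker's connection stopped dying with exit code 1. Function names are my own.

```bash
#!/bin/bash
# Audit helper for the chroot-SFTP layout this thread converges on.
# Usage: check_sftp_config /etc/ssh/sshd_config ; check_chroot_dir /home/ftp_user
# Keywords are matched case-sensitively, exactly as written in the thread.

# Returns 0 when sshd_config carries the complete block, 1 otherwise
# (each missing directive is printed).
check_sftp_config() {
    local cfg="$1" rc=0 active block want
    # Keep only active directives: strip leading blanks, drop comments/blanks.
    active=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$cfg")
    # The external sftp-server binary is started through the user's login
    # shell, so an account whose shell is /sbin/nologin exits 1 at once
    # (the asker's "Connection closed by server with exitcode 1");
    # internal-sftp runs inside sshd and needs no shell.
    printf '%s\n' "$active" | grep -Eq '^Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp$' \
        || { echo "missing: Subsystem sftp internal-sftp"; rc=1; }
    # Per-group directives only count inside the "Match Group sftp" block,
    # which runs from that line to the next Match line or end of file.
    block=$(printf '%s\n' "$active" \
        | awk '/^Match/ { inblk = ($2 == "Group" && $3 == "sftp"); next } inblk')
    for want in 'ChrootDirectory %h' 'ForceCommand internal-sftp' 'AllowTcpForwarding no'; do
        printf '%s\n' "$block" | grep -Eq "^${want% *}[[:space:]]+${want#* }$" \
            || { echo "missing in Match Group sftp: $want"; rc=1; }
    done
    return $rc
}

# Returns 0 when every component of the chroot path is owned by root and not
# writable by group or others; sshd rejects anything else with "bad ownership
# or modes for chroot directory" and closes the session. The user's own
# writable area belongs in a subdirectory (FILES/ in this thread).
# Uses Linux stat(1) syntax.
check_chroot_dir() {
    local p="$1" rc=0 owner mode grp oth
    while [ "$p" != "/" ]; do
        owner=$(stat -c %u "$p") && mode=$(stat -c %a "$p") || return 1
        [ "$owner" -eq 0 ] || { echo "$p: not owned by root (uid $owner)"; rc=1; }
        # The last two octal digits are the group and other bits; a digit of
        # 2, 3, 6 or 7 includes write permission.
        oth=${mode#"${mode%?}"}; grp=${mode%?}; grp=${grp#"${grp%?}"}
        case "$grp$oth" in
            *[2367]*) echo "$p: mode $mode is group/other writable"; rc=1 ;;
        esac
        p=$(dirname "$p")
    done
    return $rc
}
```

Run both checks after editing sshd_config and before restarting sshd; an empty output with exit status 0 from each means the layout matches what the thread ended up with.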

namerg (asker):
@Savone: THANK YOU VERY MUCH, sorry for wasting your time. It worked.

No problem... glad I can help.
namerg (asker):
@savone, one last thing.
How do I hide the folders when I ftp into it? See attachment.
The user does not have rights to those files, only the FILES folder.
Ideally, it would be nice to log in straight into the FILES folder.
[attachment: Capture.PNG]

I do not know of any way to hide those files by default. If the user does not log in via ssh or at the console you can probably just delete those files.

The other option is to change the users home directory to /home/user/FILES/
namerg (asker):
I did change the home folder; should I restart any service so it goes into effect?
namerg (asker):
I posted a question about this, maybe we can go there...