Copy SSH Keys to Server with SFTP

These steps assume you already have a public SSH key, if not, create one

SSH-Copy-Id is an easier way to upload ssh keys, however, it does not work on all devices.

ssh to the remote server using your password.

If it is not already created, create the authorized_keys file under the .ssh folder

touch ~/.ssh/authorized_keys

chmod 600 ~/.ssh/authorized_keys

vi ~/.ssh/authorized_keys

Add your public key to the end of the authorized_keys file

Ensure that the correct owner and permissions are on the files.

The .ssh directory should be

chmod 700 .ssh

And the authorized_keys file should be 600

chmod 600 ~/.ssh/authorized_keys

Both should be owned by the user. Change username to your username.

sudo chown -R username:username .ssh/authorized_keys

Helpful links

https://blog.tinned-software.net/setup-sftp-only-account-using-openssh-and-ssh-key/

https://blog.tinned-software.net/ssh-passwordless-login-with-ssh-key/

Running tcpdump on Ubiquiti Airmax Equipment

Ubiquiti Airmax gear has tcpdump included. We can easily use it to capture packets to a file and then use SCP from the device to copy the file for analysis.

SSH to the device

ssh ubnt@192.168.1.20
cd /tmp/

Start tcpdump with the following command. Change ath0 and file.cap to the appropriate interface and file name.

tcpdump -i ath0 -w file.cap

After we are done collecting, we can quit with ctrl + c

Now we can use scp or sftp to copy the files off. There is an issue using scp or sftp from a normal Linux machine to the radio, fails with a “sh: /usr/libexec/sftp-server: not found”. It works fine if you initiate scp from the radio.

scp /tmp/file.cap username@remoteip:~/

SFTP Server – Configure Folder to be used by two users

Bob is the companies local Linux administrator. He has been tasked with creating a secure shared SFTP folder so members in the R&D department can securely collaborate on “The New Project”.

Bob immediately recognizes a potential difficulty. If Steve and John are working on a prototype, how will John be able to edit Steve’s file if the user permissions are set to only allow John to read?

Bob first goes to the break room to locate a coffee mug.

After consulting Google and the man pages for sftp, sftp-server, sshd_config, sshd he found out what he needed to do.

  1. Create directory for the share
  2. Create a user group
  3. Create the individual users and add them to the user group
  4. Modify the sshd_config
  5. Restart the SSHD service and verify that it works

Create Directory for SFTP Share Directory

First Bob needed a directory to hold the R&D files.

mkdir /sftp/rdshare
mkdir /sftp/rdshare/files/
chown 755 /sftp/rdfiles

For some reason, he ran into issues with the folder getting set to the 775 permission which caused issues with logging in. Manually changing it to 755 fixed that issue.

Create User Group

Now Bob needs a user group to add everyone to.

sudo groupadd rdsftp

Now on to creating the users. Since we are just using the accounts for SFTP, we are setting the nologin option. None of these users will be able to use ssh to log on to the server.

sudo useradd -g rdsftp -s /sbin/nologin -M sftpadmin
passwd sftpadmin

Repeat for John, Steve, Jill, etc…

Use the sftpadmin user as an “admin” user and change the “home” directory permissions

chown -R adminuser:rdsftp /sftp/rdfiles

Modify sshd_config file

There are a couple things that need to be changed in the sshd_config file to make this all work.

sudo vi /etc/sshd_config

At the bottom of the file, Bob adds

# R&D SFTP share settings
Match Group rdsftp
        ChrootDirectory /sftp/rdshare/          # <- chroots the users into this directory
        ForceCommand internal-sftp -u 0002      # <- -u for umask.  Needed so users have write permissions for all files

This will chroot all the users into the /sftp/rdshare directory which makes /sftp/rdshare the users / directory.

The -u umask option is the secret for getting all the users to manage all the files. Without it, John would not be able to update Steve’s inventory file.

Restart services and test

Now we can restart the ssh server

sudo systemctl resart sshd

And verify that john can log in.

sftp john@localhost

Any existing sessions will need to be terminated for the changes to take effect.

Further reading.

https://askubuntu.com/questions/982123/multiple-owner-of-same-folder
https://www.tothenew.com/blog/how-to-set-up-shared-folderrepository-between-two-or-more-users-on-linux/
https://medium.com/linuxstories/linux-how-to-setup-an-sftp-server-37e6fb91649b
https://linuxandevops.wordpress.com/2017/07/30/ssh-scp-sftp-connections-and-file-permissions-part-2/

Setup Secure FTP server on CentOS

Setup SFTP Server

When finished you’ll have a SFTP server setup that is configured so the users are in a chroot environment, and can not ssh, or telnet to the server.

Install SSH server if it is not already

yum install openssh-server openssh-client

Create group that is limited to sftp so they can’t ssh, scp etc.

groupadd sftpusers

Add chroot settings to /etc/ssh/sshd_config.  The %u is a variable, which is the users username.

Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp

Make ftp directory

mkdir /sftp

Add SFTP user

useradd -g sftpusers -d /sftp -s /sbin/nologin newsftpuser

Create password for new user

passwd newsftpuser

Create directory for user

mkdir /sftp/newsftpuser

Create directory to put ftp files

mkdir /sftp/newsftpuser/files

Change permissions

chown newsftpuser:sftpusers /sftp/newsftpuser/files/

Restart sshd

systemctl restart sshd

Should be good to go.  Test it by logging in with your favorite FTP client.