Simple SFTP setup
This SFTP setup is NOT chrooted, nor otherwise restricted against root connections
A minimal initial install was spun up. Then, the packages were installed beyond a minimal base install: rsync man and openssh-clients
{{{[root@host-172-16-1-198 ~]# reset [root@host-172-16-1-198 ~]# cat sftp-setup.txt
- 5 yum install rsync man 6 yum install openssh-clients
- 11 grep sftp /etc/services 12 cd /etc/sysconfig/ 13 joe iptables 14 vi iptables 15 service iptables restart 18 passwd 19 sftp localhost 20 ssh localhost
21 history > sftp-setup.txt
}}}
We explicitly open the sftp port; it is not clear that this is required:
{{{# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT }}}
This is the list of services running:
{{{acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off snmpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off }}}
And proof of concept -- note that we did NOT alter /etc/ssh/sshd_config in this example:
{{{[roothost-172-16-1-198 ~]# sftp localhost Connecting to localhost... root@localhost's password: sftp> ls sftp-setup.txt sftp> ls -l -rw-r--r-- 1 root root 1830 Oct 15 08:31 sftp-setup.txt sftp> quit [root@host-172-16-1-198 ~]# }}}
and ssh access:
{{{[root@host-172-16-1-198 ~]# ssh localhost root@localhost's password: Last login: Mon Oct 15 08:30:29 2012 from 10.16.1.106 [root@host-172-16-1-198 ~]# logout Connection to localhost closed. [root@host-172-16-1-198 ~]# }}}
Both 'keyed ssh' authentication, and password based authentication will work. From a remote host, when the key is present, we are NOT challenged for the password. Then after an edit to disable the key from being offered remotely, we are then prompted for the password:
{{{[herrold@centos-6 ~]$ # keyed ssh set up [herrold@centos-6 ~]$ date Mon Oct 15 12:57:07 EDT 2012 [herrold@centos-6 ~]$ sftp root@10.16.1.194 Connecting to 10.16.1.194... sftp> ls sftp-setup.txt sftp> quit [herrold@centos-6 ~]$ # remove the key [herrold@centos-6 ~]$ sftp root@10.16.1.194 Connecting to 10.16.1.194... root@10.16.1.194's password: sftp> ls sftp-setup.txt sftp> quit [herrold@centos-6 ~]$ date Mon Oct 15 12:57:33 EDT 2012 [herrold@centos-6 ~]$ }}}
We do not address hardening issues here such as wrappers or more restrictive iptables rules, as they are out of scope of this article.