Software Projects

Setting Up an sftp Site on Amazon Web Services EC2, and a Guest Account

Posted in Uncategorized by rmt on July 3, 2011

(Adapted from http://cloud.ubuntu.com/ami/, http://www.cybersprocket.com/2009/tips-tricks/sftp-tips-tricks/ and http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html)

This consists of three parts:

  • setting up an sftp site on EC2
  • creating a new user account
  • configuring the new user account for read-only sftp access, with no ssh shell access

This is intended for transferring files to and from trusted users. I use this as an adequate solution for occasionally sending very large files to clients, using an EC2 instance dedicated to that task. After the transfer is complete, I shut down or delete the instance.

Set up a server using Amazon Web Services EC2, choosing an Ubuntu Amazon Machine Image (AMI). (You can find an AMI using http://cloud.ubuntu.com/ami/. You may want to choose one that’s free tier eligible, such as ami-1aad5273.)

ssh into the server:

ssh -i keyfile.pem ubuntu@ec2-hostname.amazonaws.com

Install vsftpd:

sudo apt-get install vsftpd

Create a new user:

sudo adduser newusername

Using the AWS Management Console, generate a new key pair for the third-party user.

Using puttygen, import the new key (keyname.pem) and copy its public key.

On the server, create the .ssh directory for the new user:

sudo mkdir /home/newusername/.ssh

Paste the public key into /home/newusername/.ssh/authorized_keys.

Set permissions:

sudo chmod 700 /home/newusername/.ssh

sudo chmod 600 /home/newusername/.ssh/authorized_keys

sudo chown -R newusername:newusername /home/newusername/.ssh

Test the new user’s sftp login from your local machine:

sftp -o IdentityFile=newkeypair1.pem newusername@ec2-hostname.amazonaws.com

Make a new group for users who should be limited to using only sftp:

sudo groupadd sftponly

sudo adduser newusername sftponly

Edit /etc/ssh/sshd_config and change the Subsystem line to:

Subsystem sftp internal-sftp

and add these lines to the end of /etc/ssh/sshd_config:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Set permissions, without clobbering files necessary for EC2’s key-based authentication:

sudo chown root:root /home/newusername

sudo chown -R newusername:newusername /home/newusername/.ssh

sudo /etc/init.d/ssh restart

Now the new user can connect by sftp, but not by ssh. Place the files you want to share in /home/newusername, and share the key with the user.
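As an added example (not code from the original post), the server-side steps above are collected here into one POSIX sh script that can be re-run safely: it creates the sftponly group and the user, installs the public key with the same permissions as above, hands the home directory to root so sshd accepts it as a chroot, rewrites the Subsystem line, appends the Match block only once, and validates the result with sshd -t before restarting. It installs no vsftpd, since sftp is served by sshd’s internal-sftp (the point the commenters make below). It assumes it runs as root on a Debian/Ubuntu system with GNU coreutils (stat -c, install -o); the SSHD_CONFIG and HOME_BASE variables, the function names and the --run flag are this example’s own, not the post’s. The chroot_dir_is_safe check encodes the requirement behind the chmod 755 mentioned in the comments: sshd refuses a ChrootDirectory that is not root-owned or is group- or world-writable.

```shell
#!/bin/sh
# Added example, not from the original post: server-side setup for an
# sftp-only, chrooted account on Debian/Ubuntu. Assumes root and GNU
# coreutils; SSHD_CONFIG and HOME_BASE are this script's own knobs.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
HOME_BASE="${HOME_BASE:-/home}"

# The Match block from the post: members of sftponly get a chroot and
# internal-sftp only, with no shell, X11 forwarding or port forwarding.
sftponly_match_block() {
  cat <<'EOF'
Match Group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
}

# Point the Subsystem line at internal-sftp and append the Match block,
# but only once, so re-running the script does not duplicate it.
configure_sshd() {
  cfg_file="$1"
  scratch="$cfg_file.tmp.$$"
  sed 's|^Subsystem[[:space:]][[:space:]]*sftp[[:space:]].*|Subsystem sftp internal-sftp|' \
    "$cfg_file" > "$scratch" && mv "$scratch" "$cfg_file"
  if ! grep -q '^Match Group sftponly' "$cfg_file"; then
    printf '\n' >> "$cfg_file"
    sftponly_match_block >> "$cfg_file"
  fi
}

# sshd refuses a ChrootDirectory unless it is owned by root and is not
# group- or world-writable. Check one directory: the owner must be uid $2
# (default 0) and the symbolic mode must carry no group/other write bit.
chroot_dir_is_safe() {
  dir="$1"
  want_uid="${2:-0}"
  [ -d "$dir" ] || return 1
  [ "$(stat -c '%u' "$dir")" = "$want_uid" ] || return 1
  case "$(stat -c '%A' "$dir")" in
    ?????w*|????????w*) return 1 ;;   # 6th char = group w, 9th = other w
  esac
  return 0
}

# Create the group and user, install the key with the post's permissions
# (700 on .ssh, 600 on authorized_keys, owned by the user) and hand the
# home directory itself to root so it is acceptable as a chroot.
provision_sftp_user() {
  user="$1"
  pubkey_file="$2"
  home_dir="$HOME_BASE/$user"
  getent group sftponly >/dev/null || groupadd sftponly
  id "$user" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$user"
  usermod -aG sftponly "$user"
  install -d -m 700 -o "$user" -g "$user" "$home_dir/.ssh"
  install -m 600 -o "$user" -g "$user" "$pubkey_file" "$home_dir/.ssh/authorized_keys"
  chown root:root "$home_dir"
  chmod 755 "$home_dir"
  chroot_dir_is_safe "$home_dir" || {
    echo "$home_dir is not usable as ChrootDirectory" >&2
    return 1
  }
}

main() {
  provision_sftp_user "$1" "$2"
  configure_sshd "$SSHD_CONFIG"
  sshd -t -f "$SSHD_CONFIG"   # refuse to restart on a broken config
  service ssh restart
}

# usage: sh sftp-only.sh --run newusername /path/to/newusername.pub
if [ "${1:-}" = "--run" ]; then
  shift
  main "$@"
fi
```

Run it as root with the user name and the public key file: sh sftp-only.sh --run newusername newusername.pub. As in the post, authorized_keys stays inside the chroot and is owned by the user, so the user can replace their own key; that is the limitation raised in the comments for untrusted users. Where that matters, the usual mitigation is to keep the keys in a root-owned directory outside the chroot by adding AuthorizedKeysFile /etc/ssh/authorized_keys/%u to the Match block and installing the key there instead.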


15 Responses


  1. fschwiet said, on July 4, 2012 at 4:24 PM

    I don’t have much experience with this, how do I “Paste the public key into /home/newusername/.ssh/authorized_keys”? When I try to save the contents of the key with VM, I get permission denied (presumably since I haven’t logged in as the new user).

    • rmt said, on July 4, 2012 at 10:06 PM

      Append your public key to the existing authorized_keys file using a text editor. Each line in the file is an independent entry.

    • vikas said, on November 7, 2012 at 2:40 AM

      you need to have a root user permission , so try login through root user and you would be able to create that

  2. GB said, on July 22, 2012 at 7:46 PM

    This is a slightly wider question: I may need to set up a file upload mechanism for my Amazon based application. The files might be quite large – 50MB or even 100MB (but there will be not too many of them). I am considering using SFTP for it, is this a valid idea? The people who will be using it are regular folks, and to ask them to download keys etc is unthinkable. Can I put a kind of web interface which has SFTP built-in?

    • rmt said, on July 24, 2012 at 9:56 AM

      SFTP is entirely reasonable for that size of files. I don’t have an answer for what’s an easier interface, but I imagine there’s a solution out there. You might try asking on serverfault.com.

  3. Eric S said, on August 14, 2012 at 11:02 AM

    Minor typo: your line

    sudo chown root:root /home/newuser
    was meant to be
    sudo chown root:root /home/newusername

    (comes up when doing find / replace on your lines)

    Also, I notice after doing all this, that the new user winds up being able to see .profile, .bashrc, .ssh and authorized_keys. The user owns and has access to change them. Is this much of a security risk? (It is at least slightly untidy…)

    • rmt said, on August 14, 2012 at 3:56 PM

      Thanks for pointing these things out. I’ve corrected the typo, and I added a note that this is intended for trusted users only. You’re right that it’s not a good solution for SFTP with untrusted users.

  4. Derek Gardiner said, on January 5, 2013 at 1:52 PM

    How do we get the public key in the first place if the system we’re calling from is Linux. Once I download the .pem file and less it I only see a private key there – I don’t know where to create/find the public key and therefore cannot copy it to authorized_keys directory.

    • rmt said, on January 5, 2013 at 2:54 PM

      On Linux, you can generate the public and private keys with the following command on your own local system:

      ssh-keygen -b 1024 -f newusername -t dsa

      See the “Key Generation and Distribution” section here: http://aws.amazon.com/articles/1233

      Then you need to import the public key into EC2 using ec2-import-keypair:

      ec2-import-keypair newusername-key --public-key-file keyfile.pub

      (On Windows, you can use Puttygen to import the *.pem key file and generate the corresponding public key for pasting into the authorized_keys file.)

  5. Jim E said, on March 19, 2013 at 9:42 AM

    Why are you installing vsftp when it isn’t needed for sftp?

  6. Jerry said, on March 16, 2014 at 6:14 AM

    For CentOS 6 (and maybe other OS’) you need to do the following:
    chmod 755 /home/newusername

  7. raj said, on April 18, 2014 at 9:41 PM

    Is it possible to access the sftp without key and just with password?

  8. brettcaveBrett said, on July 17, 2014 at 11:31 PM

    what Jim said – vsftpd is completely redundant. sftp is Secure FTP, which is implemented by sshd. If you wanted something like FTPs (FTP over SSL) then you’d need to look at an FTP daemon that supports it.

    • rmt said, on July 18, 2014 at 5:44 AM

      Thanks for the feedback. I’ll make the correction and test again when I have a chance.

  9. jayeshsidhwaniJayesh said, on September 17, 2014 at 7:04 AM

    Nice article.

    I had one problem. I wasn’t able to restart my ssh server using ‘sudo /etc/init.d/ssh restart’ because of which the changes weren’t being reflected.
    I then restarted my ssh server using ‘sudo service restart ssh’

