Setting Up an sftp Site on Amazon Web Services EC2, and a Guest Account
(Adapted from http://cloud.ubuntu.com/ami/, http://www.cybersprocket.com/2009/tips-tricks/sftp-tips-tricks/ and http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html)
This consists of three parts:
- setting up an sftp site on EC2
- creating a new user account
- configuring the new user account to do read-only sftp, with no ssh privileges
This is intended for transferring files to and from trusted users. I use this as an adequate solution for occasionally sending very large files to clients, using an EC2 instance dedicated to that task. After the transfer is complete, I shut down or delete the instance.
Set up a server using Amazon Web Services EC2, choosing an Ubuntu Amazon Machine Image (AMI). (You can find an AMI using http://cloud.ubuntu.com/ami/. You may want to choose one that’s free tier eligible, such as ami-1aad5273)
ssh into the server:
ssh -i keyfile.pem ubuntu@ec2-hostname.amazonaws.com
Install vsftpd:
sudo apt-get install vsftpd
Create a new user:
sudo adduser newusername
Using the AWS Management Console, generate a new key pair for the third-party user.
Using puttygen, import the new key (keyname.pem) and copy its public key.
On the server, create the .ssh directory for the new user:
sudo mkdir /home/newusername/.ssh
Paste the public key into /home/newusername/.ssh/authorized_keys.
Set permissions:
sudo chmod 700 /home/newusername/.ssh
sudo chmod 600 /home/newusername/.ssh/authorized_keys
sudo chown -R newusername:newusername /home/newusername/.ssh
Test the new user’s sftp login from your local machine:
sftp -o IdentityFile=newkeypair1.pem newusername@ec2-hostname.amazonaws.com
Make a new group for users who should be limited to using only sftp:
sudo groupadd sftponly
sudo adduser newusername sftponly
Edit /etc/ssh/sshd_config and change the Subsystem line to:
Subsystem sftp internal-sftp
and add these lines to the end of /etc/ssh/sshd_config:
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Set permissions, without clobbering files necessary for EC2's key-based authentication:
sudo chown root:root /home/newusername
sudo chown -R newusername:newusername /home/newusername/.ssh
sudo /etc/init.d/ssh restart
Now the new user can connect by sftp, but not by ssh. Place the files you want to share in /home/newusername, and share the key with the user.
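A few checks worth running on the server after the steps above (added example, not part of the original post). It assumes GNU stat as shipped on Ubuntu and the names newusername and sftponly used in the post; the ownership rule it checks is the one sshd_config(5) imposes on ChrootDirectory.

```shell
#!/bin/sh
# Added example, not from the original post: post-setup checks for the
# chroot configuration above. Assumes GNU stat (Ubuntu) and the names
# newusername / sftponly used in the post.

# sshd rejects a ChrootDirectory unless every path component is owned by
# root and writable by no one else (sshd_config(5)). This is the pure
# check on an "owner" and an octal "mode" string, so it needs no root.
chroot_perms_ok() {
    owner="$1"; mode="$2"
    [ "$owner" = "root" ] || return 1
    case "$mode" in *[2367]?) return 1 ;; esac   # group-writable
    case "$mode" in *[2367])  return 1 ;; esac   # world-writable
    return 0
}

# Walk from the chroot directory up to / and report the first unsafe
# component; exit status 0 means sshd will accept the chroot.
check_chroot_path() {
    dir="$1"
    while [ "$dir" != "/" ]; do
        info=$(stat -c '%U %a' "$dir") || return 1
        # intentional word split: $info is "owner mode"
        chroot_perms_ok $info || { echo "unsafe: $dir ($info)"; return 1; }
        dir=$(dirname "$dir")
    done
    return 0
}

# The Match block from the post, one directive per line, for the
# sftp-only group given as $1 (append the output to sshd_config).
sftp_match_block() {
    cat <<EOF
Match Group $1
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
}

# Run the checks only when asked, so sourcing this file is side-effect free:
#   RUN_CHECKS=1 sh sftp_checks.sh
if [ -n "${RUN_CHECKS:-}" ]; then
    check_chroot_path /home/newusername
    sudo sshd -t && echo "sshd_config syntax OK"   # validate before restart
    # .ssh must stay user-owned for key auth; only the home itself is root's
    stat -c '%U %n' /home/newusername /home/newusername/.ssh
fi
```

Running `sshd -t` before the restart matters because a rejected sshd_config can leave you locked out of the instance.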
I don’t have much experience with this, how do I “Paste the public key into /home/newusername/.ssh/authorized_keys”? When I try to save the contents of the key with VM, I get permission denied (presumably since I haven’t logged in as the new user).
Append your public key to the existing authorized_keys file using a text editor. Each line in the file is an independent entry.
You need to have root user permission, so try logging in as the root user and you will be able to create that.
This is a slightly wider question: I may need to set up a file upload mechanism for my Amazon based application. The files might be quite large – 50MB or even 100MB (but there will be not too many of them). I am considering using SFTP for it, is this a valid idea? The people who will be using it are regular folks, and to ask them to download keys etc is unthinkable. Can I put a kind of web interface which has SFTP built-in?
SFTP is entirely reasonable for that size of files. I don’t have an answer for what’s an easier interface, but I imagine there’s a solution out there. You might try asking on serverfault.com.
Minor typo: your line
sudo chown root:root /home/newuser
was meant to be
sudo chown root:root /home/newusername
(comes up when doing find / replace on your lines)
Also, I notice after doing all this, that the new user winds up being able to see .profile, .bashrc, .ssh and authorized_keys. The user owns and has access to change them. Is this much of a security risk? (It is at least slightly untidy…)
Thanks for pointing these things out. I’ve corrected the typo, and I added a note that this is intended for trusted users only. You’re right that it’s not a good solution for SFTP with untrusted users.
How do we get the public key in the first place if the system we’re calling from is Linux. Once I download the .pem file and less it I only see a private key there – I don’t know where to create/find the public key and therefore cannot copy it to authorized_keys directory.
On Linux, you can generate the public and private keys with the following command on your own local system:
ssh-keygen -b 1024 -f newusername -t dsa
See the “Key Generation and Distribution” section here: http://aws.amazon.com/articles/1233
Then you need to import the public key into EC2 using ec2-import-keypair:
ec2-import-keypair newusername-key --public-key-file keyfile.pub
(On Windows, you can use Puttygen to import the *.pem key file and generate the corresponding public key for pasting into the authorized_keys file.)
Why are you installing vsftp when it isn’t needed for sftp?