Software Projects

Setting Up an sftp Site on Amazon Web Services EC2, and a Guest Account

Posted in Uncategorized by rmt on July 3, 2011

(Adapted from http://cloud.ubuntu.com/ami/, http://www.cybersprocket.com/2009/tips-tricks/sftp-tips-tricks/ and http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html)

This consists of three parts:

  • setting up an sftp site on EC2
  • creating a new user account
  • configuring the new user account to do read-only sftp, with no ssh privileges

This is intended for transferring files to and from trusted users. I use this as an adequate solution for occasionally sending very large files to clients, using an EC2 instance dedicated to that task. After the transfer is complete, I shut down or delete the instance.

Set up a server using Amazon Web Services EC2, choosing an Ubuntu Amazon Machine Image (AMI). (You can find an AMI using http://cloud.ubuntu.com/ami/. You may want to choose one that’s free tier eligible, such as ami-1aad5273.)

ssh into the server:

ssh -i keyfile.pem ubuntu@ec2-hostname.amazonaws.com

Install vsftpd:

sudo apt-get install vsftpd

Create a new user:

sudo adduser newusername

Using the AWS Management Console, generate a new key pair for the third-party user.

Using puttygen, import the new key (keyname.pem) and copy its public key.

On the server, create the .ssh directory for the new user:

sudo mkdir /home/newusername/.ssh

Paste the public key into /home/newusername/.ssh/authorized_keys.

Set permissions:

sudo chmod 700 /home/newusername/.ssh

sudo chmod 600 /home/newusername/.ssh/authorized_keys

sudo chown -R newusername:newusername /home/newusername/.ssh

Test the new user’s sftp login from your local machine:

sftp -o IdentityFile=newkeypair1.pem newusername@ec2-hostname.amazonaws.com

Make a new group for users who should be limited to using only sftp:

sudo groupadd sftponly

sudo adduser newusername sftponly

Edit /etc/ssh/sshd_config and change the Subsystem line to:

Subsystem sftp internal-sftp

and add these lines to the end of /etc/ssh/sshd_config:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Set permissions, without clobbering files necessary for EC2's key-based authentication:

sudo chown root:root /home/newusername

sudo chown -R newusername:newusername /home/newusername/.ssh

sudo /etc/init.d/ssh restart

Now the new user can connect by sftp, but not by ssh. Place the files you want to share in /home/newusername, and share the key with the user.
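An added check script (my own, not from the post) for the permission rules the Match block above depends on: sshd refuses a ChrootDirectory unless every path component is root-owned and not group- or world-writable, which is why the chown root:root step matters, and with StrictModes the user's .ssh and authorized_keys must not be writable by others either. It assumes GNU coreutils stat (Linux) and the /home/newusername layout used above; the expected owner uid and the top directory are parameters so the walk can be exercised on a scratch tree.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Checks that a ChrootDirectory
# and the user's key files satisfy the ownership/mode rules sshd enforces.
# Assumes GNU coreutils `stat` and the /home/newusername layout from the post.

# Every component from $1 up to $3 (default "/") must be owned by uid $2
# (0 = root, as the post requires) and must not be group- or world-writable;
# otherwise sshd logs "bad ownership or modes for chroot directory" and
# refuses the login.
check_chroot_path() {
    local dir=$1 owner_uid=${2:-0} top=${3:-/} uid mode
    while :; do
        uid=$(stat -c '%u' "$dir") && mode=$(stat -c '%a' "$dir") || return 1
        if [ "$uid" -ne "$owner_uid" ]; then
            echo "BAD: $dir is owned by uid $uid, expected $owner_uid"; return 1
        fi
        # 0$mode reads the octal string as a number; 022 = group+other write
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD: $dir mode $mode is group- or world-writable"; return 1
        fi
        [ "$dir" = "$top" ] || [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Inside the root-owned chroot, .ssh and authorized_keys must belong to the
# user (uid $2) and must not be group- or world-writable (sshd StrictModes);
# the post tightens this further with chmod 700/600.
check_user_ssh_files() {
    local home=$1 user_uid=$2 f uid mode
    for f in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || { echo "BAD: $f is missing"; return 1; }
        uid=$(stat -c '%u' "$f") && mode=$(stat -c '%a' "$f") || return 1
        if [ "$uid" -ne "$user_uid" ]; then
            echo "BAD: $f is owned by uid $uid, expected $user_uid"; return 1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD: $f mode $mode is group- or world-writable"; return 1
        fi
    done
    return 0
}

# Wrapper for a real account, e.g.: check_sftp_chroot /home/newusername newusername
check_sftp_chroot() {
    check_chroot_path "$1" 0 / && check_user_ssh_files "$1" "$(id -u "$2")"
}
```

Run the wrapper as root on the server after the chown steps; `sudo sshd -t` separately validates the edited sshd_config before the restart.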


12 Responses


  1. fschwiet said, on July 4, 2012 at 4:24 PM

    I don’t have much experience with this. How do I “Paste the public key into /home/newusername/.ssh/authorized_keys”? When I try to save the contents of the key with VM, I get permission denied (presumably since I haven’t logged in as the new user).

    • rmt said, on July 4, 2012 at 10:06 PM

      Append your public key to the existing authorized_keys file using a text editor. Each line in the file is an independent entry.

    • vikas said, on November 7, 2012 at 2:40 AM

      You need to have root user permission, so try logging in through the root user and you would be able to create that.

  2. GB said, on July 22, 2012 at 7:46 PM

    This is a slightly wider question: I may need to set up a file upload mechanism for my Amazon based application. The files might be quite large – 50MB or even 100MB (but there will be not too many of them). I am considering using SFTP for it, is this a valid idea? The people who will be using it are regular folks, and to ask them to download keys etc is unthinkable. Can I put a kind of web interface which has SFTP built-in?

    • rmt said, on July 24, 2012 at 9:56 AM

      SFTP is entirely reasonable for that size of files. I don’t have an answer for what’s an easier interface, but I imagine there’s a solution out there. You might try asking on serverfault.com.

  3. Eric S said, on August 14, 2012 at 11:02 AM

    Minor typo: your line

    sudo chown root:root /home/newuser
    was meant to be
    sudo chown root:root /home/newusername

    (comes up when doing find / replace on your lines)

    Also, I notice after doing all this, that the new user winds up being able to see .profile, .bashrc, .ssh and authorized_keys. The user owns and has access to change them. Is this much of a security risk? (It is at least slightly untidy…)

    • rmt said, on August 14, 2012 at 3:56 PM

      Thanks for pointing these things out. I’ve corrected the typo, and I added a note that this is intended for trusted users only. You’re right that it’s not a good solution for SFTP with untrusted users.

  4. Derek Gardiner said, on January 5, 2013 at 1:52 PM

    How do we get the public key in the first place if the system we’re calling from is Linux? Once I download the .pem file and less it, I only see a private key there – I don’t know where to create/find the public key and therefore cannot copy it to the authorized_keys directory.

    • rmt said, on January 5, 2013 at 2:54 PM

      On Linux, you can generate the public and private keys with the following command on your own local system:

      ssh-keygen -b 1024 -f newusername -t dsa

      See the “Key Generation and Distribution” section here: http://aws.amazon.com/articles/1233

      Then you need to import the public key into EC2 using ec2-import-keypair:

      ec2-import-keypair newusername-key --public-key-file keyfile.pub

      (On Windows, you can use Puttygen to import the *.pem key file and generate the corresponding public key for pasting into the authorized_keys file.)

  5. Jim E said, on March 19, 2013 at 9:42 AM

    Why are you installing vsftp when it isn’t needed for sftp?

  6. Jerry said, on March 16, 2014 at 6:14 AM

    For CentOS 6 (and maybe other OS’) you need to do the following:
    chmod 755 /home/newusername

  7. raj said, on April 18, 2014 at 9:41 PM

    Is it possible to access the sftp without key and just with password?

