SFTP server

Hello together,

I want to run an SFTP server on my DietPi so that friends can access my files from outside with encryption.
Can anyone help me with how I can do this?
Thanks in advance

Hi,

Do you already have an SFTP server running on your system? If not, please set up the “OpenSSH” server first. This can be done within the “dietpi-software” settings by changing the SSH server from Dropbear > OpenSSH. Afterwards SFTP should already be working inside your local network. It can be checked with an appropriate SFTP client like WinSCP.

If all this is working, you would need to open port 22 on your Internet router / forward port 22 to your DietPi system. But honestly I would not recommend this, because your DietPi system will be accessible from the Internet for SSH as well. So you would need to ensure the right protection and security level for your system, because every port scanner will find your open SSH port 22 on the Internet :thinking:

There is also a standalone SFTP server available (the OpenSSH one) which can be even used by Dropbear: https://packages.debian.org/buster/openssh-sftp-server

However probably it makes sense to simply switch to OpenSSH to have it on board and combined configurable via /etc/sshd_config.

One question regarding file sharing within the local network through a headless server. At the moment I have Dropbear installed for SSH and ProFTPD installed as FTP server on my server. What if, instead of installing these two items, I just install the OpenSSH server, with which the SFTP server comes as a BOGO offer? Based on system resource consumption and stability, what is the better way to go? My intent is only local LAN usage. Basically I just want to add Plex media data to the headless server, maybe once a month for two or three hours.

FTP is more lightweight than SFTP or SCP. Since you’ll be using it inside your LAN, I don’t see the reason for the CPU overhead to encrypt packets.

Thanks for the advice,

But I am leaning more toward the OpenSSH side. The reason is that during idle periods, instead of two applications (Dropbear + ProFTPD), only one thing, OpenSSH, will run. The running resource consumption of OpenSSH may be a little more, but I am sure it will be less than the two applications combined. Even if there is more load on the CPU at transfer time due to encryption, time-wise it will be less than 1 hour per month.
I have already started this process. Now I want advice on how to create the DietPi ProFTPD user type for the DietPi OpenSSH user, so that my password for admin or SSH remains root and all other copy-and-paste SFTP data can be handled by the dietpi user, and also to confine the dietpi user to dietpi_userdata in SFTP. The same functionality/permissions that DietPi uses for the ProFTPD dietpi user name.

If you don’t require the last bit of transfer speed, and especially if you want to transfer data remotely outside of your LAN, I agree that SFTP is the better option and, with OpenSSH, it will just work. You can already access it nearly the same way as you would currently with FTP, just by replacing the scheme ftp:// => sftp://. One difference is that when accessing via SFTP, /mnt/dietpi_userdata is not the default chroot or working directory, but if you don’t use the same user for regular SSH logins, you could do it by adding something like

Match User dietpi
        X11Forwarding no
        PermitTTY no
        ChrootDirectory /mnt/dietpi_userdata
        ForceCommand internal-sftp -u 0002

to /etc/ssh/sshd_config, which will restrict access to SFTP and enable more or less the same behaviour as our FTP implementation setups have by default, with /mnt/dietpi_userdata as chroot directory and also the changed umask to have 775/664 modes on new files/dirs. While this mimics the default DietPi FTP setup, of course you could tailor it much better to your specific needs, also with a new SFTP-only user, a real chroot jail and such.

Strictly seen, similar to SCP, SFTP does not require a running process, as both use the SSH server process and only execute the SCP/SFTP related command from there. But with OpenSSH, SFTP is additionally packed right into the SSH server binary, which, among others, is the reason for OpenSSH consuming multiple times more memory than Dropbear. We’re talking about a few MiB, but for enthusiasts, Dropbear can also be used perfectly fine as SFTP and SCP server, when those commands are available. The easiest option is apt install openssh-sftp-server, which installs both and will work just OOTB with Dropbear. There is even a lighter alternative for SFTP only:

apt install gesftpserver
ln -s /usr/libexec/gesftpserver /usr/lib/sftp-server

The symbolic link is required so that SSH/SFTP clients find the SFTP command at the expected location, so this doesn’t need to be changed client-wise. This “green-end” SFTP server implementation supports newer protocol versions as well, although don’t ask me what the benefits are and which clients do actively use those :slight_smile:.

MichaIng

There is no need for external access if I understood the OP correctly. Therefore no need for any encryption.

Personally I’m using SCP inside my local network. Easy to set up (OpenSSH Client - software ID 0). It is working OOTB with all OS users and gives me access to all directories without any configuration needed.

Yes, this was more for completeness as other users may read this topic with pregnant heading as well :wink:. As you say, that it works mostly OOTB and doesn’t require any additional setup or server process is an additional benefit. SCP and SFTP are pretty much the same when it’s for single file transfers. The protocols are different, strictly seen, and SFTP allows interactive sessions with file browser like features, but when using e.g. WinSCP or simply curl as client, both work pretty much the same.

When I added the following lines at the bottom of the file “/etc/ssh/sshd_config”

Match User dietpi
        X11Forwarding no
        PermitTTY no
        ChrootDirectory /mnt/dietpi_userdata
        ForceCommand internal-sftp -u 0002

My WinSCP Windows software is not able to connect to the server with an SFTP connection. Before adding these lines, the system was able to connect to the server through SFTP.
For the Windows PC I have mapped the SFTP as a network drive following the guidelines of https://github.com/billziss-gh/sshfs-win and mapped the network drive as “\sshfs\dietpi@192.168.1.74/…/…/mnt/dietpi_userdata”, and the system was working, and I was able to replace Dropbear, ProFTPD and the Samba share with only OpenSSH. So overall the system works as per my requirement. The only thing I want to add is an SFTP jail to “/mnt/dietpi_userdata” for the dietpi username. This is the reason I added these lines. But after adding these lines, the system refuses to connect to the server.
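
Added example, not part of the thread: sshd_config(5) requires every component of a ChrootDirectory path to be a root-owned directory that is not writable by group or others, which is worth ruling out when a login is refused after adding such a Match block. The script below checks this for a given path; it assumes GNU stat, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): audit a directory before using it as
# sshd ChrootDirectory. Assumes GNU stat (Debian/DietPi); names are made up.

# component_ok UID MODE: succeeds only for a root-owned entry whose octal
# MODE has neither the group-write nor the other-write bit (mask 022) set.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: sshd inspects every path component, so walk from
# DIR up to / and report each one. Returns 0 only if all components pass.
check_chroot_path() {
    p=$1
    rc=0
    case $p in
        /*) ;;
        *) echo "ChrootDirectory must be an absolute path: $p" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$p" ]; then
            echo "FAIL $p (not a directory)"
            rc=1
        else
            uid=$(stat -L -c %u "$p")
            mode=$(stat -L -c %a "$p")
            if component_ok "$uid" "$mode"; then
                echo "ok   $p (uid=$uid mode=$mode)"
            else
                echo "FAIL $p (uid=$uid mode=$mode) needs root owner, no g/o write"
                rc=1
            fi
        fi
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# Stand-alone use: sh check_chroot.sh /mnt/dietpi_userdata
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Running `sshd -t` as root after editing the configuration catches syntax errors before the service is restarted.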

Why are you not going to use Samba?

It is my personal preference. I want to stay away from the Apple or Windows ecosystem. I want to use a generic approach, so that I am able to understand the OpenSSH and SFTP concepts. In future I will be able to configure cheap generic cloud storage with OpenSSH authorization keys etc. So OpenSSH/SFTP forms a base for my knowledge, configuration or cloud storage hub for the home network. Please guide me on how to confine the SFTP connection for the dietpi user to the “/mnt/dietpi_userdata” directory only, replicating the FTP user approach of the DietPi FTP server. Thanks

If you are using key authentication and the key is not in /mnt/dietpi_userdata, well… I suppose you see the issue.
FYI Samba is not part of any ecosystem.

Ah good point about the key, that would explain it. Although, I’d have expected the authentication to happen before the chroot :thinking:.
Also I’m currently not sure if PermitTTY no breaks SFTP via WinSCP. It is no shell session, but still an interactive session.

Otherwise using the “/…/…/mnt/dietpi_userdata” path is a good alternative.