Sftp server

Andi17
Posts: 2
Joined: Fri Dec 27, 2019 2:40 pm

Sftp server

Post by Andi17 »

Hello all,

I want to run an SFTP server on my DietPi so that friends can access my files from outside with encryption.
Can anyone help me with how I can do this?
Thanks in advance
Joulinar
Posts: 5131
Joined: Sat Nov 16, 2019 12:49 am

Re: Sftp server

Post by Joulinar »

Hi,

Do you already have an SFTP server running on your system? If not, please set up the "OpenSSH" server first. This can be done within the "dietpi-software" settings by changing the SSH server from Dropbear > OpenSSH. Afterwards SFTP should already be working inside your local network. It can be checked with an appropriate SFTP client like WinSCP.

If all this is working, you would need to open Port 22 on your Internet Router / forward port 22 to your DietPi System. But honestly I would not recommend this, because your DietPi system will be accessible from Internet for SSH as well. So you would need to ensure the right protection and Security level for your system. Because every port scanner will find your open SSH Port 22 on the Internet :?
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
MichaIng
Site Admin
Posts: 3105
Joined: Sat Nov 18, 2017 6:21 pm

Re: Sftp server

Post by MichaIng »

There is also a standalone SFTP server available (the OpenSSH one) which can be even used by Dropbear: https://packages.debian.org/buster/openssh-sftp-server

However probably it makes sense to simply switch to OpenSSH to have it on board and combined configurable via /etc/sshd_config.
mail2rst
Posts: 135
Joined: Fri Apr 13, 2018 4:53 pm

Re: Sftp server

Post by mail2rst »

One question regarding file sharing within the local network through a headless server. At this time on my server I have Dropbear installed for SSH & ProFTPD installed as FTP server. What if, instead of installing these two items, I just install the OpenSSH server & with this the SFTP server comes as a BOGO offer? Based on system resource consumption & stability, what is the better way to go? My intent is only local LAN usage. Basically I just want to add PLEX media data to the headless server maybe once a month for two or three hours.
trendy
Posts: 342
Joined: Tue Feb 25, 2020 2:54 pm

Re: Sftp server

Post by trendy »

ftp is more lightweight than sftp or scp. Since you'll be using it inside your lan, I don't see the reason for the cpu overhead to encrypt packets.
mail2rst
Posts: 135
Joined: Fri Apr 13, 2018 4:53 pm

Re: Sftp server

Post by mail2rst »

Thanks for the advice,

But I am leaning more toward the OpenSSH side. The reason is that during idle periods, instead of two applications (Dropbear + ProFTPD), only one thing, OpenSSH, will run. The running resource consumption of OpenSSH may be a little more, but I am sure it will be less than the two applications combined. Even if at the time of transfer there is more load on the CPU due to encryption, time-wise it will be less than 1 hour out of a month.
I have already started this process. Now I want advice on how to create dietpi< proftpd user type in dietpi<openssh user, so that my password for admin or SSH remains root & all other copy-paste SFTP data can be done by the dietpi user, also confining the area to dietpi_userdata for the dietpi user in SFTP. The same functionality/permission DietPi uses for the ProFTPD dietpi user name.
MichaIng
Site Admin
Posts: 3105
Joined: Sat Nov 18, 2017 6:21 pm

Re: Sftp server

Post by MichaIng »

If you don't require the last bit of transfer speed, and especially if you want to transfer data remotely outside of your LAN, I agree that SFTP is the better option and, with OpenSSH, it will just work. You can already access it nearly the same way as you would currently with FTP, just by replacing the scheme ftp:// => sftp://. One difference is that when accessing via SFTP, /mnt/dietpi_userdata is not the default chroot or working directory, but if you don't use the same user for regular SSH logins, you could do it by adding something like

Match User dietpi
        X11Forwarding no
        PermitTTY no
        ChrootDirectory /mnt/dietpi_userdata
        ForceCommand internal-sftp -u 0002

to /etc/ssh/sshd_config, which will restrict access to SFTP and enables more or less the same behaviour as our FTP implementation setups have by default, with /mnt/dietpi_userdata as chroot directory and also the changed umask to have 775/664 modes on new files/dirs. While this mimics the default DietPi FTP setup, of course you could tailor it much better to your specific needs, also with a new SFTP-only user, a real chroot jail and such.

Strictly seen, similar to SCP, SFTP does not require a running process, as both use the SSH server process and only execute the SCP/SFTP related command from there. But with OpenSSH, SFTP is additionally packed right into the SSH server binary, which, among others, is the reason for OpenSSH consuming multiple times more memory than Dropbear. We're talking about a few MiB, but for enthusiasts, also Dropbear can be used perfectly fine as SFTP and SCP server, when those commands are available. Easiest option is installing apt install openssh-sftp-server which installs both and will work just OOTB with Dropbear. There is even a lighter alternative for SFTP only:

apt install gesftpserver
ln -s /usr/libexec/gesftpserver /usr/lib/sftp-server

The symbolic link is required so that SSH/SFTP clients find the SFTP command at the expected location, so this doesn't need to be changed client-wise. This "green-end" SFTP server implementation supports newer protocol versions as well, although don't ask me what the benefits are and which clients do actively use those :).
Joulinar
Posts: 5131
Joined: Sat Nov 16, 2019 12:49 am

Re: Sftp server

Post by Joulinar »

@MichaIng

There is no need for external access if I understood the OP correctly. Therefore no need for any encryption.

Personally I'm using SCP inside my local network. Easy to set up (OpenSSH Client - software ID 0). It is working OOTB with all OS users and gives me access to all directories without any configuration needed.
MichaIng
Site Admin
Posts: 3105
Joined: Sat Nov 18, 2017 6:21 pm

Re: Sftp server

Post by MichaIng »

Yes, this was more for completeness as other users may read this topic with pregnant heading as well ;). As you say, that it works mostly OOTB and doesn't require any additional setup or server process is an additional benefit. SCP and SFTP are pretty much the same when it's for single file transfers. The protocols are different, strictly seen, and SFTP allows interactive sessions with file browser like features, but when using e.g. WinSCP or simply curl as client, both work pretty much the same.
mail2rst
Posts: 135
Joined: Fri Apr 13, 2018 4:53 pm

Re: Sftp server

Post by mail2rst »

When I added the following lines at the bottom of the file “/etc/ssh/sshd_config”

Match User dietpi
        X11Forwarding no
        PermitTTY no
        ChrootDirectory /mnt/dietpi_userdata
        ForceCommand internal-sftp -u 0002

My WinSCP Windows software is not able to connect to the server with an SFTP connection. Before adding these lines the system was able to connect to the server through SFTP.
For the Windows PC I have mapped the SFTP as a network drive following the guidelines of https://github.com/billziss-gh/sshfs-win
& mapped the network drive as "\\sshfs\dietpi@192.168.1.74/../../mnt/dietpi_userdata" & the system was working & I was able to replace Dropbear, ProFTPD & Samba share with only OpenSSH. So overall the system works as per my requirement. The only thing I want to add is an SFTP jail to “/mnt/dietpi_userdata” for the dietpi username. This is the reason I added these lines. But after adding these lines the system refuses to connect to the server.
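
sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by any other user or group, and sshd closes the session after login when that does not hold. The script below is an added example, not part of any post in this thread, that checks this for a path such as the /mnt/dietpi_userdata used in the Match block; the function names and the optional uid/stop arguments are assumptions introduced here.

```shell
#!/bin/sh
# Added example: check sshd's ChrootDirectory ownership/mode requirement.
# Needs a stat that supports -L and -c (GNU coreutils or BusyBox).

# check_component DIR [UID]: succeed if DIR is a directory owned by UID
# (default 0 = root) and not writable by group or others.
check_component() {
    c_dir=$1; c_uid=${2:-0}
    if [ ! -d "$c_dir" ]; then
        echo "FAIL $c_dir: not a directory"; return 1
    fi
    c_owner=$(stat -L -c %u "$c_dir")
    c_mode=$(stat -L -c %a "$c_dir")
    if [ "$c_owner" != "$c_uid" ]; then
        echo "FAIL $c_dir: owner uid $c_owner, expected $c_uid"; return 1
    fi
    # 022 = group-write + other-write bits; the leading 0 makes it octal.
    if [ $(( 0$c_mode & 022 )) -ne 0 ]; then
        echo "FAIL $c_dir: mode $c_mode is group- or world-writable"; return 1
    fi
    echo "ok   $c_dir (uid $c_owner, mode $c_mode)"
}

# check_chroot_path PATH [UID] [STOP]: check PATH and every parent up to
# STOP (default /). UID and STOP are hypothetical knobs for testing on a
# scratch tree; sshd itself expects uid 0 all the way up to /.
check_chroot_path() {
    p_path=$1; p_uid=${2:-0}; p_stop=${3:-/}; p_rc=0
    case $p_path in
        /*) ;;
        *) echo "FAIL $p_path: ChrootDirectory must be absolute"; return 2 ;;
    esac
    while :; do
        check_component "$p_path" "$p_uid" || p_rc=1
        if [ "$p_path" = "$p_stop" ] || [ "$p_path" = "/" ]; then
            break
        fi
        p_path=$(dirname "$p_path")
    done
    return $p_rc
}

# Stand-alone use: pass the chroot path as the first argument.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Saved under a name of your choice and run with /mnt/dietpi_userdata as its argument, it prints one line per path component. `sshd -t` separately validates the syntax of the edited sshd_config before the service is restarted.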