Installation and configuration of SFTP on Windows using OpenSSH software
9:02 AM
The setup requirements are as follows:
- Users should have full rights on their SFTP home directory but must not be able to access other data or server data.
- Each user should log on directly into their own SFTP home directory.
- OpenSSH software installation and configuration.
- Rights assignment on folders for users to achieve security.
- Create and configure users.
1. OpenSSH software installation and configuration:
The install file (the OpenSSH for Windows 3.8p1-1 build) can be downloaded from "http://sourceforge.net/projects/sshwindows/files/OpenSSH%20for%20Windows%20-%20Release/3.8p1-1%2020040709%20Build/".
i) Run the installer "setupssh.exe".
The installer puts the default path "C:\Program Files\OpenSSH" into the Install Location textbox. To install somewhere else, select "Browse" and pick the location.
ii) Run the OpenSSH service "opensshd" under a dedicated service account "sshd":
a) Create the service account named "sshd".
b) Check that the account's password is set never to expire.
c) Add the service account (sshd) to the Administrators group.
d) Assign the service account (sshd) the appropriate rights with ntrights (from the Windows Resource Kit tools). The three SeDeny* rights stop the account from logging on interactively or over the network, while SeServiceLogonRight lets it run as a service:
ntrights +r SeAssignPrimaryTokenPrivilege -u sshd
ntrights +r SeCreateTokenPrivilege -u sshd
ntrights +r SeDenyInteractiveLogonRight -u sshd
ntrights +r SeDenyNetworkLogonRight -u sshd
ntrights +r SeDenyRemoteInteractiveLogonRight -u sshd
ntrights +r SeIncreaseQuotaPrivilege -u sshd
ntrights +r SeServiceLogonRight -u sshd
e) Grant the service account (sshd) Read, Read & Execute and List Folder Contents permissions on the OpenSSH folder and its subtree.
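A way to confirm that step d) actually took effect, as an added example that is not part of the original post: export the local security policy with secedit and check that the sshd account's SID holds each of the seven rights listed above. It assumes an elevated PowerShell session on the server and the account name "sshd" used in the post.

```powershell
# Added example (not part of the original post): verify the user-rights assignment
# made for the "sshd" service account above by exporting the local security policy
# with secedit and parsing the [Privilege Rights] section it writes.
# Assumes: run from an elevated PowerShell on the server, and the account name "sshd"
# used in the post.

$Account  = 'sshd'
$Expected = @(
    'SeAssignPrimaryTokenPrivilege',
    'SeCreateTokenPrivilege',
    'SeDenyInteractiveLogonRight',
    'SeDenyNetworkLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeIncreaseQuotaPrivilege',
    'SeServiceLogonRight'
)

# secedit lists the holders of each right as SIDs prefixed with '*', so resolve the
# account's SID once up front.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Exported lines look like:  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1011
$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

foreach ($right in $Expected) {
    $holders = @($rights[$right])
    # Holders are normally SIDs, but some builds write plain names; accept either.
    $ok = ($holders -contains $sid) -or ($holders -contains $Account)
    '{0,-36} {1}' -f $right, $(if ($ok) { 'OK' } else { 'MISSING' })
}
```

Each right prints OK or MISSING; a MISSING line for one of the SeDeny* rights is the one to chase first, since those are what keep the service account from being used as an ordinary logon account.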
2. Create and configure users:
i) Generate the group and passwd files from the local Windows accounts:
cd C:\Program Files\OpenSSH\bin
mkgroup -l > ..\etc\group
mkpasswd -l > ..\etc\passwd
The -l (--local) option prints local user accounts only. mkpasswd also accepts the following options:
   -l,--local              print local user accounts
   -c,--current            print current account, if a domain account
   -d,--domain             print domain accounts (from current domain
                           if no domains specified)
   -o,--id-offset offset   change the default offset (10000) added to uids
                           in domain accounts.
   -g,--local-groups       print local group information too
                           if no domain specified
   -m,--no-mount           don't use mount points for home dir
   -s,--no-sids            don't print SIDs in GCOS field
                           (this affects ntsec)
   -p,--path-to-home path  use specified path and not user account home dir or /home
   -u,--username username  only return information for the specified user
   -h,--help               displays this message
   -v,--version            version information and exit
ii) In the passwd file, set the SFTP home directory for each user. For example, user "maamir" should be confined to the location "E:\OpenSSH\maamir".
Passwd file sample:
maamir:unused_by_nt/2000/xp:1010:513:maamir,U-SERVER1\maamir,S-1-5-21-2522548959-1238643421-2395724025-1010:/cygdrive/e/OpenSSH/maamir:/bin/switch
In the passwd line above, the Windows location "E:\OpenSSH\maamir" is written in Cygwin notation as the home field "/cygdrive/e/OpenSSH/maamir" (the sixth colon-separated field).
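The path conversion described above, done by a script rather than by hand, as an added example that is not part of the original post: it maps an absolute Windows path to its /cygdrive form and writes it into the home field of a passwd line. It assumes the seven-field layout shown in the sample (name:pw:uid:gid:gecos:home:shell) and takes a line produced by "mkpasswd -l" as input; the input line below is constructed from the post's sample user with a default /home/<user> home.

```powershell
# Added example (not part of the original post): rewrite the home field of a passwd
# line so the user lands in a chosen Windows folder, converting the path to the
# /cygdrive form used in the sample above.
# Assumes: the seven-field layout name:pw:uid:gid:gecos:home:shell shown in the
# sample, and a line produced by "mkpasswd -l" as the input.

function ConvertTo-CygdrivePath {
    param([Parameter(Mandatory)][string]$WindowsPath)
    # Only absolute drive-letter paths map onto /cygdrive/<letter>/...
    if (-not ($WindowsPath -match '^([A-Za-z]):[\\/](.*)$')) {
        throw "Expected an absolute drive path such as E:\OpenSSH\maamir, got '$WindowsPath'"
    }
    $drive = $matches[1].ToLower()
    $rest  = $matches[2] -replace '\\', '/'
    return "/cygdrive/$drive/$rest".TrimEnd('/')
}

function Set-PasswdHome {
    param(
        [Parameter(Mandatory)][string]$PasswdLine,  # one line from ..\etc\passwd
        [Parameter(Mandatory)][string]$HomeDir      # Windows folder to use as the SFTP home
    )
    $fields = $PasswdLine -split ':'
    if ($fields.Count -ne 7) { throw "Malformed passwd line (expected 7 fields): $PasswdLine" }
    $fields[5] = ConvertTo-CygdrivePath -WindowsPath $HomeDir   # home is the sixth field
    return ($fields -join ':')
}

# Constructed input: the post's sample user as mkpasswd -l would list it with a
# default /home/<user> home, before the home field is changed.
$original = 'maamir:unused_by_nt/2000/xp:1010:513:maamir,U-SERVER1\maamir,S-1-5-21-2522548959-1238643421-2395724025-1010:/home/maamir:/bin/switch'
Set-PasswdHome -PasswdLine $original -HomeDir 'E:\OpenSSH\maamir'
```

For the sample user this yields the home field /cygdrive/e/OpenSSH/maamir, matching the passwd line shown above; a relative path or a UNC path is rejected rather than silently written into the file.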
3. Rights assignment to users on folders to achieve security:
i) Create the users in Windows, e.g. username "maamir".
ii) Create a group named "SFTP_deny" in Windows and add the SFTP users as members of this group.
iii) On C: and every other drive, assign a Deny "List Folder Contents" NTFS permission to the "SFTP_deny" group.
iv) For each user's SFTP home directory (e.g. user "maamir" with the SFTP home directory "E:\OpenSSH\maamir"), assign full rights to user "maamir" on the folder "maamir" located under "E:\OpenSSH\" and remove the "SFTP_deny" group from that folder's permissions, so the deny set at the drive root no longer applies there.
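An audit of the NTFS layout from steps ii) to iv), as an added example that is not part of the original post: it checks that every drive root carries a Deny entry for SFTP_deny that includes the list-directory right, and that each user's home grants that user Full Control and carries no SFTP_deny entry. It assumes the group name SFTP_deny and the E:\OpenSSH\<user> layout from the post, and an elevated PowerShell session on the server.

```powershell
# Added example (not part of the original post): audit the NTFS layout from section 3.
# Every drive root should carry a Deny "List Folder Contents" entry for SFTP_deny, and
# each user's SFTP home should grant that user Full Control and carry no SFTP_deny entry.
# Assumes: the group name SFTP_deny and the E:\OpenSSH\<user> home layout from the post;
# run from an elevated PowerShell on the server.

$DenyGroup = 'SFTP_deny'
$Homes = @{ 'maamir' = 'E:\OpenSSH\maamir' }   # user -> SFTP home folder; extend as needed
$ListDir = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory

function Test-DriveDeny {
    param([string]$Root)
    # "List Folder Contents" in the GUI is Read & Execute applied to folders only, so
    # accept any Deny entry for the group whose rights include ListDirectory.
    $hit = (Get-Acl -Path $Root).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like "*\$DenyGroup" -and
        (([int]$_.FileSystemRights) -band $ListDir) -ne 0
    }
    return [bool]$hit
}

function Test-HomeAcl {
    param([string]$User, [string]$Path)
    $access = (Get-Acl -Path $Path).Access
    $full = $access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$User" -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    $deny = $access | Where-Object { $_.IdentityReference.Value -like "*\$DenyGroup" }
    [pscustomobject]@{
        User             = $User
        Path             = $Path
        HasFullControl   = [bool]$full
        DenyGroupPresent = [bool]$deny
        # An inherited SFTP_deny entry means inheritance was not broken on the home folder.
        DenyInherited    = [bool]($deny | Where-Object IsInherited)
    }
}

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    try   { '{0} deny for {1}: {2}' -f $drive.Root, $DenyGroup, (Test-DriveDeny -Root $drive.Root) }
    catch { '{0} not checked: {1}' -f $drive.Root, $_.Exception.Message }
}
foreach ($user in $Homes.Keys) { Test-HomeAcl -User $user -Path $Homes[$user] }
```

The expected result is True for every drive root and, for each home, HasFullControl True with DenyGroupPresent False. A DenyInherited of True shows that the SFTP_deny entry on the home folder is still coming down from the drive root: an inherited entry cannot be removed directly, so inheritance on that folder has to be disabled before step iv) can be completed.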