Singpolyma

Archive for November, 2009

Anonymous SFTP on Ubuntu

I spent some time today getting anonymous SFTP set up on my home server. Why would I want to do that, you ask? Well, for file shares. I have an HTTP server and anonymous FTP server set up to make it easier for people to get at the public shares on the system, but really I’m a big fan of consolidating the protocols in this space. FTP is old and clunky; SFTP has solved many of its issues and is widely deployed. In fact, all my PCs are running an SFTP server; only one currently runs an FTP server.

This how-to uses the command line. It’s really not that hard, just type exactly what I tell you to.

First, make sure you have the SSH server installed:

sudo apt-get install openssh-server

Next, create a new user:

sudo adduser --disabled-password anonymous

Then, edit the /etc/shadow file to make the password actually empty:

sudo ${EDITOR=gedit} /etc/shadow

Go to the last line (the entry for the anonymous user) and change anonymous:*: to anonymous::

Edit /etc/passwd so that the empty password is allowed and the login shell is set to /usr/lib/sftp-server:

sudo ${EDITOR=gedit} /etc/passwd

Go to the last line and change anonymous:x: to anonymous:: and also change the value on the end of the line (it will either be /bin/bash or /bin/sh) to /usr/lib/sftp-server.

Next, you need to allow sftp-server as a valid shell.

sudo su
echo /usr/lib/sftp-server >> /etc/shells
exit

You also need to allow PAM to accept blank passwords for SSH sessions, so:

sudo ${EDITOR=gedit} /etc/pam.d/sshd

Replace the line that reads @include common-auth with:

auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so

Finally, you need to set the SSH server to allow blank passwords.

sudo ${EDITOR=gedit} /etc/ssh/sshd_config

Find the line that reads PermitEmptyPasswords no and change the no to a yes.

Restart sshd with:

sudo /etc/init.d/ssh restart

And you’re done!

Warning: make sure the anonymous user does not have access to files you do not want anyone to have access to! Ubuntu by default makes way too many things world-readable. This how-to is not about file permissions, but make sure your private files are set so that only your user can read them!

Simple HTTP-based File Shares for Ubuntu

This is a simple how-to for setting up automatic file sharing for users’ ~/Public folders in Ubuntu over HTTP with minimal overhead.

While this how-to is simple, it does use the command line. I happen to believe the command line is not so scary as the GUI marketing people would have you think, even to new users. It’s much easier to say “type this” and have a user understand than it is to try to describe the GUI actions.

First, install my subdirs script. This script finds a list of directories containing some other directory, and prints out the path to the subdirectory (if you don’t get that, never mind; you just need to know that you need it installed for this how-to).

sudo wget -O /usr/local/bin/subdirs http://github.com/singpolyma/singpolyma/raw/master/scripts/subdirs
sudo chmod +x /usr/local/bin/subdirs   # lowercase x: +X would leave a plain file non-executable

Then, install the webfs HTTP server.

sudo apt-get install webfs

Edit the config file a bit:

sudo ${EDITOR=gedit} /etc/webfsd.conf

Change the line starting with web_root= to say:

web_root=/var/www

And the line starting with web_port= to say:

web_port=80

Then restart the server by running:

sudo /etc/init.d/webfs restart

Finally, to symlink the shares, run:

subdirs /home Public | while read DIR; do ln -s "$DIR" "/var/www/$(basename "$(dirname "$DIR")")"; done

You’re done!

The last command will have to be re-run every time you add a new user. Or you could add it as the second-last line in your /etc/rc.local file to make it run every time you boot.
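If you would rather have something that is safe to re-run from rc.local, here is an added example (my rewrite for this page, not the post's own script) that replaces the one-liner with an idempotent function: it skips Public folders that are not world-readable (webfs runs unprivileged, so they would only give 403 anyway) and refuses to clobber anything already in the web root. It assumes GNU stat as shipped in Ubuntu's coreutils and does not need the subdirs helper.

```bash
#!/bin/bash
# Added example, not the original post's script: an idempotent replacement for the
# "subdirs ... | while read DIR; do ln -s ..." one-liner, safe to re-run from rc.local.
# Assumes GNU stat (Ubuntu coreutils); it walks HOME_ROOT/*/Public itself, so the
# subdirs helper is not needed.

# True when "others" have read and search (r and x) on the directory: webfs runs as an
# unprivileged user, so a Public directory without o+rx would only ever return 403.
is_world_listable() {
    local mode
    mode=$(stat -c %a "$1") || return 1
    [ $(( (mode % 10) & 5 )) -eq 5 ]
}

# link_public_shares HOME_ROOT WEB_ROOT
# Links WEB_ROOT/<user> -> HOME_ROOT/<user>/Public for every user whose Public
# directory is world-listable, skipping anything already present in WEB_ROOT.
# (Re-running plain "ln -s" against an existing symlink to a directory creates a
# stray link *inside* the user's Public folder instead of failing.)
# Prints the number of links created on stdout; skip reasons go to stderr.
link_public_shares() {
    local home_root="$1" web_root="$2" pub user target linked=0
    for pub in "$home_root"/*/Public; do
        [ -d "$pub" ] || continue                  # unmatched glob or not a directory
        user=$(basename "$(dirname "$pub")")
        target="$web_root/$user"
        if ! is_world_listable "$pub"; then
            echo "skip: $pub is not world-readable (needs o+rx)" >&2
            continue
        fi
        if [ -L "$target" ]; then
            [ "$(readlink "$target")" = "$pub" ] && continue   # already linked
            echo "skip: $target already points elsewhere" >&2
            continue
        fi
        if [ -e "$target" ]; then
            echo "skip: $target exists and is not a symlink" >&2
            continue
        fi
        ln -s "$pub" "$target" && linked=$((linked + 1))
    done
    echo "$linked"
}

# Run as root on the post's layout; re-running it later is harmless:
#   link_public_shares /home /var/www
```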

Now people can just visit your computer in their web browser (if they’re on your local network… to get access from the Internet you have to configure your router, but you probably don’t want that anyway). The address of any Ubuntu computer in a web browser (on a computer that supports mDNS, such as other Ubuntu systems or Apple systems) is just hostname.local. For example, my computer is singpolyma-mini.local. Windows users will have to type in your IP address (unless they install Bonjour for Windows).

You can find your IP address by running:

ifconfig | grep 'inet addr' | grep -v 127.0.0.1 | awk '{ print $2 }'