I spent some time today getting anonymous SFTP set up on my home server. Why would I want to do that, you ask? Well, for file shares. I have an HTTP server and anonymous FTP server set up to make it easier for people to get at the public shares on the system, but really I’m a big fan of consolidating the protocols in this space. FTP is old and clunky; SFTP has solved many of the issues and is widely deployed. In fact, all my PCs are running an SFTP server, while only one currently runs an FTP server.
This how-to uses the command line. It’s really not that hard; just type exactly what I tell you to.
First, make sure you have the SSH server installed:
sudo apt-get install openssh-server
Next, create a new user:
sudo adduser --disabled-password anonymous
Then, edit the /etc/shadow file to make the password actually empty:
sudo ${EDITOR=gedit} /etc/shadow
Go to the last line and change the anonymous:*: to anonymous::
Edit /etc/passwd so that the empty password is allowed and the login shell is set to /usr/lib/sftp-server:
sudo ${EDITOR=gedit} /etc/passwd
Go to the last line and change anonymous:x: to anonymous:: and also change the value on the end of the line (it will either be /bin/bash or /bin/sh) to /usr/lib/sftp-server.
Next, you need to allow sftp-server as a valid shell.
sudo su
echo /usr/lib/sftp-server >> /etc/shells
exit
You also need to allow PAM to accept blank passwords for SSH sessions, so:
sudo ${EDITOR=gedit} /etc/pam.d/sshd
Change the line that reads @include common-auth and replace it with:
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
Finally, you need to set the SSH server to allow blank passwords.
sudo ${EDITOR=gedit} /etc/ssh/sshd_config
Find the line that reads PermitEmptyPasswords no and change the no to a yes.
Restart sshd with:
sudo /etc/init.d/ssh restart
And you’re done!
Warning: make sure the anonymous user does not have access to files you do not want anyone to have access to! Ubuntu by default makes way too many things world-readable. This how-to is not about file permissions, but make sure your private files are set so that only your user can read them!
6 Responses
mopmne •
FAIL. This is not an anonymous SFTP environment akin to the chrooted FTP anonymous environment. This is unwise in a production environment to do.
Stephen Paul Weber •
@mopmne You could use rssh or similar to set up a chroot jail. That’s more complex than I wanted to do in this how-to. Also, I disagree with your “unwise” comment… assuming you have sane permissions on your files, this should be perfectly safe.
Anonymous •
This is not very bright at all. People please do not do this.
Stephen Paul Weber •
Standard disclaimers about any network service apply. You should secure this according to your environment. Contrary to popular belief, there is nothing inherently less safe about a guest UNIX account vs other forms of guest access. Just secure it properly. Some people may choose to use rssh or similar to do that. If you keep your sshd up to date and keep your file permissions set correctly, this should be much safer than you seem to think it is 🙂
newjack •
OpenSSH now supports chroot jailing specific users, see the ChrootDirectory and Match directives.
See this article: http://www.debian-administration.org/articles/590
While anonymous sftp isn’t as horrifying as the above commenters make it seem, the instructions are missing a few important security measures:
– Disable X11 and TCP forwarding for that user in sshd_config
– If the user is not in a jail (bad idea), then at least set the global umask so that newly created files are not world-readable. A umask of 0027 works. On Debian systems, this can be set in /etc/login.defs
Production systems shouldn’t have world-readable non-system files in the first place.
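The how-to above turns on PermitEmptyPasswords for the whole server and gives the account an ordinary login, while newjack’s comment names the directives that confine it (Match, ChrootDirectory, and disabling X11 and TCP forwarding). As an added example, not code from the post or from OpenSSH, here is a small Python audit that parses an sshd_config and reports which of those directives are missing for the anonymous user; the /srv/anon path and the list of required directives are assumptions, and note that sshd only accepts a ChrootDirectory whose path components are root-owned and not group- or world-writable.

```python
import re
# Constructed sample: the global-only setup from the how-to (no Match block).
WEAK_CONFIG = """\
PermitEmptyPasswords yes
"""
# Constructed sample: the same account confined by a Match block; /srv/anon is an assumed path.
HARDENED_CONFIG = """\
PermitEmptyPasswords no
Subsystem sftp internal-sftp
Match User anonymous
    PermitEmptyPasswords yes
    ChrootDirectory /srv/anon
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
"""
# Directives the Match block must carry (assumed list): lowercased keyword -> value (None = any path).
REQUIRED = {"chrootdirectory": None, "forcecommand": "internal-sftp", "x11forwarding": "no", "allowtcpforwarding": "no"}

def parse_sshd_config(text):
    # Returns (global settings, {match condition: settings}); sshd_config keywords are case-insensitive.
    global_settings, matches, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'key value' or 'key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # every line after a Match line belongs to that block
            current = matches.setdefault(value.lower(), {})
        elif current is None:
            global_settings[key] = value
        else:
            current[key] = value
    return global_settings, matches

def audit_anonymous_sftp(text, user="anonymous"):
    # Empty list means the account is confined; a global PermitEmptyPasswords yes covers every empty-password account.
    global_settings, matches = parse_sshd_config(text)
    findings = []
    if global_settings.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords yes is global; scope it inside Match User")
    block = matches.get(f"user {user.lower()}")
    if block is None:
        return findings + [f"no 'Match User {user}' block: account is not confined"]
    for key, want in REQUIRED.items():
        have = block.get(key, "").lower()
        if not have or (want and have != want):
            findings.append(f"Match User {user}: {key} is {have!r}, expected {want or 'a path'}")
    return findings
```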
Stephen Paul Weber •
Chroot is not a good security mechanism. And yes, having a sensible umask is something you should always do.