Setup SFTP server in Windows using OpenSSH with public key authentication, folder jailing

Captions
Hi friends, welcome to the Taming Python series. In this video we're going to talk about how to set up an SFTP server using OpenSSH and an SFTP client using WinSCP on a Windows machine. Why do we need SFTP? SFTP is actually FTP over SSH, and it's a secure way of doing FTP. So now let's talk about how to set up an SFTP server in Windows using OpenSSH.

The first step is you have to go to this link and download the OpenSSH zip file. You can just right-click and open this link, and here you can see there is a search, and you can see the latest Win64 zip file, OpenSSH-Win64.zip. You have to download this zip file; I already downloaded it, so this is the zip file I have downloaded here. If you open the zip file you can see OpenSSH-Win64, which has all the files. I have extracted this zip file and created a folder in C:\Program Files called OpenSSH, and this folder should contain all of the contents of the OpenSSH zip file which you have just downloaded. So that was the first step: download the zip file and extract it to the location C:\Program Files\OpenSSH.

Now you have to install OpenSSH. For that I'm going to open my command prompt as an administrator. Then I have to change to the OpenSSH directory which I have created just now in C:\Program Files. In order to change the directory I'll just copy the path of that location; I'll Ctrl+C it here, and here I'm going to write cd and inside quotes I'm going to paste this location. So now I'll change my directory to the OpenSSH directory, and now I'll install OpenSSH using a command: powershell.exe and install-sshd.ps1. This directory has a file called install-sshd.ps1, and this actually installs your OpenSSH server. Let me copy this command and use it there, and now you can see the OpenSSH server is installed successfully.

You can see there are two services which are created, sshd and ssh-agent. These two services are created in Windows as background services, and they actually serve as our SSH server infrastructure. In order to verify whether I have created these services successfully, and in order to manage these services, I'll just open services.msc: I'll write services.msc, and I'm going to see OpenSSH Authentication Agent and OpenSSH Server. These two services are created by running the command which we have just run. One thing I want to do here is, instead of keeping the startup type as Manual, I want to set the startup type to Automatic, because if you keep the startup type as Automatic these services will start as soon as the server is started. So I'll just right-click and select Properties, Startup type: Automatic, OK, and then also on the OpenSSH Authentication Agent: right-click, Properties, Startup type: Automatic, OK. So you can see these two services are basically the SSH server and the SSH authentication agent.

Now, since the SSH server is created, if you want the server to be exposed to external services, like in your network or over the internet, you have to create the relevant firewall policies to expose the SSH server to external parties. By default this SFTP server uses port 22, so you have to allow port 22 in your firewall policies. And that's it; by following very simple steps you are able to successfully install an SFTP server on your Windows machine.

In the previous method which I have explained, I have taken a zip file from GitHub and used that zip file to install the service. But in newer versions of Windows they have actually given the OpenSSH server as an optional feature, and you can just enable it without downloading any external packages from a third party. It's really simple if you have a newer version of Windows: to use OpenSSH just click on the Windows button and search for Optional Features. You can see Manage optional features; click on that. Here, if you have the OpenSSH server already installed, you can search in the installed features: write OpenSSH, and you can see they've already installed the OpenSSH client, but I don't have the OpenSSH server installed on my PC. If you want to add that feature just click on Add a feature and search for OpenSSH Server, and you can see I've got this OpenSSH Server option; if I check this and install it, then the OpenSSH server will be installed on my computer. So this is another easy way, and this is provided by the Windows operating system itself. This is how you can set up an SFTP server in your version of Windows; it's easier, but for this video we're going to use the zip file version, and we have already installed this on our computer.

Now that we have set up a local SFTP server on our computer, let's try to connect to it using an SFTP client. WinSCP is a great SFTP client to connect to your SFTP server. You can download WinSCP from this link, and after you download you'll get an exe file something like this. If you install this exe file and click the Windows button, you will get a software called WinSCP, something like this. Open WinSCP; after you open it, it should look something like this. Now let's try to create a new session by clicking on this New Session button. I have to connect to my local SFTP server, so the host name will be localhost, and the SFTP server is listening at port 22. The username is the username of my computer and the password is the password of my computer. Now let's try to log in to my local SFTP server.

All right, I ran into an error something like this; it is telling that the server is not present. But if you open services.msc and search for OpenSSH, you can see the status is not running, because we have installed the services just now and we have to manually start the services for the first time. So let me try to start both these services. If you get an error like this after installing, check once whether your server is running or not, although it is not necessary the next time, because once you restart the server it will be automatically started; this is required only for the first time. Now let's try to reconnect again, and you can see I'm able to connect to my SFTP server, and I've landed in the folder of the user, that means C:\Users\username. So now we are sure that we have successfully created an SFTP server, and we are able to browse the server folders using WinSCP.

The method we used to connect to the SFTP server just now is password-based authentication. That means you are supplying the credentials of an operating system user to connect to the SFTP server, which means the person who needs to connect to the SFTP server should know your operating system credentials, and this might not be what you want; you want your SFTP client to just access the folder, not the operating system. That's exactly the downside of using password-based authentication in SFTP. One more drawback is that if you want to change the user password you have to change the operating system user password, and when the user enters the password it's transmitted over the network; that means the operating system user password is transmitted over the network, which is not that desirable. So how can we mitigate this problem? We can use public key based authentication in SFTP. That means you will create a public and private key pair, and while connecting to the SFTP server you will use your private key to authenticate yourself, so you are not using the operating system password or anything related to the operating system; you are actually using just the public and private key pair. The user using SFTP doesn't know the OS user password. One more thing is that for a single OS user you can create multiple public/private key pairs; you can easily change the user's private key and you don't need to bother about the user's operating system password. And if you want to revoke the access of an SFTP client, just remove the public key from your server; that means you don't need to lock out the operating system user in order to stop an SFTP client from connecting to your server.

So how can you create this public key based authentication in an SFTP server in Windows? It's really simple actually; there are some steps involved, so let's go through each step one by one. The first step is to create a public and private key pair. I'm going to show you two methods to create a public and private key pair. The first method is using ssh-keygen.exe, and this exe file can be found in the zip file which you extracted into the Program Files\OpenSSH folder. Let me go to the Program Files folder again: Program Files, OpenSSH, and here there is a file called ssh-keygen.exe. Just open a command prompt and run ssh-keygen.exe, and then you can create a public/private key pair. I'm going to this folder, Program Files\OpenSSH, and I'm going to open a command prompt here; I'll just write cmd here, and now I'll run ssh-keygen.exe and press Enter. By default the key will be saved in C:\Users\username\.ssh\id_rsa, so let's go ahead and press Enter. It's asking for a passphrase; that means if you want to protect your private key with a password you can enter the passphrase here. The intention is that if the private key falls into the wrong hands they can't use it because they don't know the password, so it's an extra level of security for securing the private key. For now I'm not giving any password for the private key, so I'm just pressing Enter, Enter, and now you can see the public key has been saved in id_rsa.pub and the private key was saved in the id_rsa file. The folder location is C:\Users\username\.ssh, so let's try to open this folder location: Users, username, and the .ssh folder. Search for the .ssh folder, and here I've got my public and private key pair generated: .pub is the public key and the file without any extension, id_rsa, is the private key. Let's see how they look. I'll open the public key first: I opened the public key file in Notepad, so this is the public key file. I'll open the private key file in Notepad now, and this is the private key file generated by ssh-keygen. So it's really simple to create a public/private key pair, just run the exe file.

If you don't want to use ssh-keygen.exe, there is one more program called puttygen.exe, so let's try to use that. Download PuTTYgen from this link; you will get a puttygen.exe, this is the exe file. Just double-click this file and you can see PuTTY Key Generator. Just click on Generate, and it is generating a public/private key pair. It's asking to please generate some randomness by moving the mouse over the blank area, so I'm just moving the mouse over this blank area, and you can see my public and private key are generated. If you want to save this public and private key, I have to click on Save public key; here I'm going to give some name like pub, so this is my public key, I'm saving it here, I've got my public key. And then Save private key: it asks whether you want to save this without a passphrase. If you want a passphrase you could have entered it here, but I did not write a passphrase, so it's asking this; I'll just click Yes and I'll write "private key" with .ppk, Save, and now you've got this public key and private key. The pub file is just the public key, so let me try to open this now: this is my public key, and the .ppk file is public and private; it contains both the public and private key in the same file. Let me try to edit and see the contents of this file: here you can see Public-Lines, this is the public key, and Private-Lines, this is the private key. So that's it; this is how you can use puttygen.exe to create a public and private key pair, but in this video we will use the public and private key pair generated by ssh-keygen.exe. All right, we completed step one, which is to create a public and private key pair.

Let's move to step two. Step two is to place the public key on the SFTP server. How public key authentication works is that your SFTP server will store the public key in a list of public keys, and when you try to connect to the server using a private key it will evaluate your public key and private key pair and authorize you. So for public key authentication to work you have to keep your public key in the authorized keys file of your SFTP server. Basically we have to just append your public key to a file called C:\Users\username\.ssh\authorized_keys. Let me try to open that file now: I'll go to C:\Users\username\.ssh, and I don't have the authorized keys file, so let me generate the authorized keys file now. I'll just right-click, New, Text Document, write authorized_keys, and no extension; remove the extension, just create a file called authorized_keys. You have to generate this file on the SFTP server, not on the client. Let's edit this file with Notepad, and in this Notepad file you have to append your public key. You can see my public key which I generated using ssh-keygen is present here, id_rsa.pub. I'll just open it now, Ctrl+A, Ctrl+C, copy this file, open the authorized_keys file and Ctrl+V. So now I have appended my public key contents into the authorized_keys file. If you have a new public key, just paste it here again as a new line; in this way a single user can authenticate multiple clients with different public/private key pairs. I'll just save this authorized_keys file and close it, and that's it; this is step two, placing the public key on the SFTP server.

And step four is changing the access control list of the authorized_keys file on the SFTP server. For SFTP to function correctly with public/private key authentication we have to change the access control list of this file so that only the Administrators user group and the SYSTEM user have access; others should not have access to this file. Even though it seems complicated, the command is really simple: run icacls.exe, which basically changes the ACL of a file, and give the path of the file. In our case we want to change the access control list of the authorized_keys file, so I've given the path of the authorized_keys file, and I'm telling it to grant Administrators full permission and SYSTEM full permission. Basically this is the command; I'm going to just copy this command and open a command prompt now. In the command prompt I'll paste my command, and here I'll correct my path as per my system, so I have to replace the username with my system username, and hit Enter. Now I have successfully changed the access control list of the authorized_keys file. Let's try to open the authorized_keys file in my folder: if you right-click and see the properties of this file and the Security tab, only Administrators and SYSTEM have full access. So if I just double-click this file and try to open it with Notepad you will get permission denied, because I am using this system with my username, not as the administrator. If you want to open this file with Notepad you have to open Notepad as administrator first and then open this file. So, to view the contents of this file, open Notepad as an administrator. Now my Notepad is open as an administrator; I'll just copy this file path, File, Open, select All Files, open authorized_keys, and now you are able to edit the authorized_keys file because you opened Notepad as an administrator. That's it; it was very simple, running a simple command changed the access control list of the authorized_keys file on the SFTP server.

Now the last step is editing the SSH server configuration so that it actually obeys public/private key authentication and disables password-based authentication. That can be done using the sshd_config file, which is located in the C:\ProgramData\ssh folder. If the ProgramData folder is not showing, go to View, Hidden items, check Hidden items and then you will see ProgramData as a hidden folder. Open ProgramData, open the ssh folder, and here you will see a file called sshd_config; this is how you can configure your SSH server. Right-click on this file and you can edit it with Notepad, Open with Notepad. If you have VS Code you will get more syntax highlighting, so let me open this with VS Code: right-click, Open with Code, and here in VS Code I get my syntax highlighting too.

So what changes should I make to enable public/private key based authentication? It's really simple; you have to just make sure that these lines are present in your sshd_config file. Let me see the first line, which is PubkeyAuthentication yes. Here you can see PubkeyAuthentication yes is commented out using this hash, so let me remove that hash; now this line is active, PubkeyAuthentication yes. You can see I am unable to save this file because I'm not an administrator; let me try to save it at the end. The next line is AuthorizedKeysFile, and this is the location of the authorized keys file; you can see the AuthorizedKeysFile line is already present, so I'm not changing anything here. The next one is PasswordAuthentication no; here you can see PasswordAuthentication yes, so just remove this hash and write PasswordAuthentication no, and PermitEmptyPasswords no, I don't want empty passwords. And then Subsystem sftp internal-sftp: I've got a line called Subsystem sftp sftp-server.exe; instead of sftp-server.exe I just write internal-sftp. And then Match User username and all this, so let me copy this; I'm going to remove this and paste it here. Match User username, so I'll write my computer username, and here I'm telling X11Forwarding no, AllowTcpForwarding no, PermitTTY no, and ForceCommand internal-sftp, PasswordAuthentication no. These are all security hardening directives which ensure secure user access to the SFTP server. And at the end you have to comment out these two lines, so here I'll just comment out these two lines because I'm not dealing with administrators_authorized_keys. I have commented out these lines, but if it is your requirement then you can use these lines. All right, I've made all the changes in the sshd_config file so that I can use public key authentication. Now, to save this file, since I have not opened VS Code as an administrator, I'll just copy the contents of this file, open Notepad as administrator, paste my file contents and save this file as the appropriate file: Save As, go to C:\ProgramData\ssh, All Files, sshd_config, Save. So now I have saved my sshd_config file; I'll just close it now.

All right, we have completed all the steps required to enforce public/private key authentication on an SFTP server, so let's try to connect to our SFTP server using the public/private key pair. I'm going to open WinSCP again and try to connect to my SFTP server. I'll create a new session, New Site, localhost, port number, username, the username of the PC. Let me try to use the password and let us see whether it will accept the password or not. Click Login, and it is telling Access denied. All right, now I'll click Cancel and remove this password. Now let me try to use the private key to connect to the SFTP server. In order to use the private key, just click on the Advanced button on the left, under the SSH section select the Authentication menu, and here use your private key. I'll just open this Browse button and select the private key present in my username\.ssh folder; by default it has come to the same folder, C:\Users\username\.ssh. Remember that using ssh-keygen we created our private key in this folder only, but here you have to select All Files and select your private key, which is id_rsa; remember .pub is the public key file and id_rsa is the private key. Select this private key, click Open, and it will say it is in the OpenSSH private key format and ask to convert it to the WinSCP .ppk format; click OK, no problem, and it will store the .ppk file in the same folder with the extension .ppk. Click Save, click OK, and now your private key is imported into WinSCP. Click OK, and now you will be able to use the private key to connect to the SFTP server. I am not supplying the password; I'm supplying the private key in the Advanced settings. Let me try to log in now, and now you can see that without using the password, and using a private key, I am able to create an SSH session and connect to the SFTP server. We have successfully used public/private key pair authentication to connect to your SFTP server.

The next thing we are going to talk about is called folder jailing. That means when I log in my user, I am able to see all the files at the level of the user, so if the username is username you can see all the folders called Videos, Templates, Start Menu, Source and so on inside that user. But if you want to restrict the user to a single folder, where the user can go to the child folders but not to the parent folders, it's called folder jailing. Suppose I want to restrict the user to this Pictures\Screenshots folder; that means the user can go inside the subfolders of the Screenshots folder but can't go to the parent folders of the Screenshots folder. It's called folder jailing. So if you want to jail this user to the Pictures\Screenshots folder you have to edit the sshd_config file. Once again I'm going to open the sshd_config file: I'm going to open Notepad as an administrator, copy this file path and open that file, File, Open, All Files; I already have this file path pasted here, so open the sshd_config file and insert the user settings. I will add one more line, which is for folder jailing, so I'll just create a new line here and write something like this: ChrootDirectory, pointing to another folder. Let's copy this line and paste it here. What this means is that the user folder inside the computer, \Pictures\Screenshots; that means the user can't go above the Screenshots folder. I'll just save this file, close this, and now I'll restart my SFTP services in services.msc: just right-click on the OpenSSH Server, Restart, right-click the Authentication Agent, Restart. Now let me open WinSCP and try to connect to the SFTP server again. Just remove this session, create a new session, the host name will be localhost, port number 22, username, no password, go to Advanced, and in the Authentication section make sure you have the private key selected. I'll select the private key file again; it was already generated before, so let's select the private key, click Open, click OK and click Login. And now you have successfully logged in to the folder which you jailed the user to; that means I can't go above this root folder because I don't have the permission. But you can create a new folder here, right-click, New, Folder, and name it whatever you want, and you can go inside this folder; you can go to the folders below the Screenshots folder but you can't go above the Screenshots folder. This is a very convenient and secure way to restrict your users to a single folder.

So that's it guys, this is how to set up an SFTP server in Windows and an SFTP client in Windows using OpenSSH and WinSCP. I have covered how to set up password authentication, how to set up public key/private key authentication, and some practical examples with folder jailing. You can see I have created a blog post on this with all the steps and images, so that you can go through and create the SFTP server on your own computer or your own server; be sure to check out the link to this blog post in the description of this video. I have also given references to the documentation links: this is a very good documentation by WinSCP on how to set up Windows OpenSSH Server, and this is the official documentation from Microsoft which explains how to set up an OpenSSH SFTP server in Windows. If you want to give feedback on this video, kindly use the comment section. Hope you like this video guys, thank you for watching.
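The procedure the video walks through by hand (install the server, set the services to start automatically, open the firewall, create a key pair, append the public key to authorized_keys and lock its ACL, harden sshd_config, jail the user with ChrootDirectory) collected into one PowerShell script, as an added example; this is not the video's own code or from its blog post. It is run from an elevated PowerShell on the server, and the account name, the ed25519 key type (the video accepts ssh-keygen's RSA default) and the jail folder are assumptions to change for your machine. Two details the video's steps silently depend on are made explicit in the comments: every directive after a Match line belongs to that block, so the Match block has to be the last thing in sshd_config, and the stock Windows sshd_config contains a Match Group administrators block that points administrators at a different authorized_keys file, which is why the video comments those two lines out.

```powershell
# Added example (not the video's code): SFTP-only, key-only, jailed OpenSSH on Windows.
# Run in an elevated PowerShell on the server. Values in the "Assumptions" block are placeholders.
$ErrorActionPreference = 'Stop'

# --- Assumptions: adapt to your machine ---
$SftpUser   = 'username'                                  # existing local Windows account
$JailDir    = "C:\Users\$SftpUser\Pictures\Screenshots"   # folder the user is confined to
$KeyPath    = "$env:USERPROFILE\.ssh\id_ed25519"          # client key (video used id_rsa)
$ConfigPath = "$env:ProgramData\ssh\sshd_config"

# 1. Install the server. The video extracts the GitHub zip to C:\Program Files\OpenSSH and
#    runs install-sshd.ps1; on newer Windows the optional-feature route does the same job.
if (Test-Path 'C:\Program Files\OpenSSH\install-sshd.ps1') {
    Set-Location 'C:\Program Files\OpenSSH'
    powershell.exe -ExecutionPolicy Bypass -File .\install-sshd.ps1
} else {
    Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
}

# 2. Start sshd and ssh-agent now and at every boot (Startup type: Automatic in services.msc).
foreach ($svc in 'sshd', 'ssh-agent') {
    Set-Service  -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 3. Allow TCP/22 inbound. Only needed for remote clients; localhost tests work without it.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# 4. Client key pair. Normally generated on the client; here client and server are one box.
#    ssh-keygen prompts for a passphrase; give one unless you have a reason not to.
if (-not (Test-Path $KeyPath)) {
    ssh-keygen.exe -t ed25519 -f $KeyPath
}

# 5. Put the public key in the user's authorized_keys and restrict the file to
#    Administrators and SYSTEM, as the video does with icacls. sshd ignores the file otherwise.
$AuthKeys = "C:\Users\$SftpUser\.ssh\authorized_keys"
New-Item -ItemType Directory -Path (Split-Path $AuthKeys) -Force | Out-Null
Add-Content -Path $AuthKeys -Value (Get-Content "$KeyPath.pub")
icacls.exe $AuthKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F'

# 6. sshd_config: key-only auth, internal-sftp, and a jailed, SFTP-only Match block.
$cfg = Get-Content $ConfigPath
$cfg = $cfg -replace '^#?PubkeyAuthentication .*',   'PubkeyAuthentication yes'
$cfg = $cfg -replace '^#?PasswordAuthentication .*', 'PasswordAuthentication no'
$cfg = $cfg -replace '^#?PermitEmptyPasswords .*',   'PermitEmptyPasswords no'
$cfg = $cfg -replace '^Subsystem\s+sftp\s+.*',       'Subsystem sftp internal-sftp'
# The stock "Match Group administrators" block sends admins to
# __PROGRAMDATA__/ssh/administrators_authorized_keys instead of the per-user file.
# Comment it out (as the video does) so $AuthKeys is used even if $SftpUser is an admin.
$cfg = $cfg -replace '^(Match Group administrators)', '#$1'
$cfg = $cfg -replace '^(\s*AuthorizedKeysFile __PROGRAMDATA__.*)', '#$1'
# Append the per-user block LAST: everything after a Match line belongs to that block.
$cfg += @"

Match User $SftpUser
    ChrootDirectory $JailDir
    ForceCommand internal-sftp
    PasswordAuthentication no
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
"@
Set-Content -Path $ConfigPath -Value $cfg
Restart-Service -Name sshd

# 7. Checks. The first lands in $JailDir (shown as "/"); the second must be refused.
sftp.exe -i $KeyPath "$SftpUser@localhost"
sftp.exe -o PubkeyAuthentication=no "$SftpUser@localhost"
```

The two sftp.exe calls at the end are the same test the video performs in WinSCP: a key-based login that lands in the jail, and a password attempt that sshd rejects because PasswordAuthentication is off both globally and inside the Match block. To revoke one client, delete its line from authorized_keys; the Windows account itself stays untouched.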
Info
Channel: Learning Software
Views: 39,504
Keywords: tutorial, taming_python, taming_python_skill, sftp, openssh
Id: pOwXn4do7r0
Length: 23min 1sec (1381 seconds)
Published: Tue Mar 08 2022