(Original/copy post from http://cloud.ubuntu.com/ami/, http://www.cybersprocket.com/2009/tips-tricks/sftp-tips-tricks/ and http://blog.markvdb.be/2009/01/sftp-on-ubuntu-and-debian-in-9-easy.html) and adapted a little bit.
This consists of three parts:
- setting up an sftp site on EC2
- creating a new user account
- configuring the new user account to do read-only sftp, with no ssh shell privileges
This is intended for transferring files to and from trusted users. I use this as an adequate solution for occasionally sending very large files to clients, using an EC2 instance dedicated to that task. After the transfer is complete, I shut down or delete the instance.
Set up a server using Amazon Web Services EC2, choosing an Ubuntu Amazon Machine Image (AMI). (You can find an AMI using http://cloud.ubuntu.com/ami/. You may want to choose one that’s free tier eligible, such as ami-1aad5273.)
ssh into the server:
ssh -i keyfile.pem ubuntu@ec2-hostname.amazonaws.com
Install vsftpd:
sudo apt-get install vsftpd
Create a new user:
sudo adduser newusername
Using the AWS Management Console, generate a new key pair for the third-party user.
Alternatively, on Linux you can generate the key pair yourself with the following command on your own local system (the original post used a 1024-bit DSA key; OpenSSH 7.0 and later no longer accept DSA keys for authentication by default, so an Ed25519 key is used here):
ssh-keygen -t ed25519 -f newusername
On the server, create the .ssh directory for the new user:
sudo mkdir /home/newusername/.ssh
Paste the public key into /home/newusername/.ssh/authorized_keys.
Set permissions:
sudo chmod 700 /home/newusername/.ssh
sudo chmod 600 /home/newusername/.ssh/authorized_keys
sudo chown -R newusername:newusername /home/newusername/.ssh
Test the new user’s sftp login from your local machine:
sftp -o IdentityFile=newkeypair1.pem newusername@ec2-hostname.amazonaws.com
Make a new group for users who should be limited to using only sftp:
sudo groupadd sftponly
sudo adduser newusername sftponly
Edit /etc/ssh/sshd_config and change the Subsystem line to:
Subsystem sftp internal-sftp
and add these lines to the end of /etc/ssh/sshd_config:
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Set permissions so that the user can only download, without clobbering the files needed for key-based authentication (sshd requires the chroot directory to be owned by root):
sudo chown root:root /home/newusername
To deny SSH shell access, run the following command:
sudo usermod -s /bin/false newusername
If you want to permit uploads instead, run the following two commands:
sudo chown newusername:newusername /home/newusername
sudo chown -R newusername:newusername /home/newusername/.ssh
sudo /etc/init.d/ssh restart
Now the new user can connect by sftp, but not by ssh. Place the files you want to share in /home/newusername, and share the key with the user or upload your files.
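As an added example, not part of the original post, here is a small POSIX sh audit script that checks the three things the steps above set up: the ownership and mode of the chroot directory, the Match block in sshd_config, and the user's login shell. It assumes GNU coreutils (stat -c) and the group name sftponly used above; the function names are my own.

```shell
# Added audit helpers (not from the original post) for an sftp-only chroot user.
# Assumes GNU coreutils (stat -c) and an sshd_config "Match group" block as above.

# chroot_dir_ok DIR [OWNER]: sshd refuses a ChrootDirectory that is not owned by
# root or that is group/world writable; this mirrors that check for DIR itself.
# OWNER defaults to root and is a parameter only so the check can run unprivileged.
chroot_dir_ok() {
  dir=$1; want=${2:-root}
  [ -d "$dir" ] || return 1
  [ "$(stat -c '%U' "$dir")" = "$want" ] || return 1
  # %A is "drwxr-xr-x": a 'w' in position 6 (group) or 9 (other) fails the check
  case "$(stat -c '%A' "$dir")" in ?????w*|????????w*) return 1 ;; esac
}

# match_block CONFIG GROUP: print the directives inside "Match group GROUP", up to
# the next Match line or end of file, skipping comments and blank lines.
match_block() {
  awk -v grp="$2" '
    tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
    inblk && NF && $1 !~ /^#/ { print }
  ' "$1"
}

# sftp_only_ok CONFIG GROUP: 0 when CONFIG routes sftp through internal-sftp and
# confines GROUP to a chroot with forwarding off; 1 if any directive is missing.
sftp_only_ok() {
  grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$1" || return 1
  blk=$(match_block "$1" "$2")
  for want in 'ChrootDirectory[[:space:]]+[^[:space:]]' 'ForceCommand[[:space:]]+internal-sftp' \
              'AllowTcpForwarding[[:space:]]+no' 'X11Forwarding[[:space:]]+no'; do
    printf '%s\n' "$blk" | grep -Eiq "^[[:space:]]*$want" || return 1
  done
}

# no_shell_ok PASSWD USER: 0 when USER's login shell in PASSWD (passwd(5) format)
# is /bin/false or a nologin binary, i.e. interactive ssh is denied.
no_shell_ok() {
  shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
  case "$shell" in /bin/false|*/nologin) return 0 ;; *) return 1 ;; esac
}

# audit_sftp_user USER [CONFIG] [PASSWD]: run all three checks against a live host.
# usage (as root): audit_sftp_user newusername
audit_sftp_user() {
  cfg=${2:-/etc/ssh/sshd_config}; pw=${3:-/etc/passwd}; rc=0
  chroot_dir_ok "/home/$1"     && echo "chroot dir  ok" || { echo "chroot dir  BAD"; rc=1; }
  sftp_only_ok "$cfg" sftponly && echo "sshd_config ok" || { echo "sshd_config BAD"; rc=1; }
  no_shell_ok "$pw" "$1"       && echo "login shell ok" || { echo "login shell BAD"; rc=1; }
  return $rc
}
```

Because sshd rejects a ChrootDirectory that is not root-owned, the upload variant above (chown of the whole home directory to the user) will fail the first check and the login itself; the usual pattern is to keep /home/newusername root-owned and give the user a writable subdirectory inside it.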