I recently got stuck on an odd problem.

My friend hired a designer to work on a web site for his company. He asked my recommendation about a tool to allow web designer perform secure file transfers so that he can update web site. Since he's hosting on Windows 2003, my immediate recommendation was to enable webdav, which he did and the good old "Open as web folder" trick worked fine. Web desiner, however, wasn't so lucky. He worked on Vista, and they removed "Open as web folder" option from IE, also made it excruciatingly hard to use webdav in general. Another issue there was that the sire certificate expired, and all other 3rd party webdav solutions I tried didn't let me ignore that fact, so it rendered webdav to be not a good method in general for file transfer to give to outside contractors

I assume, noone would consider traditional FTP, since it's inherently unsecure, and requires 2 ports, which is a pin in the ass to begin with

I also evaluated SCP/SFTP, which are based on ssh. Those are good, but without chroot jail they give access to the whole file system. This was true for linux, but same appeared to be true for cygwin-based openssh installations.

Last thing I tried was FileZilla. Being pretty advanced FTP server, it apparently offers no SCP/SFTP server functionality. It allows FTP over SSH, but for that you need to buy certificate again. Or generate yours, but then you must compel your contractor to trust your root, not secure option again

I guess we're coming to a question - what tool do the people around use for their web hosting contractors (windows or linux) to allow controled, secure file transfer?

+1  A: 

SFTP and SCP only give access to the entire system if that user has access to the entire system. Did you give him his own account or are you letting him login as root?

I would give the developer his own account on the box in question, then set his permissions according to what he needed to do.


grieve, thanks for comment. I do realize that there is a way to limit developer's access, but it requires some in-depth knowledge, and a little mistake will render whole setup insecure. SSH at a minimum does require user to have read access to ssh binaries and necessary libraries, as well as temporary directory, etc.

The paradigm I wanted to follow is: only allow developer access to the web share. Understandably, the SFTP/SCP server piece, spawned on the web server itself will need above mentioned access to /bin, /tmp and thers, but it doesn't necessarily has to pass this to the client. It will leave us with "what if sftp gets hacked" issue, but this I could deal with.

The user doesn't need direct access to the ssh binary. The deamon sshd is run under root, and only allows the user to login to the machine. Once they are logged in they will only have access to what is normally allowed them. Mistakes can give them more access, but errors in any of the choices can.
@galets - you should comment on an answer rather than add a new answer. These answers can get reordered as they're voted up/down whereas comments stay attached to the answer
+1  A: 

I am sorry, but I don't understand what the problem is with creating a user, changing their shell, and granting them only SFTP access on the system. I've done that in the past to allow web developers access ONLY to upload files on the system, and it has worked spotlessly. On Windows, I tend to use WinSCP to upload files via SFTP (it can also do normal FTP, and SCP).


ayaz, my point was (and the URL you provided confirms that):

Re: How to restrict users to SFTP only instead of SSH Posted by Anonymous (128.208.xx.xx) on Mon 17 Sep 2007 at 21:16
None of these solutions prevent a guest sftp user from traversing the filesystem outside of their home directory. For that, you'll need some method of chrooting the sftp-server to some directory (maybe the guest user's home directory).