Setting up a SFTP Server on Windows

by Tom Mullaly on July 26, 2013

I recently had to create an SFTP server on our work development system, and after doing a fair bit of Googling on the topic found a good solution. The solution is a combination of research done at different sites. It is this solution that I am sharing in hopes that it will help someone else.

This tutorial will help you turn your Windows based system into a SecureFTP server.

Background

Secure Shell (SSH) is a program that lets you log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. When using ssh, the entire login session, including transmission of password, is encrypted and therefore is very secure.

You may have noticed that many webhosts allow ssh access. This means that you can login to their webserver and execute many UNIX commands (the ones they allow you access to) on your account. Not only can you connect to other computers that provide SSH access, but you can also allow others to connect to your computer using SSH.

To take this one step further, you can also turn your Windows PC into a Secure FTP (SFTP) server. SFTP is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in clear text over the Internet. It is similar to FTP, but because it uses a different protocol, you must use a FTP client that supports SFTP (more about that later).

Installing SSH on Windows

Most UNIX based systems (Linux and OSX) come with SSH preinstalled, so connecting to a remote host is very easy. However, if you run a Windows system, you need to download some additional software to make the SSH programs available to you. Fortunately, a free open-source project called SSHWindows provides a nice Windows installer that will set up the SSH client and server on your system.

Your first step will be to download the Binary Installer Release from SSHWindows. Once downloaded, run the installer and be sure to install both the client and server components.

Configure the SSH Server

In this next step, I have summarized the information from the readme.txt that is included with SSHWindows (it can be found in c:\program files\openssh\docs).

Your first configuration step is to set up the passwd file; no logins can take place until it exists.

Passwd creation is relatively easy and can be done using two programs that are included with SSHWindows – mkgroup and mkpasswd. Both of these programs are located in the c:\program files\openssh\bin directory.

To begin creating the group and passwd files, open a command prompt window and navigate to the c:\program files\openssh directory.

You must first create a group file. To add all local groups on your computer to the group file, type the command as shown below:

mkgroup -l >> ..\etc\group

You will now need to create a passwd file. Any users in the passwd file will be able to log on with SSH. For this reason, it is recommended that you add users individually with the -u switch. To add a user to the passwd file type the command shown below:

mkpasswd -l -u username >> ..\etc\passwd

NOTE: the username specified above must be an existing Windows login account.

Creating Home Directories for your Users

In the passwd file, you will notice that the user’s home directory is set as /home/username, with username being the name of the account. In the default install, the /home directory is set to the default profile directory for all users. This is usually c:\documents and settings.

If you want to change this location you will need to edit the passwd file. The passwd file is in plain text and can be edited in Notepad or any text editor. The last two entries for each user are safe to edit by hand. The second to last entry (/home/username) can be replaced with any other directory to act as that user’s home directory. It’s worth noting that when you run SSH on Windows, you are actually running SSH in a scaled down version of cygwin, which is a Unix emulator for Windows. So, if you will be placing the user somewhere outside the default directory for their Windows profile, you will need to use the cygdrive notation.

To access any folder on any drive letter, add /cygdrive/DRIVELETTER/ at the beginning of the folder path. As an example, to access the winnt\system32 directory on the c: drive you would use the path:

/cygdrive/c/winnt/system32
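As an added example (not part of the original article), the following Python helper does the two hand edits described above in a checked way: it converts a Windows path into cygdrive notation and rewrites only the home field of the matching passwd line, refusing malformed lines. It assumes the seven-field layout that mkpasswd writes (name:passwd:uid:gid:gecos:home:shell); the sample passwd content and its SIDs are constructed.

```python
from pathlib import PureWindowsPath

# Constructed sample of two lines as appended by "mkpasswd -l -u <user>":
# name:passwd:uid:gid:gecos:home:shell. The SIDs are placeholders.
SAMPLE_PASSWD = (
    "alice:unused_by_nt/2000/xp:1003:513:U-DEVBOX\\alice,S-1-5-21-0-0-0-1003:/home/alice:/bin/switch\n"
    "bob:unused_by_nt/2000/xp:1004:513:U-DEVBOX\\bob,S-1-5-21-0-0-0-1004:/home/bob:/bin/switch\n"
)


def to_cygdrive(win_path: str) -> str:
    """Translate an absolute Windows path such as C:\\winnt\\system32 into
    the /cygdrive/c/winnt/system32 form the cygwin-based sshd expects."""
    p = PureWindowsPath(win_path)
    # Require "X:\..."; UNC paths and drive-relative paths are rejected.
    if len(p.drive) != 2 or p.drive[1] != ":" or p.root != "\\":
        raise ValueError(f"need an absolute path with a drive letter: {win_path!r}")
    return "/cygdrive/" + p.drive[0].lower() + "".join("/" + s for s in p.parts[1:])


def set_home(passwd_text: str, username: str, win_path: str) -> str:
    """Return passwd_text with username's home field (6th of 7) replaced.
    uid, gid, the SID and the shell are left untouched."""
    new_home = to_cygdrive(win_path)
    out, found = [], False
    for line in passwd_text.splitlines():
        if not line.strip():            # keep blank lines as they are
            out.append(line)
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        if fields[0] == username:
            fields[5] = new_home
            found = True
        out.append(":".join(fields))
    if not found:
        raise KeyError(f"{username} is not in the passwd file; run mkpasswd first")
    return "\n".join(out) + "\n"


def home_of(passwd_text: str, username: str) -> str:
    """Look up the home field for username (used to verify the edit)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == username:
            return fields[5]
    raise KeyError(username)
```

Read c:\program files\openssh\etc\passwd, pass its contents through set_home, and write the result back; the other users' lines are emitted unchanged.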

Connecting to your SFTP Server

To connect to your new SFTP server, you will need to download an FTP client that supports SFTP. I use Filezilla, which is a nice free FTP and SFTP client. You might also try WinSCP, which is another free SFTP client. It is important that the server you want to connect to is running the SSH service.

To test whether your server is running, create a new connection in your client and specify SFTP as the server type, 22 as the port, and localhost or 127.0.0.1 as the server name. You will also need to provide the user account and password for an account that you added to your passwd file. Now connect to the server. If all went well, you should see a directory listing of the folder you set as that user's home directory. If not, there are a couple of things to check: make sure your Windows firewall is set to allow traffic over port 22, and double-check your passwd file to make sure that the account you added is actually there.
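As an added check for the troubleshooting steps above (not part of the original article), this Python snippet connects to the port and reads the server's SSH identification line. A refused connection points at an OpenSSH service that has not been started (a commenter below notes it is not running after install), a timeout suggests the firewall is dropping port 22, and a non-SSH reply means some other service owns the port. The host, port and timeout values are assumed defaults.

```python
import socket


def parse_ssh_banner(banner: bytes):
    """Split an identification string like 'SSH-2.0-<software>\\r\\n' (RFC 4253)
    into (protocol version, software). Returns None if it is not an SSH banner."""
    line = banner.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    parts = line.split("-", 2)
    if parts[0] != "SSH" or len(parts) < 3:
        return None
    return parts[1], parts[2]


def probe_ssh(host: str = "127.0.0.1", port: int = 22, timeout: float = 3.0):
    """Return (status, detail) for the SFTP endpoint:
    ("listening", (proto, software)) an SSH server answered on the port
    ("not-ssh", raw_bytes)           something else answered (wrong service on the port)
    ("refused", None)                nothing is listening: start the OpenSSH Server service
    ("timeout", None)                no reply at all: check the Windows firewall for port 22
    ("error", message)               any other socket failure (name resolution, route, ...)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(255)
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "timeout", None
    except OSError as exc:
        return "error", str(exc)
    parsed = parse_ssh_banner(data)
    return ("listening", parsed) if parsed else ("not-ssh", data)


if __name__ == "__main__":
    print(probe_ssh())
```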

Security

Because SSH grants access only to Windows user accounts, you can restrict what a user can reach with NTFS file permissions. Note that this SFTP setup does not provide chroot jails (a Unix method for locking a user to his/her home directory); instead, simply lock down your filesystem for that user, and SFTP will respect those permissions.

Summary

In the end, setting up an SFTP server turned out to be a very effortless task. With a couple of open source programs and a couple of command-line commands, you can be up and running in no time at all! Try this link for info on a free mail server on Windows.


ADDITIONAL READING:
1. Common SSH Commands
2. Open SSH


{ 112 comments }

Dan D.

Thank you kindly for this wonderful step-by-step howto. I second the earlier recommendation that you add a step which reminds users to start the service after following your instructions as it is not running by default.

Anita

Has anybody had luck installing/binding SFTP in a clustered environment? I have one virtual server cluster using two machines.

Samer B.

Steve & Anita, it works on clusters, and no luck involved here. Using the manual above, simply note the following:

- since you can’t use a domain account, create the same local account on each cluster node with the same password, and use it to create each passwd file.

Now, assuming the sftp directory is on a shared storage, for ex S:\SharedFtp, also note:

- add OpenSSHd service as a Generic Service resource in the cluster configuration in the same resource group as the shared storage disk and the virtual server IP, with proper dependency.
- assign proper NTFS permissions to the home directory S:\SharedFtp in EACH node for the local account created on that particular node. Also you should probably deny access to all other drives and folders outside this directory, in each node, for the ftp account created.

If you require clarification, just ask.

Daniel

Make sure you TURN OFF YOUR IIS FTP!

Michael

CopSSH was even easier to install and supports Vista… Customization options from this article carry over as well, e.g. changing the home directory in the passwd file.

Steve Rhoads

How do I run a transaction using a script file? I have tried the following with several variations to no avail.

sftp -b ScriptFile hostname

contents of ScriptFile:
user username_password
ls
quit

ShellDude

If you can read, you can successfully install Openssh with this guide. Sickeningly simple install with vast possibilities from an administration perspective.

ShellDude

Steve,

Try using a shellexec tool like plink (it’s part of the putty suite)

SteveC

Regarding restricting a user to a directory like WuFTP does, get openssh-chroot and use a UNIX / Linux box for sftp.

The requirement that you are looking for is called “change root”. WuFTP and openssh-chroot use the same scheme to tell the application to change root the user to their login directory or a parent directory that is part of the home directory path.

In the /etc/passwd file, for the home directory path, an administrator simply adds /./ to the path for the home directory at the point that the user is to be change rooted to. Example:

mysql:*:74:74:MySQL Server:/var/empty/./:/usr/bin/sh

Note the /./ after empty. When a user then uses the unix pwd command after logging in, they will not see /var/empty as their directory path, but / only; thus performing a cd .. will not move their path to /var, they will remain at /var/empty, but the system will not report this path to the user. Any subdirectories under empty will be accessible, but only if the directory permissions allow. If the user's login directory is /export/home/thomas, an administrator could enter /export/home/./thomas. When the user logs in and performs a pwd, they will get /thomas as their directory path.

Using change root (chroot) is a great way to restrict user access to the contents of a computer system. The gotcha: when a user is running in a change rooted environment, they cannot access other parts of the system. This means that in order for them to perform minimal functions, you must create an OS type of environment by replicating at the /./ directory level the minimum library and executable files for the user to be able to function on the system, else chances are they will not be able to log into their change rooted account.

For an sftp environment, I would also include the sftpsh shell script. This will disallow users from using ssh or scp to log onto the server if you are trying to restrict the user to sftp only. In the above account example, instead of /usr/bin/sh for the shell, you would change this to /usr/bin/sftpsh.

Jason

Thanks, this made installing Open SSH considerably easier. I thought it would take a lot longer, but I was up in minutes thanks to your instructions.

Thanks!

mark

Thanks! The instructions worked OK on Windows 2003 but only when I installed openssh into directory without _SPACES_.

Chris

I installed this on Windows Server 2003. I followed the instructions at the top but got the error (after connecting!):

Fatal: unable to initialise SFTP on server

To solve it, I had to use the domain options:

mkgroup -d >> ..\etc\group
mkpasswd -l -d -u username >> ..\etc\passwd

and then restart the ‘OpenSSH Server’ service.

Hope this helps someone..
