Setting up an SFTP Server on Windows

by Tom Mullaly on July 26, 2013

I recently had to create an SFTP server on our work development system, and after doing a fair bit of Googling on the topic found a good solution. The solution is a combination of research done at different sites. It is this solution that I am sharing in hopes that it will help someone else.

This tutorial will help you turn your Windows-based system into a Secure FTP server.

Background

Secure Shell (SSH) is a program that lets you log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. When using ssh, the entire login session, including transmission of password, is encrypted and therefore is very secure.

You may have noticed that many webhosts allow SSH access. This means that you can log in to their webserver and execute many UNIX commands (the ones they allow you access to) on your account. Not only can you connect to other computers that provide SSH access, but you can also allow others to connect to your computer using SSH.

To take this one step further, you can also turn your Windows PC into a Secure FTP (SFTP) server. SFTP is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in clear text over the Internet. It is similar to FTP, but because it uses a different protocol, you must use an FTP client that supports SFTP (more about that later).

Installing SSH on Windows

Most UNIX-based systems (Linux and OSX) come with SSH preinstalled, so connecting to a remote host is very easy. However, if you run a Windows system, you need to download some additional software to make the SSH programs available to you. Fortunately, a free open-source project called SSHWindows provides a nice Windows installer that will set up the SSH client and server on your system.

Your first step will be to download the Binary Installer Release from SSHWindows. Once downloaded, run the installer and be sure to install both the client and server components.

Configure the SSH Server

In this next step, I have summarized the information in the readme.txt that is included with SSHWindows (it can be found in c:\program files\openssh\docs).

Your first configuration step is to set up the passwd file. You will need to set up the passwd file before any logins can take place.

Passwd creation is relatively easy and can be done using two programs that are included with SSHWindows – mkgroup and mkpasswd. Both of these programs are located in the c:\program files\openssh\bin directory.

To begin creating the group and passwd files, open a command prompt window and navigate to the c:\program files\openssh directory.

You must first create a group file. To add all local groups on your computer to the group file, type the command as shown below:

mkgroup -l >> ..\etc\group

You will now need to create a passwd file. Any users in the passwd file will be able to log on with SSH. For this reason, it is recommended that you add users individually with the -u switch. To add a user to the passwd file type the command shown below:

mkpasswd -l -u username >> ..\etc\passwd

NOTE: the username specified above must be an existing Windows login account.

Creating Home Directories for your Users

In the passwd file, you will notice that the user’s home directory is set as /home/username, with username being the name of the account. In the default install, the /home directory is set to the default profile directory for all users. This is usually c:\documents and settings.

If you want to change this location you will need to edit the passwd file. The passwd file is in plain text and can be edited in Notepad or any text editor. The last two entries for each user are safe to edit by hand. The second to last entry (/home/username) can be replaced with any other directory to act as that user’s home directory. It’s worth noting that when you run SSH on Windows, you are actually running SSH in a scaled down version of Cygwin, which is a Unix emulator for Windows. So, if you will be placing the user somewhere outside the default directory for their Windows profile, you will need to use the cygdrive notation.

To access any folder on any drive letter, add /cygdrive/DRIVELETTER/ at the beginning of the folder path. As an example, to access the winnt\system32 directory on the c: drive you would use the path:

/cygdrive/c/winnt/system32

Connecting to your SFTP Server

To connect to your new SFTP server, you will need to download an FTP client that supports SFTP. I use FileZilla, which is a nice free FTP and SFTP client. You might also try WinSCP, which is another free SFTP client. It is important that the server you want to connect to is running SSH.

To test if your server is running, create a new connection in your client and specify SFTP as the server type, 22 as the port, and localhost or 127.0.0.1 as the server name. You will also need to provide the user account and password for any account that you added to your passwd file. Now connect to the server. If all went well, you should see a directory listing of the folder you set as the home directory. If not, there are a couple of things to check. Make sure your Windows firewall is set to allow traffic over port 22, and finally double check your passwd file to make sure that the account you added is actually there.

Security

Because SSH allows access only to Windows user accounts, you can restrict access based upon NTFS file permissions. SFTP here does not provide for chroot jails (a Unix method for locking a user to his/her home directory), so the home directory is only where a session starts. Simply lock down your filesystem for that user, and SFTP will respect that.
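The passwd file decides who can log in and where each session starts, and NTFS permissions are the only containment, so it helps to review the two together. The following Python audit is an added example, not code from the original post or from SSHWindows: it lists every account in a passwd file, translates cygdrive home paths to Windows paths, and flags homes that fall outside a root you choose. The sample entries, the D:\sftp root and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample in the seven-field layout name:pw:uid:gid:comment:home:shell.
# Field values are illustrative, not real mkpasswd output.
SAMPLE_PASSWD = """\
alice:unused:1003:513:constructed:/home/alice:/bin/sh
bob:unused:1004:513:constructed:/cygdrive/d/sftp/bob:/bin/sh
carol:unused:1005:513:constructed:/cygdrive/c/winnt/system32:/bin/sh
dave:unused:1006:513:constructed:/cygdrive/d/sftp/../secret:/bin/sh
erin:unused:1007:513:/cygdrive/e/public
"""

CYGDRIVE = re.compile(r"^/cygdrive/([A-Za-z])(?:/(.*))?$")


def cygdrive_to_windows(path):
    """Map /cygdrive/X/dir to X:\\dir; return None for any other notation."""
    m = CYGDRIVE.match(path)
    if m is None:
        return None
    rest = (m.group(2) or "").replace("/", "\\")
    # normpath collapses ".." so containment is checked on the real target.
    return ntpath.normpath(m.group(1).upper() + ":\\" + rest)


def audit_passwd(text, allowed_root):
    """Return (accounts, errors) for a passwd file.

    accounts: (user, windows_home or None, status) per login-capable entry.
    errors:   (line_number, message) for lines that do not have 7 fields.
    """
    root = ntpath.normcase(ntpath.normpath(allowed_root)).rstrip("\\")
    accounts, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            errors.append((n, "expected 7 fields, found %d" % len(fields)))
            continue
        user, home = fields[0], fields[5]
        win = cygdrive_to_windows(home)
        if win is None:
            # e.g. /home/username: resolved by the Cygwin mount, not here.
            status = "via-mount"
        else:
            low = ntpath.normcase(win)
            inside = low == root or low.startswith(root + "\\")
            status = "ok" if inside else "outside-root"
        accounts.append((user, win, status))
    return accounts, errors


if __name__ == "__main__":
    accounts, errors = audit_passwd(SAMPLE_PASSWD, r"D:\sftp")
    for user, win, status in accounts:
        print("%-6s %-13s %s" % (user, status, win or "(via /home mount)"))
    for n, msg in errors:
        print("line %d: %s" % (n, msg))
```

Each Windows path in the output is a directory whose NTFS permissions should be reviewed for that account; an "ok" status only means the starting directory is under the chosen root, not that the account is confined to it.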

Summary

In the end, setting up an SFTP server turned out to be a very effortless task. With a couple of open source programs and a couple of command-line commands, you can be up and running in no time at all!


{ 112 comments }

RJ45

Thank you, I followed the instructions and it worked for me.

tkc

I'm unable to change the default directory; it defaults to c:/program files/openssh.

Cygwin doesn't work for some reason.

ben

What a great guide that people are still finding a use for 2 years after it was written. Totally easy to set up for someone with average server admin experience.

Vic

So far I finished reading the readme file and the quick guide, and I am having some problems getting OpenSSH to work properly:

1) When I am typing mkgroup -l >> ..\etc\passwd I get this message “A domain name is only accepted when -d is given”
Can anyone tell me how do I solve this problem? I typed mkgroup -l and it was able to retrieve the local groups, but I cannot find the group file

2) Also is there a way that I can only specify just “one” group to be added to the group file instead of having “all” the local groups being copied to the mkgroup file?

Any help is greatly appreciated. Thank You

joe

Guys,
I am stuck in the cygwin1.dll, any idea?

Jamal

I am running SSH on Windows 2003 Server. Thanks for your instructions which helped me a lot.

I would like to block some users only to use SFTP (not SSH). And would like to restrict them to a directory C:\Upload and its sub directories. I would like to block them to view even C:\(even \home, \home\user).

Thanks in Advance.

Pianelli

Having trouble to install the SFTP-Server on Windows. Can anybody help me?

Sofort Kredit

Hi Pianelli, I will try to assist you, it's not that hard!

jaysonf

Is there a way I can limit a specific user's downloads to a specified number of times?

Ted

FYI, I had to uninstall File and Printer Sharing on the client system before it would work for me.

Go to Control Panel, right click on the connection you are using, and go to Properties. Select the File and Printer Sharing item and click Uninstall.

Floyd Schleyhahn

I just installed your product. However, I am able to connect to it via FileZilla but nothing happens when I try to upload a file to it. Also, is there a way to modify the welcome banner?

Thanks

Floyd Schleyhahn

I should re-phrase what I just submitted–I don’t think I am getting connected:
Status: Connected with BRES_Intranet:22. Waiting for welcome message…
Response: SSH-2.0-OpenSSH_3.8.1p1

Terry

I’m able to connect using ssh however, I can not change my home directory.

I’ve changed the reg default location and the password location and it still only takes me to the root of the ssh program.

Ricky

Great job man, figuring out the semantics for all those little details can be time consuming. Thank you!

Kumar

Thank you so very much. This was really helpful. Excellent narration. It worked on the first try itself.

Beardo

Anyone else tried this on vista x64? Thoughts would be appreciated but I’m guessing it’s terminal until a compatible version is released.

The opensshd service remains ‘starting’. It times out with error 1053 – did not respond in a timely manner.

Event viewer showing:-

Log Name: Application
Source: Application Error
Date: 03/06/2007 11:36:35
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: captaincaveman
Description:
Faulting application cygrunsrv.exe, version 0.0.0.0, time stamp 0x40826252, faulting module cygwin1.dll, version 1005.10.0.0, time stamp 0x40b3fbf6, exception code 0xc0000005, fault offset 0x00092802, process id 0x139c, application start time 0x01c7a5cb0f25a2df.

Daniel

I have tried and tried but I can’t get this to work.

It installs and seems to configure properly.
I can connect (I get the connection message), but it will not authenticate.
I then tried another commercial SFTP server on trial and I get the same thing!

I’ve spent hours and hours on this but I can’t figure out what’s wrong.

Please help!

Dave

Installed and configured OpenSSH on Windows 2003 SBS server, works well from inside and outside access but with an issue.

Issues:
used /cygdrive/E/public on passwd file to point to the users public folders but it does not work. All users login defaults to the c:\program files\openssh\etc folder.

Any idea on how I could fix the issue?

Many Thanks!

Dave

Nevermind! I fixed it!

Thank you for a great blog.

Dave…

Kiki

Dave,

How were you able to fix the issue of login defaulting to the “c:\program files\openssh\etc” folder and not being able to change directory from there? I’m having the same issue. Please help…

Debbie

Followed instructions, service does not install or start.
Password file and group file created, no problem.
I do not see any solutions for my problem in the blog.
Any ideas?

Blackholesun

Hi Beardo,

Were you able to successfully install and run OpenSSH server on Windows Vista? I am facing the same issue, the service simply won’t start. I have tried it on Windows Vista Business and Windows Vista Enterprise Editions (32-bit), but no luck

I was able to start the service on Vista by starting the service in XP Compatibility mode, but I was not able to connect to it then. Though the services window shows it as started but nothing happens, no connection, no authentication just nothing.

Please let me know if you have (or someone else) any solution to this issue. I desperately need it to run on Vista since my application is dependent on it.

Regards

Mac

Once I log in, it goes to c:\program files\openssh\etc folder. Is there a way that I can force it to be another default directory?

Mac

Found the answer to my own question. If you have the username as the folder name in your ‘Documents and Settings’ folder, then it will go into that folder. If it can’t find that folder with that username, then it will default to the ‘c:\program files\openssh\etc’ folder.

Will

I’m getting an ‘Access Denied’ response when I try to change the Password & Group files. Respectively, I get the same issue when I try to connect ‘Authentication Failed.’ Someone help.

dipak

Thanks... it was great. I was able to create my SFTP server, but one problem: how to restrict the user to one directory so that he can’t browse the root directory? Please help me.

Marcel

I have Problems to install the SFTP-Server on Mac. Can anybody help me?

Tim

I am not able to change the directory path. I edited the passwd file to /cygdrive/h/web and still getting into the openssh directory when I connect. Any help would be appreciated. Thanks!

Will

Any ideas on why I get an “Access Denied” response when trying to login or change passwd/Group files?

———————————————

Will said on July 10th, 2007 at 4:26 pm
I’m getting an ‘Access Denied’ response when I try to change the Password & Group files. Respectively, I get the same issue when I try to connect ‘Authentication Failed.’ Someone help.

dumdum31

LOL. Just use FileZilla server app. It supports setting up a SFTP Server. And it's a point-click process. Alternatively, you could use Serv-U FTP server. They are both excellent free FTP – SFTP server apps.

dumdum31

dumdum31,

Don’t know what your definition of “free” is, but Serv-U definitely is not. It’s a commercial program with a 30-day trial demo. Hardly “free.”

Bill Nelson

Cannot connect from remote PC unless, and this is odd, unless the remote PC is connected by telephone modem to anyone else. I tried from one remote PC, in house, to the server, can’t connect. Dialed a customer’s modem with the remote PC, connected, was able to establish the SFTP connection to the server from the remote. ??

CoreyH

Just wanted to thank you for the instructions. Worked like a charm!

CoreyH

Jim Ciallella

I wasn’t able to get the Windows share drive to work by using either the /cygdrive/F syntax or by changing the Windows registry key HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home to a drive letter path like F:\, as one would think from the Readme.txt

Instead open the Windows Registry Editor by typing regedit in the Start->Run box.

Then browse to the key HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home
You can now double-click the “native” value and change it to something like \\servername\foldername . This is the same path you’d enter when creating a Windows share drive. Once you’ve done this be sure to close any existing SFTP or SSH connections and then reconnect and try to visit /home.

(NOTE: do not type the double-quotes, they are included only for clarification)

You can also create new alias by adding another key to the Windows registry under \mounts v2\ Right-click on \mounts v2\ and select New->Key. Name the key something you want, like “\sharepath” Highlight the new “\sharepath” key. Right-click on it and select New->Dword. Name it “flags”. Double-click “flags” and enter the value “a”. Right-click on “sharepath” and select New->String. Name this “native”. Double-click the “native” value and enter the path you want, this can be anything like “C:\Somefolder” or “\\somecomputer\somefolder”

Jim Ciallella

Clarification. Any new registry keys would have to be of the form “/sharepath” (notice the frontslash, not a backslash as I wrote above). Again, the quotes should not be typed.

Chan

How do I set up locks using ACLs

Matt

To those who receive this type of message:

Status: Connected with BRES_Intranet:22. Waiting for welcome message…
Response: SSH-2.0-OpenSSH_3.8.1p1

This happens when you only specify the port, not the protocol, when making the connection. If you are using FileZilla, instead of using a quick connection, you need to create a new connection and indicate the type as SFTP. In FileZilla do the following:

File
Site Manager…
New Site (name it something) then in the Site Details:

host name = yoursite
port = 22
Servertype: SFTP using SSH2
Logontype: Normal supply the credentials you setup earlier.

Save and Exit.

Now on the main screen, click the new site to connect to (icon below File & Edit)

*profit*

Matt

Can someone help with the proper way to indicate a home folder where the folder name has a space in it?

example:

C:\NEW FOLDER\TEST = /cygdrive/c/NEW FOLDER/TEST:

the above does not work.

Lukas

Thanks for your instructions.
It works fine.

Best regards.
Lukas

Karl Kani

Thank you for this useful tutorial!

Greetz Karl

ck

I am having a hard time starting the service on Vista Ultimate. I get the following errors.

‘Error 1067 : The process terminated unexpectedly’
and Vista alerts saying
‘cygrunsrv.exe’ has stopped working.

Service is configured to run under ‘Local System’.

I tried changing service logon user to ‘Administrator’, still doesn’t work.

I appreciate any help

Thanks
CK

Bas

Works fine! Thanks!
The only thing you haven’t mentioned is that at the end user should run “net start opensshd” to start SFTP server.
Cheers

adam

I see you can make it just do the SSH shell and not SFTP. Can you do the reverse? Just give user SFTP access!

Excellent program, so easy to configure :)

Benji

I was having authentication issues and I finally figured it out. My account name had a space in it, i.e. John Smith. To properly add the user to the passwd file I had to do:

mkpasswd -l -u "Benji Park" >> ..\etc\passwd

Then in winscp set username to Benji Park (no quotes) and I logged in fine.

When I tried to add the user without the quotes I would get the “A domain name is only accepted when `-d’ is given” error. To know what the name of your account is you can find it by right clicking on “My Computer” and selecting “manage”. Navigate to “Local Users and Groups” then “Users”. You will see “name” and “full name” for accounts. For openssh “name” is the only thing to pay attention to.

Hope this helps someone.

Dimitry

For those of you that are interested in locking down the shell and only allowing scp and sftp, there is an easy solution. Just disable all access to cmd.exe, for the account that is being used to log into the ssh/sftp/scp. This file is in the system32 folder.

Brian

Worked well for me. If you are forwarding a port through your router, make sure that you are forwarding from “all” ports to port 22 using TCP. You can’t go from 22 to 22 only. Not sure why this is the case.

Ahmed Waqas

Hi,

very good doc

Dwayne

I’m having OpenSSH problems. With putty, I’m attempting to log in with the username that I use for my PC and get a return of “Access Denied”.

How do I ensure I have my passwd set up correctly? When I attempted to properly add my username to the passwd file in cmd, it returned that the user name could not be found.

Can anyone assist?

ttest

Follow the video instruction above. User account is the Windows account you have or will need to set up. Before using the SFTP client program, turn on the OpenSSH service by starting it. Account/username is the username you created using the command earlier. Password is the Windows user account password under that username.

If you were able to connect locally and not remotely, it could be the firewall. Go to Network Connections -> local area connection -> Advanced -> Setting -> Exception tab -> Add port 22.

Steve

We want to run an SFTP server on a Windows 2003 Enterprise Edition in CLUSTER! Does anyone know which application can be installed in a cluster environment to offer SFTP? Thanks. Steve
