- Configure a private DNS server in Docker - Fri, Mar 24 2023
- Store secrets in AWS Secrets Manager - Fri, Mar 17 2023
- Install Windows 10 / 11 22H2 without Microsoft account - Tue, Feb 28 2023
FTPS vs. SFTP
The File Transfer Protocol (FTP) is no longer considered safe for use as it lacks the ability to encrypt data while it is in transit. If you still use FTP over a traditional FTP port number (TCP 21), all your data and commands are transmitted in clear text. Anyone can intercept this server–client communication, which is a big security concern as per modern IT standards. Two alternatives to FTP exist:
- FTPS (FTP over SSL/TLS)—This method is just like the traditional FTP with the added support of a TLS certificate to offer encryption.
- SFTP (FTP over SSH)—This method uses SSH for transferring files, which encrypts the communication by default.
Although both can serve the purpose of transferring files, they are totally different by design. FTPS is not very firewall friendly and is difficult to configure. Thus, I will focus on SFTP in this post.
I am using two VMs in a lab environment for this demo:
- Windows Server 2022—This will work as an OpenSSH server.
- Windows 10—This will work as a client.
I have also installed the FileZilla FTP client in a Windows 10 VM, which will connect to the OpenSSH server using the SFTP protocol. Of course, you can use WinSCP or any other FTP client that supports the SFTP protocol.
Install and configure the SFTP server.
First, log in to Windows Server VM and enable the optional OpenSSH feature. To do so, launch an elevated PowerShell console, and run the following command:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Installing an OpenSSH server in Windows using PowerShell
The installation was successful if the output includes Online : True. The command will automatically configure the required firewall rule, so there is nothing you need to do manually.
Now use the following command to change the startup mode of the OpenSSH server service (sshd) to automatic and start it at the same time:
Get-Service -Name "sshd" | Set-Service -Startup "Automatic" -PassThru | Start-Service -PassThru
Change the service start mode and start the service using PowerShell
You can see that the service is now running. The main configuration file of the OpenSSH server on Windows is %ProgramData%\ssh\sshd_config, but Windows can also read the configuration from the user profile (%UserProfile%\.ssh\config) if available. Furthermore, it allows you to specify a custom configuration file using the -f switch (e.g., sshd.exe -f "c:\users\administrator\.ssh\custom_config").
Custom SSH port [optional]
By default, the OpenSSH server listens on TCP Port 22. But you can change the port to something else by running the following PS command:
(Get-Content "C:\ProgramData\ssh\sshd_config").replace("#Port 22", "Port 2223") | Set-Content "C:\ProgramData\ssh\sshd_config"
Restart-Service "sshd"
Changing the OpenSSH server port on Windows using PowerShell
The first command replaces the port number with the one you specify in the system-wide configuration file (%ProgramData%\ssh\sshd_config), and the second command restarts the service. The following command can be used to make sure the server is now listening on a new port number:
Get-NetTCPConnection -LocalPort 2223 | select Local*, State,`
@{n="ProcessName";e={(Get-Process -Id $_.OwningProcess).ProcessName}},`
@{n="ProcessPath";e={(Get-Process -Id $_.OwningProcess).Path}} | ft -Auto
Verify the custom port of the OpenSSH server using PowerShell
You can see that the OpenSSH server is now listening on Port 2223.
Allow or deny connections
The OpenSSH server in Windows also lets you control which users or groups are allowed to connect to the server (or denied a connection) using SFTP (and SSH). To do so, you can add the following directives to the configuration file:
- DenyUsers
- AllowUsers
- DenyGroups
- AllowGroups
Note that these directives are processed in the same order as written. By default, the OpenSSH server will allow every local or domain user to connect, but if you want to allow (or deny) a particular user or group, specify that in the configuration file, as shown in this line of code:
AllowGroups testlab\developers testlab\ssh_admins
Remember, these allow or deny directives must come before the Match Group administrators directive, as pointed out in the screenshot; otherwise, it won't work as expected.
Using the SSH configuration file to allow or deny users and groups
Adding the above line inside the SSH configuration file will allow the members of the developers and ssh_admins groups in the TestLab domain to connect, while denying everyone else. It is recommended to specify the account names in lowercase only. Furthermore, to specify a domain account in UPN format, you must replace the @ character with ? to avoid any conflicts with regular Linux patterns. For example, to specify user@domain.com with an allow or deny directive, you must type it as user?domain*.
Connect to OpenSSH server using SFTP
The OpenSSH server is now set to accept connections from the client. Head over to your Windows 10 machine, launch FileZilla, and make a connection to the server with the settings shown in the screenshot.
Connecting to the SFTP server using the FileZilla FTP client
Make sure the protocol SFTP – SSH File Transfer Protocol and the correct SSH server port are specified. When you connect for the first time, you will see an Unknown host key warning. Click OK to trust the host and continue connecting.
The servers host key is unknown. You have no guarantee that the server is the computer you think it is.
You will now be connected to the server using the SFTP protocol, and you can start transferring files.
Using FileZilla client with the SFTP protocol to transfer files
Change the default SFTP directory
By default, you will land in your user profile directory when you connect to the server. However, you can specify a custom directory in the sshd_config file to change the default root directory for SFTP. To do so, open the C:\ProgramData\ssh\sshd_config file on the server in any text editor, and add the following line:
ChrootDirectory "C:\inetpub\wwwroot"
See the following screenshot for reference:
Change the default SFTP root directory in Windows
Restart the sshd service after making this change, and reconnect the server. You will now land in the specified directory (C:\inetpub\wwwroot). This is particularly useful on web servers, where you want users to land directly inside the website's root directory instead of their home directory.
FileZilla FTP client connecting to a predefined root directory in Windows
There are many other settings supported by the OpenSSH server, but covering everything is beyond the scope of this article.
Troubleshooting SFTP connections
If you run into any issues while working with OpenSSH server, you can always view the event logs under Applications and Services Logs OpenSSH, as shown in the following screenshot:
Viewing event logs related to OpenSSH in Windows
The OpenSSH server also supports file-based logging, so if you're interested in that, add the following lines to the SSH configuration file and restart the sshd service.
SyslogFacility LOCAL0 LogLevel Debug3
Enabling file based debug logging using the OpenSSH configuration file
Once you do this, you will be able to view the debug logs in the %ProgramData%\ssh\logs directory. As you can see in the following screenshot, the debug log showed that the user test\john wasn't able to connect to the server because they are not a member of any group specified in the AllowGroups directive.
Subscribe to 4sysops newsletter!
Viewing OpenSSH debug logs to troubleshoot problems
The procedure described here also allows you to connect to a Windows system using the SSH shell, which means that users who can connect using SFTP can also connect using any SSH client (like putty) and run commands. This is why it is very important to allow only a limited number of groups containing trusted people. I hope this guide helped you get started with SFTP as a safer alternative to an FTP server on Windows.
Excellent guide. Thank you. We’re having challenges enabling key based authentication for AD accounts. Do you have any steps to make that work?