4.3 KiB
Overview
FluxSFTP is a regular SFTP server with the following additions:
- custom authentication (virtual users)
- jail directories i.e. limit users to a certain directory
SQLite, PostgreSQL and MYSQL are supported for the database, Authentication can be done either via public key or password, password authentication uses bcrypt hashing with the default cost i.e. 12
Installation
Start by downloading the tarball from the latest release from the releases, then extract the tarball as follows
sudo tar -xzvf flux-sftp.tar.gz -C /
Database
before you can run the server you need to setup a database, SQLite, PostgreSQL and MYSQL are supported. get a database server running or simply create a sqlite database file and configure the server as mentioned in the configuration section. the database table should have a username field, and optionally public key and password for authentication, you can use either one authentication type or both, up to you. the public key field should not store the comment of the public key in the database, and for the passoword it should be hashed using bcrypt with default cost of 12.
Note that registering users must be done manually by inserting records into the database as of now.
User setup
create a user named fluxsftp as follows
sudo useradd -r -s /usr/sbin/nologin fluxsftp
this user needs to own the jail directory, make sure to change ownership of the jail directory you have specified in the config
sudo chown -R fluxsftp:fluxsftp /srv/sftp
When you register a new user make sure to create a directory for them in the jail directory and make sure it is owned by the fluxsftp user
Server Key
generate a key for the server as follows
sudo ssh-keygen -t ed25519 -f /etc/flux-sftp/server_key
also make sure that the server's private key is owned by fluxsftp
sudo chown fluxsftp:fluxsftp /etc/flux-sftp/server_key
Enable and Start
after you have configured the database you can start the server as follows
sudo systemctl start flux-sftp
and if you want enable on startup
sudo systemctl enable flux-sftp
Configuration
The configuration file is located at /etc/flux-sftp/config.toml, here is the default configuration:
[general]
listen_address = "0.0.0.0"
port = 2222
jail_dir = "/srv/sftp"
private_key_file = "/etc/flux-sftp/server_key"
[database]
driver = "sqlite"
path = "/var/lib/flux-sftp/auth.db"
# host = "127.0.0.1"
# port = 3306
# user = "testuser"
# password = "testpass"
# dbname = "testdb"
table = "users"
username_field = "username"
public_key_field = "public_key"
# password_field = "password"
Options
general
listen_addressthe address that the server listens onportthe port that the server listens onjail_dirthe directory that the all the users will be jailed into, each user will be jailed to the directoryjail_dir/{username}, e.g. example_user will be jailed to/srv/sftp/example_userifjail_diris set to/srv/sftpprivate_key_filethe private key for the server, the server will use this to present its identity
database
driverwhich database to use, can besqlite,postgres,mysql. in case of sqlitepathoption must be specified and forpostgresandmysqlthe relevant options to connect to the database must be specifiedpathpath to sqlite db file, only specify if usingsqlitehosthost address for the database, only specify if usingpostgresormysqlportport the database server is running on, only specify if usingpostgresormysqluserdatabase user, only specify if usingpostgresormysqlpasswordpassword for the database user, only specify if usingpostgresormysqldbnamename of the database to use, only specify if usingpostgresormysqltablethe database table to query to get the hashed password or the public_keyusername_fieldname of the database column which stores the usernamepublic_key_fieldname of the database column which stores the public key, if this is not specifed this auth method will be disabled rejecting all requestspassword_fieldname of the database column which stores the hashed password, if this is not specifed this auth method will be disabled rejecting all requests