SFTP access from a page on HTTPS site

I intend to embed an SFTP server into a web page on an HTTPS site. The HTTPS site acts as an ordering portal (essentially I have just set it up as a private eCommerce site).

I currently use a SolarWinds SFTP server with the desktop client to access files on each end. Is it possible to have a page on the website act as an access point to the SFTP server, where individuals can log in, upload and download files? Additionally, how would I go about completing this?

The files to be transferred are considered protected, therefore SFTP is the only non-paper method of transfer accepted by the recipient.

SFTP server with storage encryption

I’m looking for an unusual solution that uses an SFTP server for data transfer, but said SFTP server should also act as an encryption proxy, i.e. all the data it stores on the server side should be encrypted. Although I could use host (OS-wide) encryption, it is not going to be effective at runtime if the hoster I use decides to peek at it or is forced to by a 3rd party or crappy government.

I did some googling but the only thing I found was https://github.com/libfuse/sshfs. The problem is I don’t want any custom clients; I want to hide ANY implementation from the client. It should be just your basic SFTP you can use anywhere, even on your microwave, let alone a phone or notebook.

This variant, https://serverfault.com/questions/887167/sftp-with-data-encryption-at-rest, seems usable, but again, at runtime it only protects against other normal users (which I don’t have).
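The storage layer such a server would need, written as an added example (not code from the post or from any of the projects it links): the SFTP front end stays a stock implementation, and only the backend it reads and writes files through is replaced by a layer that seals every object before it touches disk and verifies it before handing plaintext back. Python's standard library has no AES, so the example builds authenticated encryption from HMAC-SHA256 (a keystream from HMAC in counter mode, then an encrypt-then-MAC tag); a production build would swap in AES-GCM or ChaCha20-Poly1305 from a vetted library. The dict standing in for the disk, the file names and the master key are all constructed for the demo.

```python
"""Encrypting storage layer behind an SFTP-style file service (added example).

Assumed design: the SFTP subsystem calls EncryptedStore.put/get, so clients
still speak plain SFTP and never see a custom protocol. The master key is
supplied at process start and lives only in memory; that is exactly the
runtime exposure the post worries about, since an operator who can read the
process memory can still recover it.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
BLOCK = 32  # one HMAC-SHA256 output per keystream block


def derive_subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Split the master key into independent encryption and MAC keys."""
    enc = hmac.new(master_key, b"sftp-at-rest/enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"sftp-at-rest/mac", hashlib.sha256).digest()
    return enc, mac


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(enc_key, nonce || counter) blocks (counter mode)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[i:i + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(master_key: bytes, name: str, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The file name is bound into the tag,
    so a sealed object cannot be silently moved under another name."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, name.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master_key: bytes, name: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on any tampering."""
    enc_key, mac_key = derive_subkeys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("stored object too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, name.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: object modified or wrong key")
    return keystream_xor(enc_key, nonce, ct)


class EncryptedStore:
    """put/get see plaintext; the backing store (a dict standing in for a
    directory on the hoster's disk) only ever holds sealed blobs."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._disk: dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        self._disk[name] = seal(self._key, name, data)

    def get(self, name: str) -> bytes:
        return open_sealed(self._key, name, self._disk[name])

    def raw(self, name: str) -> bytes:
        """What someone reading the backing storage directly would see."""
        return self._disk[name]


def demo() -> dict[str, bool]:
    key = os.urandom(32)  # constructed; in practice loaded from outside the host
    store = EncryptedStore(key)
    store.put("invoice.pdf", b"%PDF-1.4 customer data")
    results = {
        "roundtrip": store.get("invoice.pdf") == b"%PDF-1.4 customer data",
        "disk_is_ciphertext": b"customer" not in store.raw("invoice.pdf"),
    }
    # Flipping one ciphertext byte on disk is caught before any decryption.
    blob = bytearray(store.raw("invoice.pdf"))
    blob[NONCE_LEN] ^= 0x01
    try:
        open_sealed(key, "invoice.pdf", bytes(blob))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    # Re-labelling the blob as a different file is rejected as well.
    try:
        open_sealed(key, "other.pdf", store.raw("invoice.pdf"))
        results["rename_detected"] = False
    except ValueError:
        results["rename_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The part this layer cannot solve is the one the post singles out: whoever controls the host at runtime can read the key out of the process, so encryption at rest only moves the problem from the disk to the process memory unless the key is held somewhere the hoster cannot reach.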

How does WP do auto-updates with SFTP?

Basically, I don’t understand ‘who does what’ in an auto-update, and why wp-config.php requires a private key on the server (as FTP_PRIKEY) – could somebody please fill in the details for me?

Background – I’m implementing auto-update on an old bare-metal site. I’ve set up sftp on the server, and I’ve tested it from a (Linux) client, and it works. On the client, I generated a public/private key pair, in the usual place (~/.ssh). I then copied the client’s public key to the server. Everything now works when I run the sftp program on the client – I can ‘log in’ to the server, I can see the WordPress files and directories on the server, and so on. Note, of course, that the server only needed the client’s public key.

Now I’ve reached the next step, which is to enable sftp on WordPress. To do this, I need to set the ftp-related keys in wp-config.php. Here’s the problem: these keys (FTP_PRIKEY/FTP_PUBKEY) appear to be a server public/private pair, while I expected that WordPress would only need to know my client’s public key. Why does the server need a key pair, and what does it do with them? Does it actually initiate sftp transactions to another client somewhere? It’s obviously not my client, since my client is not running an sftp/ssh server. So where do I copy the server’s public key to?

Thanks.

Limited user with SFTP access

I have created a user with nologin permission, but when I add a Match group clause in the sshd_config file for the newly created group (i.e. sftp) and restart the sshd service, it shows me an error about the “Match group” clause. I am using RHEL 5.7 and have had no luck finding any relevant answer. PFB the sshd configuration.

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Subsystem sftp internal-sftp
Match group sftp
ChrootDirectory /sftp/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
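A small checker for exactly this kind of config, added here as an example (it is not code from the post and not part of OpenSSH): it parses an sshd_config the way sshd reads it (keywords case-insensitive, '#' starts a comment, first occurrence of a keyword wins, everything after a Match line applies only to matching connections), then reports what a chrooted SFTP-only group should end up with and which directives are newer than the server in use. The two config texts are constructed: the first is an abridged copy of the posted file, the second the same intent written with a single Subsystem line. Two facts the checker relies on: sshd rejects a configuration that defines the same subsystem twice, and the Match and ChrootDirectory directives were introduced in OpenSSH 4.4 and 4.8 respectively, while RHEL 5 ships OpenSSH 4.3p2.

```python
"""Parse an sshd_config and audit a chrooted SFTP group (added example).

The helper names, the sample configs and the expected-setting table are
assumptions made for this example, not taken from the original post.
"""
import re

# Constructed: abridged from the posted sshd_config (comments stripped).
SAMPLE_CONFIG = """\
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
#ChrootDirectory none
Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match group sftp
ChrootDirectory /sftp/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
"""

# Constructed: one Subsystem line, then a Match block that locks the group down.
FIXED_CONFIG = """\
Protocol 2
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory /sftp/
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# What an SFTP-only chroot should resolve to for the matched group.
EXPECTED_IN_MATCH = {
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}

# OpenSSH release that introduced each directive (from the release notes).
# RHEL 5 ships OpenSSH 4.3p2, which predates both; internal-sftp is newer too.
INTRODUCED_IN = {"match": (4, 4), "chrootdirectory": (4, 8)}


def parse_sshd_config(text: str) -> dict:
    """Return {'global': {...}, 'match': [(criteria, {...})], 'subsystems': [...]}
    using sshd's first-occurrence-wins rule for every keyword but Subsystem."""
    global_opts: dict[str, str] = {}
    matches: list[tuple[str, dict[str, str]]] = []
    subsystems: list[str] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}  # subsequent lines belong to this Match block
            matches.append((value.lower(), current))
        elif keyword == "subsystem":
            subsystems.append(value)
        else:
            current.setdefault(keyword, value)
    return {"global": global_opts, "match": matches, "subsystems": subsystems}


def min_openssh_version(cfg: dict) -> tuple:
    """Newest release required by the directives used; (0, 0) if none is listed."""
    used = set(cfg["global"])
    for _, opts in cfg["match"]:
        used.update(opts)
    if cfg["match"]:
        used.add("match")
    return max((INTRODUCED_IN[k] for k in used if k in INTRODUCED_IN), default=(0, 0))


def check_sftp_chroot(cfg: dict, group: str) -> list[str]:
    """Return findings for the group's effective settings; empty means sane."""
    findings = []
    names = [s.split()[0] for s in cfg["subsystems"] if s]
    if names.count("sftp") > 1:
        findings.append("Subsystem 'sftp' is defined more than once")
    block = next((o for c, o in cfg["match"] if c == f"group {group}"), None)
    if block is None:
        findings.append(f"no 'Match Group {group}' block found")
        return findings
    chroot = block.get("chrootdirectory")
    if not chroot or chroot.lower() == "none":
        findings.append("ChrootDirectory is not set inside the Match block")
    for kw, want in EXPECTED_IN_MATCH.items():
        got = block.get(kw, cfg["global"].get(kw))  # Match overrides global
        if got is None or got.lower() != want:
            findings.append(f"{kw} should be '{want}' for group {group}, got {got!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_sshd_config(text)
        print(label, "needs OpenSSH >=", min_openssh_version(cfg))
        for finding in check_sftp_chroot(cfg, "sftp") or ["no findings"]:
            print("  ", finding)
```

Run against the posted text the checker reports the doubled Subsystem line and that the file needs at least OpenSSH 4.8, which is the first thing to compare against `sshd -V` on a RHEL 5.7 box before looking for a typo in the Match line; the fixed text produces no findings. On a live server, `sshd -t -f /path/to/sshd_config` is still the authoritative syntax check.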

Dolphin on SFTP “Communication with the local password server failed”

Apparently, every once in a while I get this weird “Communication with the local password server failed” error when trying to access SFTP via Dolphin, while terminal access still works.

While a reboot can temporarily fix that, is there a way to fix it permanently, or without a reboot, like restarting that “Password Server” thing?

Security risks of file shares vs ssh or sftp, in “backward” direction?

I work for a municipal government, using mostly Windows servers. In recent days several similar governments in our geographic area have been attacked, some successfully, by ransomware. So our security folks are alarmed, and have decreed (among other things) no more using SMB file-sharing to upload files from the “internal” network to the DMZ. I have a PowerShell script that does just that, to migrate databases; plus we have many other cases to use file shares such as uploading web sites.

They are saying we need to convert to using SSH or SFTP to transfer files. OK, this would be possible, but it would need setup work on every DMZ server, and changing all our current processes, and for what? (We don’t have enough people to do that plus everything else, although we’ve tried to get more warm bodies budgeted.) Anyway, I don’t see how that’s more secure. If DMZ server D is listening on a share, and the firewall prevents access from anywhere but authorized internal workstations or servers A, B, and C, then how can that be any more of a security risk (specifically, the risk of malware on server D going back the other way and compromising A, B, or C) than server D listening on an SFTP port or an SSH port, with the same firewall restrictions?

If the issue is something like “the file share is open all the time, but SSH isn’t,” then that would be somewhat understandable, and we might deal with that by mapping and unmapping to the shares when needed. But I don’t think this is their reasoning; I think it’s something else. Actually I get the impression it’s kind of a vague “feeling” on their part, that file shares are inherently and materially less secure, in the “backward” direction, even if firewall-protected as described above. If this is actually so, then why? I just don’t see it. Actually I don’t see why any of those protocols would pose a risk in the “backward” direction.

Mounted SFTP with Dolphin, how to access from command line?

I have mounted an SFTP share using Dolphin, which all works perfectly. However, I would also like to browse these files from the command line.

Pressing F4 in Dolphin to bring up a terminal window just gives me my home directory, and not the remote one. I cannot see the remote mount when running mount.

Is there a way to cd to the SFTP after mounting it in Dolphin, like I could if I had mounted it with sshfs?

What speaks against using a PowerShell PSDrive for SFTP?

When searching for SFTP in PowerShell I find Posh-SSH and WinSCP (see https://stackoverflow.com/questions/38732025/upload-file-to-sftp-using-powershell). Surely working solutions. But when I started looking for SFTP in PowerShell I expected to find a PSDrive. Is the concept of PSDrives not fitting or what might be the reason there is no SFPT-PSDrive? There must be a reason why WinSCP and Posh-SSH took an other approach.