Ssh Enable Sftp




Recently, Microsoft has released a port of OpenSSH for Windows. You can use the package to set up an SFTP/SSH server on Windows.

  • Installing SFTP/SSH Server
  • Connecting to the server


Here are the standard options specific to sftp (SSH/SFTP Connection). Leave blank or set to false to enable hashing (recommended), set to true to.

  • Step 1: enable. Example: Device> enable
  • Step 2: configure terminal. Enters global configuration mode. Example: Device# configure terminal
  • Step 3: ip ssh source-interface interface-type interface-number. Defines the source IP for the SSH session. Example: Device(config)# ip ssh source-interface GigabitEthernet1/0/1
  • Exits global configuration mode and returns to privileged EXEC mode.

  • In Settings app, go to Apps > Apps & features > Manage optional features.
  • Locate “OpenSSH server” feature, expand it, and select Install.

Binaries are installed to %WINDIR%\System32\OpenSSH. Configuration file (sshd_config) and host keys are installed to %ProgramData%\ssh (only after the server is started for the first time).

You may still want to use the following manual installation if you want to install a newer version of OpenSSH than the one built into Windows 10.

  • Download the latest OpenSSH for Windows binaries (package OpenSSH-Win64.zip or OpenSSH-Win32.zip)
  • As the Administrator, extract the package to C:\Program Files\OpenSSH
  • As the Administrator, install sshd and ssh-agent services:
  • Allow incoming connections to SSH server in Windows Firewall:
    • When installed as an optional feature, the firewall rule “OpenSSH SSH Server (sshd)” should have been created automatically. If not, proceed to create and enable the rule as follows.
    • Either run the following PowerShell command as the Administrator:
      Replace C:\System32\OpenSSH\sshd.exe with the actual path to the sshd.exe (C:\Program Files\OpenSSH\sshd.exe, had you followed the manual installation instructions above).
    • or go to Control Panel > System and Security > Windows Defender Firewall [1] > Advanced Settings > Inbound Rules and add a new rule for port 22.
  • Start the service and/or configure automatic start:
    • Go to Control Panel > System and Security > Administrative Tools and open Services. Locate OpenSSH SSH Server service.
    • If you want the server to start automatically when your machine is started: Go to Action > Properties. In the Properties dialog, change Startup type to Automatic and confirm.
    • Start the OpenSSH SSH Server service by clicking Start the service.
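
The install, firewall and service steps above as one idempotent PowerShell script. This is an added example, not a command from the original guide; it assumes the optional-feature install (sshd.exe under %WINDIR%\System32\OpenSSH) and uses `sshd` as the internal rule name, which is a choice made here.

```powershell
#Requires -RunAsAdministrator
# Added example. For a manual install, point $SshdPath at the extracted sshd.exe.
$SshdPath = Join-Path $env:WINDIR 'System32\OpenSSH\sshd.exe'
$RuleName = 'OpenSSH SSH Server (sshd)'   # display name quoted in the guide

# 1. Install the optional feature only if it is not present yet.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}
if (-not (Test-Path -LiteralPath $SshdPath)) {
    throw "sshd.exe not found at $SshdPath"
}

# 2. Reuse the automatically created rule if it exists; otherwise create one
#    that is bound to the sshd.exe binary rather than to port 22 alone.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    $rule | Enable-NetFirewallRule
} else {
    New-NetFirewallRule -Name 'sshd' -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort 22 -Action Allow -Program $SshdPath | Out-Null
}

# 3. Start the service now and on every boot.
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 4. Confirm the result: service state and the process listening on port 22.
Get-Service -Name sshd | Select-Object Name, Status, StartType
Get-NetTCPConnection -LocalPort 22 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the listener in step 4 is owned by a process other than sshd, another SSH service is already bound to port 22.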

These instructions are partially based on the official deployment instructions.

Follow a generic guide for Setting up SSH public key authentication in *nix OpenSSH server, with the following differences:

  • Create the .ssh folder (for the authorized_keys file) in your Windows account profile folder (typically in C:\Users\username\.ssh). [2]
  • For permissions to the .ssh folder and the authorized_keys file, what matters are Windows ACL permissions, not simple *nix permissions. Set the ACL so that the respective Windows account is the owner of the folder and the file and is the only account that has write access to them. The account that runs OpenSSH SSH Server service (typically SYSTEM or sshd) needs to have read access to the file.
  • Though, with the default Win32-OpenSSH configuration there is an exception set in sshd_config for accounts in Administrators group. For these, the server uses a different location for the authorized keys file: %ALLUSERSPROFILE%\ssh\administrators_authorized_keys (i.e. typically C:\ProgramData\ssh\administrators_authorized_keys).
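
A way to check the ACL rule described above before relying on a key file. This is an added example, not part of the original guide; `Test-AuthorizedKeysAcl` is a hypothetical helper name, and which accounts count as legitimate writers is left to the caller.

```powershell
# Added example: report any account other than the allowed ones that owns
# the path or holds a right that lets it change the path.
function Test-AuthorizedKeysAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedWriters   # e.g. 'PC\alice'
    )
    # Specific write-type rights plus the raw GENERIC_WRITE / GENERIC_ALL bits.
    $rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x50000000

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    if ($AllowedWriters -notcontains $acl.Owner) {
        $findings += "owner is $($acl.Owner)"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($AllowedWriters -notcontains $who) {
            $findings += "$who can modify ($($ace.FileSystemRights))"
        }
    }
    [pscustomobject]@{ Path = $Path; Ok = ($findings.Count -eq 0); Findings = $findings }
}

# Check the folder and the file for the current account.
$me = "$env:USERDOMAIN\$env:USERNAME"
$sshDir = Join-Path $env:USERPROFILE '.ssh'
$sshDir, (Join-Path $sshDir 'authorized_keys') |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-AuthorizedKeysAcl -Path $_ -AllowedWriters $me } |
    Format-List
```

Inherited entries are included in `$acl.Access`, so a write permission inherited from the profile folder shows up in the findings as well.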

Before the first connection, find out the fingerprint of the server’s host key by using ssh-keygen.exe for each file.

In Windows command-prompt, use:

Replace %WINDIR%\System32 with %ProgramFiles%, if appropriate.

In PowerShell, use:

Replace $env:WINDIR\System32 with $env:ProgramFiles, if appropriate.
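
One way to collect the host key fingerprints in PowerShell, in both SHA-256 and MD5 form so they can be compared with whichever format the client displays. This is an added example, not the original guide's command; it assumes the optional-feature install path and reads the public halves of the host keys (`*.pub`), which does not require access to the private key files.

```powershell
# Added example; adjust $KeyGen for a manual install under %ProgramFiles%.
$KeyGen = Join-Path $env:WINDIR 'System32\OpenSSH\ssh-keygen.exe'
$KeyDir = Join-Path $env:ProgramData 'ssh'

Get-ChildItem -Path $KeyDir -Filter 'ssh_host_*_key.pub' |
    ForEach-Object {
        foreach ($hash in 'sha256', 'md5') {
            # ssh-keygen -l prints: "<bits> <HASH>:<fingerprint> <comment> (<TYPE>)"
            $line = & $KeyGen -l -E $hash -f $_.FullName
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "ssh-keygen failed for $($_.Name)"
                continue
            }
            $parts = $line -split '\s+'
            [pscustomobject]@{
                File        = $_.Name
                Type        = $parts[-1].Trim('()')
                Bits        = [int]$parts[0]
                Fingerprint = $parts[1]
            }
        }
    } | Format-Table -AutoSize
```

Run it on the server console, not over an SSH session to the same server, so the recorded values do not depend on the connection they are meant to verify.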

You will get an output like this:

Start WinSCP. Login dialog will appear. On the dialog:

  • Make sure New site node is selected.
  • On New site node, make sure the SFTP protocol is selected.
  • Enter your machine/server IP address (or a hostname) into the Host name box.
  • Enter your Windows account name to the User name box. It might have to be entered in the format user@domain if running on a domain.
  • For a public key authentication:
    • Press the Advanced button to open Advanced site settings dialog and go to SSH > Authentication page.
    • In Private key file box select your private key file.
    • Submit Advanced site settings dialog with the OK button.
  • For a password authentication:
    • Enter your Windows account password to the Password box.
    • If your Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password); you need to use the public key authentication.
  • Save your site settings using the Save button.
  • Login using Login button.
  • Verify the host key by comparing fingerprints with those collected before (see above).


If you cannot authenticate to the server and use Windows 10 Developer mode, make sure that your OpenSSH server does not conflict with an internal SSH server used by the Developer mode. You may need to turn off the SSH Server Broker and SSH Server Proxy Windows services. Or run your OpenSSH server on a different port than 22.

  • Guide to Installing Secure FTP Server on Windows using IIS;
  • Guide to uploading files to SFTP server;
  • Guide to automating operations (including upload).
  1. Windows Firewall on older versions of Windows.
  2. Windows File Explorer does not allow you to create a folder starting with a dot directly. As a workaround, use .ssh., the trailing dot will allow you to bypass the restriction, but will not be included in the name.

Enable WordPress SFTP Updates

UPDATED: August 2017.

I’ve learned a lot since I wrote this post. I realize the naivety of having the ability to install software on the server but not being able to update the files through CLI. Like I said: I have learned a lot. There has been some rewording, better formatting and additional information added to this post but it is essentially left as it was – even though it’s slightly embarrassing for me to let people know I once worked so inefficiently.


When you are updating WordPress, or any themes and plugins you might be asked for access credentials, like FTP details. FTP is not the only connection method offered – if your server has the ability it might also give the option to use SFTP with username and password – or even with a private/public key pair.

There are a number of reasons WordPress might ask for credentials to install something or perform an update. The most common is inconsistent file permission and executing files as a user that doesn’t own them. The server user may execute the files as apache but apache may not have permission to overwrite files created or owned by your FTP user. Inconsistent file permissions paired with mismatched user groups can result in all kinds of nightmares.

Performing Updates Without Username And Password

To allow WordPress to run updates through the dashboard – and, most importantly, perform automated updates when security releases happen – you should make sure that the user running the PHP scripts has permission to read and write the files and directories that it needs to.


There might be legitimate reasons to have the file owner and the server user be different. Certain security policies may require such configurations (on shared hosts this is employed often). Most of the time you will want WordPress to have permission to modify all, or most, of the files that make up its whole installation.

  • An easy way (but the WORST way) to make this happen is to set file permissions to 777. Owner, Group and Public can then all read, write and execute the files. If the groups are configured correctly 755 would be a better option.
  • Run PHP as the file owner instead of the server user. Another workaround would be to make sure that after uploading files with your user account the owner is changed to the server owner, or that execution permissions are granted to the user group that you share, but that can be a pain to manage on each upload.

Both options would work but the 2nd option is by far the better choice.

WordPress Core Updates via SFTP

If you are prompted for credentials at install or update and want to make sure that the connection is secure you should use SFTP instead of standard FTP. If all you have is the option for FTP you will need to install a small piece of software on the server. If you’re not allowed to install software, or are otherwise unable to get SFTP and SSH enabled for updates, then contact me or leave a comment, and I’ll help you however I can.

Sometimes files are not stored on the machine that they are directly served to the visitor from. When you connect through the dashboard to the backend server you’re not always talking to the same machine. The connection may travel through the internet and in those situations it’s better to connect to the storage location with as secure a connection as possible. SFTP is probably the most secure connection you will be able to make with any kind of standard WP installation.

My initial investigation into this was because I kept receiving the ‘Failed to connect to FTP Server’ error when trying to run a WordPress Core update through the dashboard on one of my sites. I had double checked the FTP user and password and even created a new user just for this very purpose – but still it failed. Further testing showed that no response was being received from the connection attempt at all. I was perfectly able to connect using SFTP just like I usually do though.

It turns out the FTP server on this particular server I had configured to use different ports to stave off a brute force attempt. The FTP server was running on non-default ports, which I had long forgotten.

So the situation was: WordPress Core update needing done. The first way of doing so that came to mind was via manually uploading the files through SFTP. Eeek…

I really didn’t like the idea of doing that with over a dozen different WordPress instances so I found a slightly better way. Enable SFTP over SSH in my WordPress install. After a little bit of thought and some searching I found that Jon over at Snowulf had found the exact solution that I was looking for. He even had the exact commands to issue in a shell terminal on my server.

All I had to do was install “libssh2-php” – which is the PHP bindings for libssh2 – and restart Apache. It worked a treat and now any time that WordPress needs to update files it can do so with a secure connection to the file server.

Note: Thanks to Chris Barklow who pointed out in the comments that if you’re not logged in as the root user you need to sudo to restart Apache. You might also need it to install packages depending on your security set-up. I’ve updated the commands to show that.

Installing libssh2-php is a piece of cake on Ubuntu, just connect to your server however you like and run these commands:


If you run a distro other than Ubuntu then you should still be able to find ssh2 by searching your package manager for “libssh2”, installing and then restarting Apache.

Next time you see the connection screen you will have the choice of connecting via SSH which will use SFTP. All you need to enter is your username and password, or your key if you have that set up on the server, and treat it the same as the old FTP upload screen provided in WordPress.
