Friday, August 14, 2009

HOWTO: SFTP only on your Debian server

This is a guide to configuring your Debian GNU/Linux system for SFTP. Most of this guide applies to other distributions as well. I put it together because I thought most guides were less than satisfying.

Why do we want SFTP? In my case, I wanted a friend of mine to be able to upload some web pages onto my web server without giving him full shell access. I didn't want to install any extra services, possibly opening my system up for attack. I like having as few services running as possible. You should too.

There have been a number of solutions for restricting users to SFTP only. scponly is one example; it has been the subject of a number of exploits in the last couple of years, and its chroot mode has to run setuid root. I don't need to tell you why this is bad.

Since OpenSSH 4.8, sshd can chroot users itself (ChrootDirectory), and because the SFTP server can run inside the sshd process (internal-sftp) the jail needs no binaries or libraries at all. This article describes how I configured it. Nothing particularly hard, but I did have to do some research to get it working. There are a few caveats but it's pretty straightforward. When we're done we'll have our users chrooted into /home/user with SFTP-only access. Ok, let's go!

First, we want to add a group which will contain all users that will be chrooted:

sudo addgroup sftponly

Next, add all users you want chrooted to this group:

sudo adduser user sftponly

Add this at the end of your /etc/ssh/sshd_config. It has to go last: every directive after a Match line belongs to that Match block until the next one, so any global setting placed below it would silently apply only to sftponly users:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp


You also need to find the Subsystem line in sshd_config and change it from the commented line to the uncommented one below. internal-sftp runs the SFTP server inside sshd itself, which is what lets the chroot stay empty:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp


The chroot directory, and every directory above it, must be owned by root:root and must not be writable by group or others. sshd checks this on every login and refuses the session otherwise: a user who can write to the top of the jail can rearrange it (replace directories with symlinks, plant files sshd or later sessions will follow) and break out of it. In a default Debian GNU/Linux install, if you want to chroot the user to a path below /home, you first need to remove the setgid bit from /home (if you're like me, you're wondering why /home is setgid in the first place):

sudo chmod g-s /home

Next, create the user's directory tree and set ownership so that only the incoming directory is writable by the user; everything above it stays root-owned:

sudo mkdir -p /home/user/incoming
sudo chown root:root /home
sudo chown root:root /home/user/
sudo chown user:user /home/user/incoming


Set the user's home directory to /incoming, which is the path as seen from inside the chroot (/home/user/incoming on the host). That path does not exist outside the jail, which is fine for an SFTP-only account:

sudo usermod -d /incoming user

DONE! Restart sshd and confirm the result. An SFTP login should land in /incoming and be unable to go above it; a plain ssh login to the same account should be refused with "This service allows sftp connections only.":

sudo /etc/init.d/ssh restart

sftp user@host

Saturday, June 6, 2009

Debian tor + privoxy

$ cat /usr/share/doc/tor/README.privoxy
Tor only provides TCP layer anonymity. It does not do any protocol
cleaning, so if you are going to browse the web you still give away a
lot of information to servers.

The privoxy package provides a privacy enhancing HTTP proxy, which
is good at filtering headers, cookies, and much more. To view the
description of the Debian privoxy package just run "apt-cache show
privoxy". Please refer to the privoxy documentation for more details.

In order to use privoxy over tor, add the following line to your
privoxy configuration file:
forward-socks4a / localhost:9050 .
(the dot is important)

Then configure your browser to use privoxy as its HTTP proxy.

--
Peter Palfrader , Tue, 17 Feb 2004 02:15:36 +0100
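A small check for the forwarding rule the README asks for, added here as an example and not part of the README or of the Debian tor package. It assumes Privoxy's config syntax as quoted above (one directive per line, '#' starts a comment) and accepts forward-socks4a or forward-socks5 as the catch-all rule, since both hand the hostname to the SOCKS server. The point it enforces is the one the README only hints at: plain forward-socks4 makes Privoxy resolve names locally, which leaks every hostname you visit to your DNS resolver, and without the trailing dot the rule is not even valid.

```shell
#!/bin/sh
# Added example (not part of the README above): sanity-check a Privoxy config
# for the Tor forwarding rule before relying on it.
# Assumptions: '#' starts a comment; the catch-all pattern is "/"; the SOCKS
# host:port is whatever the rule names (the README uses localhost:9050).

# Return 0 when the config contains a catch-all rule of the form
#   forward-socks4a / host:port .
# (forward-socks5 is accepted too; both pass the hostname to the SOCKS server).
# Return 1 when no such rule exists or when a forward-socks4 rule is present:
# SOCKS4 carries only an IP address, so Privoxy would resolve the name locally
# and leak every visited hostname to the local DNS resolver.
privoxy_tor_forward_ok() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    # strip comments, keep only forward* directives ("|| true": no rules is not an error here)
    rules=$(sed 's/#.*//' "$cfg" | grep -E '^[[:space:]]*forward' || true)
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*forward-socks4[[:space:]]'; then
        echo "DNS leak: forward-socks4 resolves names locally; use forward-socks4a" >&2
        return 1
    fi
    # plain "forward" rules bypass the SOCKS parent for their pattern; warn but do not fail,
    # since excluding a LAN range that way is legitimate
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*forward[[:space:]]'; then
        echo "warning: plain forward rule(s) present, traffic matching them skips Tor" >&2
    fi
    if printf '%s\n' "$rules" | grep -Eq \
        '^[[:space:]]*forward-socks(4a|5)[[:space:]]+/[[:space:]]+[^[:space:]]+:[0-9]+[[:space:]]+\.[[:space:]]*$'; then
        return 0
    fi
    echo "no catch-all forward-socks4a rule found (the trailing dot is required)" >&2
    return 1
}
```

Point it at /etc/privoxy/config after editing. The check only covers the forwarding rule; as the README says, Privoxy on top of Tor still does nothing for protocols other than HTTP, and anything your browser sends around the proxy (plugins, direct DNS prefetching) is unaffected by it.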

How to fix apt key problems

gpg --keyserver hkp://wwwkeys.eu.pgp.net --recv-keys 07DC563D1F41B907
gpg --armor --export 07DC563D1F41B907 | sudo apt-key add -

Replace 07DC563D1F41B907 with the key ID apt is complaining about. Both gpg commands run as your own user: --recv-keys imports into your keyring, so exporting from root's keyring (sudo gpg --export) would find nothing; only apt-key needs root. A keyserver hands back whatever key carries that ID, so before trusting it compare its fingerprint (gpg --fingerprint 07DC563D1F41B907) with the one the repository publishes; otherwise you are authorizing any package signed by a key you know nothing about.

Monday, June 1, 2009

How to write en dash

dash:    -
en dash: –
em dash: —


Prefer en dash with space to the longer em dash, because that's what most publishers do.

To write an en dash in GTK applications under X (Ctrl-Shift-u starts Unicode hex input), hit the following keys:
* Ctrl-Shift-u
* 2013
* enter

Sunday, May 31, 2009

Tar + SSH

This is a simple way to recursively copy a directory over SSH. tar preserves permissions, symlinks and timestamps, and the tree is extracted relative to the login directory on the remote side:

tar cf - dir/ | ssh host.com tar xf -
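The same pipeline as a function, added here as an example (not from the original post), with the remote destination passed explicitly and the copy verified afterwards. It assumes GNU tar and GNU find (for -printf), and it adds -p on the extracting side so file modes survive even when the remote umask is strict. SSH_CMD is an assumption of this example only, so the transport can be swapped for a local shell when testing without a remote host.

```shell
#!/bin/sh
# Added example (not from the original post): the tar-over-ssh copy as a
# function, plus a cheap consistency check of the result.
# Assumptions: GNU tar and GNU find; SSH_CMD exists only so the transport can
# be replaced (e.g. by a local shell) when there is no remote host to test with.

SSH_CMD=${SSH_CMD:-ssh}

# Copy directory tree $1 to directory $3 on host $2.
# -C on both sides: archive relative to the parent of $1 and extract under $3,
# so absolute paths never end up in the stream; -p keeps modes despite umask.
copy_tree_over_ssh() {
    src=${1%/} remote=$2 dest=$3
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }
    parent=$(dirname "$src"); name=$(basename "$src")
    tar cf - -C "$parent" "$name" | $SSH_CMD "$remote" "mkdir -p '$dest' && tar xpf - -C '$dest'"
}

# Sorted listing of (path, mode, type) for every entry plus a checksum of every
# regular file; two trees with identical listings were copied faithfully.
tree_signature() {
    ( cd "$1" && { find . -printf '%p %m %y\n'; find . -type f -exec cksum {} +; } | LC_ALL=C sort )
}

# Exit 0 if the two trees have the same signature.
trees_match() {
    [ "$(tree_signature "$1")" = "$(tree_signature "$2")" ]
}
```

Note that a plain sh pipeline only reports the exit status of the remote tar, so a read error on the sending side goes unnoticed unless you run the signature check against the destination (over ssh, the same way) afterwards. tar also keeps symlinks as symlinks, whereas scp -r follows them and copies their targets.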

Tuesday, May 26, 2009

Steps to make encfs work on Debian GNU/Linux

Compile or install a kernel with support for FUSE (found in `make menuconfig` under File systems).
sudo apt-get install fuse-utils encfs
sudo vigr && sudo vigr -s # add yourself to the fuse group, in both /etc/group and /etc/gshadow
su - `whoami` # alternatively, log out and log in again so your new group membership takes effect
mkdir $HOME/.crypt $HOME/crypt # .crypt holds the encrypted files, crypt is the cleartext mount point
encfs $HOME/.crypt $HOME/crypt
Answer the questions (pass phrase etc.); the defaults are fine in most cases. Unmount with fusermount -u $HOME/crypt when you are done, and back up the .crypt directory (including its .encfs config file), never the mounted view.

DONE!

NTFS on Linux

Use ntfs-3g to get good support for read/write on NTFS. FUSE is required.

Saturday, May 23, 2009

Out Amarok, In Songbird

I've been looking for a replacement for Amarok. I don't like the idea of depending on KDE software unless I really need to.

I've settled for the really nice Songbird, which has a very active development team (blog) and is based on Mozilla (xulrunner). For me, it's perfect. I have a fairly large music library and it's nice to once again have the ability to discover it. One big playlist is actually a huge advantage compared to Amarok's design where your playlist consists only of a small, manually selected subset of your music collection. I know there are dynamic playlists in Amarok and blah, blah, but those features just didn't cut it for me. Plus it's nice to see there are quite a few plugins for Songbird.

It's not faster than Amarok but it's not slower either. There are a few bugs, most notably one regarding handling of symlinks in watch directory. I guess it'll be fixed in due time.

Unfortunately, it's not packaged for Debian GNU/Linux yet. You can still download it and run it from your home directory though. I urge you to try it out!

Get songbird.