
An FTP server can be set up for anonymous use, typically using username "anonymous" and the password does not matter. How do I set up Tectia Server for anonymous SFTP access?

asked Feb 24 '10 at 12:04



SFTP does not have the same anonymous access method as FTP, but it is possible to enable anonymous access without authentication.

The SFTP protocol works over the SSH2 transport layer, and authentication is also done using the SSH2 protocol. SSH Tectia Server can be configured to allow a named user, for instance "anonymous", to log in without any authentication. It is also possible to restrict the login to a certain range of IP addresses, or to a certain interface on the server (see the server admin manual for details).

It is possible to restrict the access for this user by chrooting the sftp session and denying terminal, command, and tunneling access. The user's ability to download and upload files depends on the operating system level permissions on files and directories. If upload is permitted, it is recommended to have the directories with write access on a separate file system, so that it is not possible for the anonymous user to harm the system by filling up file systems that are used by the system or by other users.

Here is an example of setting up anonymous access:

  1. Create user account "anonymous" if it does not already exist:

    useradd -m -d <homedir> -s <shell> anonymous

    where <homedir> is the place that you want the anonymous users to have access to, and <shell> could be something that is not a login shell, like /bin/false. If you are going to enable write access for anonymous users, you might want to have the <homedir> on a partition of its own.

  2. Check what files you have in the anonymous user's home directory and what files should be there, and that the permissions are what you want them to be.

    For example, if you want to make this read-only, you could change the ownership of the files to someone else, e.g. root:

    chown -R root:root ~anonymous

    If you want to give some directories write access, change ownership of those to "anonymous".

  3. Modify ssh-server-config.xml so that you have something like the following in the beginning of authentication-methods and services blocks:

      <!-- This will allow "anonymous" user to log in without authentication. -->
      <authentication name="allow-anonymous" set-group="anonymous-user">
        <selector>
          <user name="anonymous" />
        </selector>
      </authentication>
      <!-- ... other authentication elements -->
      <!-- ... possible group definitions ... -->
      <!-- anonymous user is allowed to use sftp only -->
      <rule group="anonymous-user" idle-timeout="600">
        <terminal action="deny" />
        <subsystem type="sftp" application="sft-server-g3"
                   exec-directly="yes" />
        <command action="deny" />
        <tunnel-local action="deny" />
        <tunnel-remote action="deny" />
      </rule>
      <!-- ... other rules -->
      <!-- default rule comes AFTER the rule for anonymous user! -->

    Note that the rules are processed in order, and the first matching rule is used. The default rule that matches all users should be the last one.

  4. Restart Tectia Server to take the new configuration into use.

  5. Test carefully that the chrooting works, that file ownership and permissions are set correctly, that the anonymous user cannot do anything that he should not be able to do, and that other users have access to the services they should.


answered Feb 24 '10 at 12:13
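
A check for steps 2 and 5 of the answer above, added here as an example and not part of the original answer or of Tectia: it lists what the anonymous account can modify and flags writable directories that share a file system with a reference path such as /. The function names and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example: audit what an anonymous SFTP account can modify.
# Assumes POSIX find/df/awk and mount points without spaces.

# Print the mount point of the file system that holds path $1.
mount_of() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# List paths under $1 that user $2 can modify through ownership or the
# world-writable bit. Symlinks are skipped; group write access is not checked.
writable_paths() {
    find "$1" ! -type l \( -user "$2" -o -perm -0002 \) -print
}

# Usage: audit_anon_tree <homedir> <user> [reference-path]
# Prints one finding per line. Returns 1 when a writable directory sits on
# the same file system as the reference path (default /), 0 otherwise.
audit_anon_tree() {
    root=$1 user=$2 ref=${3:-/}
    ref_mount=$(mount_of "$ref")
    list=$(writable_paths "$root" "$user")
    if [ -z "$list" ]; then
        echo "OK: nothing under $root is writable by $user"
        return 0
    fi
    status=0
    while IFS= read -r p; do
        if [ -d "$p" ]; then
            if [ "$(mount_of "$p")" = "$ref_mount" ]; then
                echo "RISK: writable directory $p shares file system $ref_mount with $ref"
                status=1
            else
                echo "INFO: writable directory $p is on a separate file system"
            fi
        else
            echo "INFO: writable file $p"
        fi
    done <<EOF
$list
EOF
    return $status
}

# Run only when arguments are given, e.g.: sh audit.sh ~anonymous anonymous
if [ "$#" -ge 2 ]; then
    audit_anon_tree "$@"
fi
```

For a read-only setup the expected result is the single OK line; any RISK line means an upload directory can fill a file system that the system or other users depend on.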




Asked: Feb 24 '10 at 12:04

Seen: 24,242 times

Last updated: Aug 11 '10 at 16:22

All user contributed content licensed under the cc-by-sa license.