SFTP does not have the same anonymous access method as FTP, but it is possible to enable anonymous access without authentication.
The SFTP protocol works over the SSH2 transport layer, and authentication is also done using the SSH2 protocol. SSH Tectia Server can be configured to allow a named user, for instance "anonymous", to log in without any authentication. It is also possible to restrict the login to a certain range of IP addresses, or to a certain interface on the server (see the server administrator manual for details).
It is possible to restrict the access for this user by chrooting the sftp session and denying terminal, command, and tunneling access. The user's ability to download and upload files depends on the operating system level permissions on files and directories. If upload is permitted, it is recommended to have the directories with write access on a separate file system, so that it is not possible for the anonymous user to harm the system by filling up file systems that are used by the system or by other users.
Here is an example of setting up anonymous access:
Create user account "anonymous" if it does not already exist:
useradd -m -d <homedir> -s <shell> anonymous
where <homedir> is the place that you want the anonymous users to have access to, and <shell> could be something that is not a login shell, like /bin/false. If you are going to enable write access for anonymous users, you might want to have the <homedir> on a partition of its own.
Check what files you have in the anonymous user's home directory and what files should be there, and that the permissions are what you want them to be.
For example, if you want to make this read-only, you could change the ownership of the files to someone else, e.g. root:
chown -R root:root ~anonymous
If you want to give some directories write access, change ownership of those to "anonymous".
Modify ssh-server-config.xml so that you have something like the following at the beginning of the authentication-methods and services blocks:
<authentication-methods>
  <!-- This will allow the "anonymous" user to log in without authentication. -->
  <authentication name="allow-anonymous" set-group="anonymous-user">
    <selector>
      <user name="anonymous" />
    </selector>
  </authentication>
  <!-- ... other authentication elements ... -->
</authentication-methods>

<services>
  <!-- ... possible group definitions ... -->
  <!-- The anonymous user is allowed to use sftp only, chrooted to its home directory. -->
  <rule group="anonymous-user" idle-timeout="600">
    <terminal action="deny" />
    <subsystem type="sftp" action="allow" application="sft-server-g3" chroot="%homedir%" />
    <command action="deny" />
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
  <!-- ... other rules ... -->
  <!-- The default rule comes AFTER the rule for the anonymous user! -->
</services>
Note that the rules are processed in order, and the first matching rule is used. The default rule that matches all users should be the last one.
Restart the Tectia Server to take the new configuration into use.
Test carefully that the chrooting works, that file ownership and permissions are set correctly, that the anonymous user cannot do anything it should not be able to do, and that other users still have access to the services they should.
Feb 24 '10 at 12:13
SSH KB ♦
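The ownership and permission checks in the steps above (everything read-only except designated upload directories, and writable areas on their own file system) are easy to get wrong by hand. The following POSIX shell audit is an added example, not part of the original KB answer or of Tectia: it walks the anonymous home directory, flags every entry whose owner is wrong for its location and every world-writable entry, and reports whether a directory sits on a file system of its own. The home directory name /srv/anonymous and the upload directory "incoming" in the usage comment are constructed; paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Pre-flight audit of the anonymous SFTP home tree (added example, not
# part of the original KB answer).  Assumed layout: everything under
# HOMEDIR is owned by RO_OWNER (e.g. root) except the designated upload
# subdirectories, which belong to ANON_USER.  Paths contain no whitespace.
#
# Usage: audit_anon_home HOMEDIR RO_OWNER ANON_USER [UPLOAD_SUBDIR ...]
# Prints each offending path and returns the number of findings (0 = clean;
# the shell caps return values at 255).
audit_anon_home() {
    homedir=$1; ro_owner=$2; anon=$3; shift 3
    findings=0
    for p in $(find "$homedir" -print); do
        # Upload directories and their contents must belong to the anonymous
        # user; everything else must belong to the read-only owner.
        want=$ro_owner
        for d in "$@"; do
            case "$p" in
                "$homedir/$d"|"$homedir/$d"/*) want=$anon ;;
            esac
        done
        # "find PATH -prune" tests PATH itself without descending into it.
        if [ -n "$(find "$p" -prune ! -user "$want" -print)" ]; then
            echo "wrong owner (want $want): $p"
            findings=$((findings + 1))
        fi
        # Nothing in the tree may be world-writable: the anonymous account
        # writes through its own uid, so o+w only lets other local users
        # plant or alter files that anonymous clients will then download.
        if [ -n "$(find "$p" -prune -perm -002 -print)" ]; then
            echo "world-writable: $p"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# The answer recommends keeping writable directories on a separate file
# system so anonymous uploads cannot fill up a file system used by others.
# Returns 0 when DIR is a mount point of its own (its mount point differs
# from that of its parent directory), 1 otherwise.
on_own_filesystem() {
    dir=$1
    mp_dir=$(df -P "$dir" | awk 'NR == 2 { print $6 }')
    mp_parent=$(df -P "$dir/.." | awk 'NR == 2 { print $6 }')
    [ "$mp_dir" != "$mp_parent" ]
}

# Example run against a constructed home directory /srv/anonymous with one
# upload directory "incoming":
#   audit_anon_home /srv/anonymous root anonymous incoming
#   on_own_filesystem /srv/anonymous/incoming \
#       || echo "incoming shares a file system with the rest of the host"
```

Run the audit once before enabling the "allow-anonymous" authentication and again after the first test login, since the sft-server-g3 session will create files with the anonymous user's uid in any directory it can write to.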