SFTP connection to OCI Windows compute Instance
The Secure File Transfer Protocol (SFTP) is a widely used protocol for securely transmitting data across networks. This article delves into the process of establishing SFTP transmissions on Windows servers.
Setting up SFTP on Linux is relatively straightforward in terms of installation and configuration. However, on Windows, the user management aspect differs and requires additional configuration, which will be thoroughly discussed in this article.
For illustrative purposes, I have chosen the Windows Server 2019 Standard platform for this example. Our aim is to establish an SFTP connection using OpenSSH, a remote sign-in connectivity tool that operates over the SSH protocol. OpenSSH might not be installed or enabled by default on Windows platforms, so this article walks through the steps to enable it.
Log in to the Windows Server 2019 machine and click the Windows icon. Type “Settings” to open the Windows Settings window, then select “Apps.”

In the Apps & features window, choose “Manage Optional Features.”

The “Manage optional features” window will display a comprehensive list of all the optional packages currently installed on the server. In the provided example, the OpenSSH server is already installed. If it is not installed, you must click on the “Add a feature” link located at the top of the window. Afterward, select the OpenSSH server from the list and proceed by clicking the “Install” button.
By default, the OpenSSH feature is installed in the C:\Windows\System32\OpenSSH folder.

The OpenSSH configuration file is stored in the C:\ProgramData\SSH folder. Note that ProgramData is a hidden folder in Windows.

You can locate SSH keys and the sshd_config file within the C:\ProgramData\SSH folder. The sshd_config file holds critical configurations that determine the framework’s behavior. Having successfully installed and enabled OpenSSH for SFTP connectivity, it is now time to initiate the OpenSSH service. Navigate to the Services window and proceed to start the service.
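The same install-and-start steps can be run from an elevated PowerShell session instead of the Settings and Services windows. This is an added example, not part of the original article; it assumes the default listening port 22 and checks the folders named above.

```powershell
# Run from an elevated PowerShell session on the Windows Server 2019 instance.

# Find the OpenSSH Server optional feature and install it only if it is missing
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name
}

# Start the service now and have it start on every boot
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# Confirm the pieces the article points to are in place
$checks = [ordered]@{
    'Binaries in System32\OpenSSH'   = Test-Path "$env:windir\System32\OpenSSH\sshd.exe"
    'sshd_config in ProgramData\ssh' = Test-Path "$env:ProgramData\ssh\sshd_config"
    'sshd service running'           = (Get-Service -Name sshd).Status -eq 'Running'
    'Listening on TCP 22'            = [bool](Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue)
}
$checks.GetEnumerator() | Format-Table Name, Value -AutoSize
```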

At this stage, OpenSSH has been both installed and started. However, it requires configuration adjustments to align with the Windows system. By default, the configuration is set in accordance with the Linux operating system. To make it compatible with the Windows platform, certain parameters need to be modified.
Edit the sshd_config file using Notepad. Ensure that you open Notepad with Administrator privileges; otherwise, you won’t be able to make changes to the file.
Within the sshd_config file, you will find a comprehensive list of parameters, some of which are commented out. Feel free to adjust these parameters in accordance with your specific requirements.
Here are a few recommendations on top of the default settings:
- #AuthorizedKeysFile .ssh/authorized_keys: This parameter is for key-based authentication. Comment it out to disable key-based authentication.
- PasswordAuthentication yes: Enable this parameter and set it to yes for password-based authentication on the Windows machine.
- #Port 22: The OpenSSH listening port can be changed.
- ChrootDirectory C:\SFTP: This denotes the root directory for all users. When a user connects via SFTP, they land in this folder.
The “ChrootDirectory” serves as a shared folder for all users. This implies that whenever a user establishes a connection, they will be directed to the ChrootDirectory. As a result, any file transfers made will be directed to this folder — for instance, the C:\SFTP folder mentioned in the previous example. However, this setup can compromise privacy.
The preferred approach is to implement separate ChrootDirectories for each user. In Unix-based environments, individual home folders are allocated for each user, ensuring that when they connect via SFTP, they are automatically directed to their designated home folder. The aim is to replicate this functionality in Windows, effectively creating a distinct ChrootDirectory for every user. This can be achieved through the following steps.
Match User sftp1
    AllowTcpForwarding no
    ChrootDirectory C:\SFTP1
    ForceCommand internal-sftp
Match User sftp2
    AllowTcpForwarding no
    ChrootDirectory C:\SFTP2
    ForceCommand internal-sftp
In the provided example, both “sftp1” and “sftp2” represent Windows users. When they establish SFTP connections, they will be automatically directed to their individual folders. Specifically, the “sftp1” user will exclusively access the “c:\sftp1” folder, while the “sftp2” user will be restricted to the “c:\sftp2” folder.
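One way to check that every per-user block actually carries the three restricting directives, and that no two users end up in the same folder, is to parse the Match blocks and report gaps. This is an added example, not code from the original article; the function name Test-SftpMatchBlocks and the third user sftp3 are hypothetical, and the sample configuration is constructed.

```powershell
# Constructed sample: the article's two Match blocks plus a hypothetical
# third user (sftp3) whose block is incomplete and reuses C:\SFTP1.
$sample = @'
PasswordAuthentication yes
Match User sftp1
AllowTcpForwarding no
ChrootDirectory C:\SFTP1
ForceCommand internal-sftp
Match User sftp2
AllowTcpForwarding no
ChrootDirectory C:\SFTP2
ForceCommand internal-sftp
Match User sftp3
ChrootDirectory C:\SFTP1
'@

function Test-SftpMatchBlocks {   # hypothetical helper, not part of OpenSSH
    param([string]$ConfigText)
    $blocks = [ordered]@{}
    $current = $null
    foreach ($raw in ($ConfigText -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        $key, $value = $line -split '\s+', 2
        if ($key -ieq 'Match') {
            # A Match block runs until the next Match line; only single-user blocks are tracked
            $current = if ($value -match '^User\s+(\S+)$') { $Matches[1] } else { $null }
            if ($current) { $blocks[$current] = @{} }
        } elseif ($current -and -not $blocks[$current].ContainsKey($key)) {
            $blocks[$current][$key] = $value   # sshd keeps the first value it sees
        }
    }
    $owners = @{}   # chroot path -> first user that claimed it (keys are case-insensitive)
    foreach ($user in $blocks.Keys) {
        $b = $blocks[$user]
        $dir = $b['ChrootDirectory']
        $issues = @()
        if (-not $dir) { $issues += 'no ChrootDirectory' }
        elseif ($owners.ContainsKey($dir)) { $issues += "shares chroot with $($owners[$dir])" }
        else { $owners[$dir] = $user }
        if ($b['ForceCommand'] -ne 'internal-sftp') { $issues += 'ForceCommand is not internal-sftp' }
        if ($b['AllowTcpForwarding'] -ne 'no') { $issues += 'AllowTcpForwarding is not no' }
        [pscustomobject]@{ User = $user; Chroot = $dir; Issues = ($issues -join '; ') }
    }
}

Test-SftpMatchBlocks -ConfigText $sample | Format-Table -AutoSize
```

To run it against the live file, pass `Get-Content -Raw C:\ProgramData\ssh\sshd_config` as `-ConfigText`. Edits to sshd_config take effect only after the sshd service is restarted.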
For testing SFTP connections, you can install an SFTP client. In this case, I’ve opted for the FileZilla client, which can be downloaded from the following link: https://filezilla-project.org/.

Here are the specific details we’ll need:
- Host: For OCI Windows instances, use the Public IP address.
- Username: The username should be set to “opc” (which is the Administrative user in this context).
- Password: Input the corresponding password for the “opc” user account.
Let's transfer a file through SFTP and check whether that file is stored in the ChrootDirectory (c:\sftp) folder.


We can see that the file has been transferred via SFTP to the C:\SFTP folder.