Link to Cygwin Install Notes - goo.gl/mnbYB7
Updated to include better user restriction instructions, locking each user into their home directory in SFTP
Updated video on how to install SFTP on a Windows Server using Cygwin OpenSSH for Windows Server 2003, 2008, 2008R2, 2012, 2014, 2016
STEP #0 = Install Cygwin and OpenSSH Files
1) Install files as instructed in this video
2) Note: always run all terminals as Administrator when following the instructions below
STEP #1 = Create Windows Users, Groups and User Directories
1) For Example, create windows users sftpuser01, sftpuser02, sftpuser03
2) For Example, create windows group sftp_group
3) Place users in the sftp_group
4) Under windows create the Folder C:\SFTP_ROOT
5) Create a folder for each user, in my case it's
a) C:\SFTP_ROOT\sftpuser01
b) C:\SFTP_ROOT\sftpuser02
c) C:\SFTP_ROOT\sftpuser03
STEP #2 = Open the Cygwin Terminal Shell and install SSH
1) In the Cygwin Terminal Shell type
export CYGWIN='ntsec tty'
chmod 0755 /var
ssh-host-config
Answers to the questions when prompted by ssh-host-config
===================================================================
a) should strictmodes be used? no
b) Should privilege separation be used? yes
c) New local account 'sshd'? yes
d) do you want to install sshd as a service? yes
e) Enter the value of CYGWIN daemon? sshd
f) do you want to use a different name? no
g) Create a new privileged user account 'cyg_server'? yes
STEP #3 = Create password and Group file
1) Create the Password File and Group File, in the Cygwin Terminal type
mkgroup > /etc/group
#for local users
mkpasswd -cl > /etc/passwd
#for domain users
#mkpasswd -d > /etc/passwd
chmod +rw /etc/group
chmod +rw /etc/passwd
STEP #4 = Edit the FSTAB File system table
1) Some FSTAB Entries for Your Reference
cygwin.com/cygwin-ug-net/using...
2) Use these entries
C:/cygwin64 / ntfs override,binary,noacl 0 0
C:/SFTP_ROOT /home ntfs override,binary,noacl 0 0
C:/cygwin64/bin /usr/bin ntfs override,binary,noacl 0 0
C:/cygwin64/lib /usr/lib ntfs override,binary,noacl 0 0
C:/cygwin64/etc/terminfo /usr/share/terminfo ntfs override,binary,noacl 0 0
STEP #5 = Change the nsswitch.conf file
1) This allows only users in the passwd file to log in; if you
specify "db", users in Active Directory can log in as well.
If you want user login access to be controlled solely by the passwd file, not Active Directory,
edit /etc/nsswitch.conf
Defaults:
passwd: files db
group: files db
db_enum: cache builtin
db_home: /home/%U
db_shell: /bin/bash
Change to:
passwd: files
group: files
STEP #6 = Now Start the Service
1) Start the Service
net stop sshd
net start sshd
netstat -a
2) Make sure to change the firewall to allow port 22
STEP #7 = Restrict users to home dir
0) Allow editing of sshd_config, in the Cygwin terminal
chmod 777 /etc/sshd_config
1) Restrict users to their home directory: edit /etc/sshd_config and add the lines below
a) comment out
#Subsystem sftp /usr/sbin/sftp-server
b) paste the Subsystem and Match group lines below
Subsystem sftp internal-sftp
Match group sftp_group
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
2) Edit the /etc/passwd file: give the user "cyg_server" the root id of 0;
this is necessary for restricting the user to their own home directory
cyg_server:*:0
3) Append these to the /etc/fstab file; this will hide the /cygdrive and /dev folders
after you have restricted the user to the /home directory
/dev /null none bind
none / cygdrive user 0 0
4) In the Cygwin Terminal, assign /home to cyg_server; this is required
for restricting the user to the home directory
chown cyg_server /home
chmod 0755 /home
5) Start the Service
net stop sshd
net start sshd
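An added check, not part of the original notes: a small shell function that audits an sshd_config for the STEP #7 settings, so a missing or misplaced line is caught before sshd is restarted. The function name check_sftp_chroot and the sample config files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original notes. check_sftp_chroot is a
# hypothetical helper; the sample config files below are constructed.

# check_sftp_chroot FILE GROUP: print each problem, return 1 if any is found
check_sftp_chroot() {
    awk -v grp="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = tolower($1) }                   # sshd keywords are case-insensitive
        key == "match" {                        # every Match line opens a new block
            in_blk = (tolower($2) == "group" && $3 == grp)
            if (in_blk) seen_blk = 1
            next
        }
        key == "subsystem" && $2 == "sftp" { subsys = $3; next }
        in_blk { val[key] = $2 }                # directive inside our Match block
        END {
            if (subsys != "internal-sftp") { print "Subsystem sftp is not internal-sftp"; bad = 1 }
            if (!seen_blk) { print "no Match group " grp " block"; exit 1 }
            if (!("chrootdirectory" in val)) { print "ChrootDirectory missing"; bad = 1 }
            if (val["forcecommand"] != "internal-sftp") { print "ForceCommand is not internal-sftp"; bad = 1 }
            if (val["allowtcpforwarding"] != "no") { print "AllowTcpForwarding is not no"; bad = 1 }
            if (val["x11forwarding"] != "no") { print "X11Forwarding is not no"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed samples: the STEP #7 lines, and a copy with ForceCommand removed
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
#Subsystem sftp /usr/sbin/sftp-server
Subsystem sftp internal-sftp
Match group sftp_group
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
grep -v '^ForceCommand' "$good" > "$bad"
check_sftp_chroot "$good" sftp_group && echo "good config: OK"
check_sftp_chroot "$bad" sftp_group || echo "bad config: rejected"
rm -f "$good" "$bad"
```

Point it at /etc/sshd_config with the group name from STEP #1. A directive that ends up under a later Match line is reported as missing, because it no longer applies to sftp_group.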
Sep 5, 2015