Setting up SFTP on Windows 2008

Recently, I had a task assigned to me to get SFTP up and running on a Windows 2008 server. I did some Googling and found a few resources, but only by combining the various bits of information was I able to get it up and running. I thought I’d throw it all together into a blog post, in the hopes that it will help someone else out.

Requirements

You will need to download the latest Cygwin package from cygwin.com (there’s a link to setup.exe halfway down the first page). You’ll also need to have administrator access to the Windows 2008 server.

Getting Started

After you’ve downloaded Cygwin’s setup.exe, right-click it and Run As Administrator. Choose to Install from Internet, keep the defaults for Root Directory and Install For All Users, and leave the Local Package Directory at the default path. If you’re behind a proxy, you’ll want to use Internet Explorer’s settings, or enter the proxy information. If not, a direct connection will work great. Choose a mirror (I chose the one from kernel.org), and click OK for the warning about upgrading Cygwin (since this is theoretically your first time installing it). On the package selection page, type SSH into the Search box, then expand the Net selection. Click on openssh to select the binary package only. Select the required dependent packages on the next screen and wait for the installation to finish.

Configuration

After the installation is completed, find the Cygwin Bash Shell icon (should be on your Start Menu or Desktop), and right-click to Run As Administrator. You’ll see some initial configurations running, then you will be presented with a prompt. At the prompt, enter ssh-host-config to get started. You’ll be presented with the wizard below. Feel free to answer as I’ve listed, or change as needed.

  1. Should privilege separation be used? <yes>
  2. Should this script attempt to create a new local account ‘sshd’? <yes>
  3. Do you want to install sshd as a service? <yes>
  4. Enter the value of CYGWIN for the daemon <> (this is the service name)
  5. Do you want to use a different name (privileged acct cyg_server) <no>
  6. Create new privileged user account ‘cyg_server’? <yes>
  7. Please enter the password? [your choice]
  8. Reenter the password
  9. Setup is complete. Enter net start sshd at the prompt to start the service.

Users & Groups

By default, all local groups and local users will be added to C:\Cygwin\etc\group and C:\Cygwin\etc\passwd, respectively. You can add additional local groups (created after the Cygwin install/sshd configuration) by using the following command at the Cygwin Bash Shell prompt:

  • mkgroup -l -g "Group Name" >> /etc/group

You can also add domain-based groups with:

  • mkgroup -d -g "Group Name" >> /etc/group

Add additional local or domain-based users in much the same way:

  • mkpasswd -l -u "username" >> /etc/passwd
  • mkpasswd -d -u "username" >> /etc/passwd

Home Directories

By default, all users you add to the passwd file (or users present during initial configuration) will be mapped to /home/username (within Cygwin Bash Shell), or C:\Cygwin\home\username in Windows.

If you wish to change the home directory for a particular user, then use a text editor to edit the home directory path in /etc/passwd. If you wish to point the user’s home directory to another folder within Windows, then you must use Cygwin’s cygdrive to do so. As an example, the C:\ drive is known to Cygwin as /cygdrive/c. The D:\ drive is /cygdrive/d, and so on. If you want to set the home directory to point to D:\directory, then the appropriate home directory path is /cygdrive/d/directory. Save and close /etc/passwd when you are done.
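
The home-directory edit described above can be scripted instead of done by hand. This is an added example, not part of the original post: the function names, the ftpuser account and the sample passwd line are constructed for illustration, and it works on a temporary copy rather than the live /etc/passwd.

```shell
#!/bin/sh
# Added example: names, paths and the sample passwd line are constructed.

# Convert a Windows drive path (D:\directory) to Cygwin's /cygdrive form.
# On a real Cygwin install, `cygpath -u` performs this conversion.
win_to_cygdrive() {
    printf '%s\n' "$1" | awk '{
        if ($0 !~ /^[A-Za-z]:/) exit 1      # not a drive-letter path
        drive = tolower(substr($0, 1, 1))
        rest = substr($0, 3)
        gsub(/\\/, "/", rest)               # backslashes -> forward slashes
        sub(/\/+$/, "", rest)               # drop trailing slash
        print "/cygdrive/" drive rest
    }'
}

# set_home PASSWD_FILE USER WINDOWS_PATH
# Rewrites only field 6 (home directory) of USER's entry; keeps a .bak copy.
set_home() {
    file=$1; user=$2
    home=$(win_to_cygdrive "$3") || { echo "not a drive path: $3" >&2; return 1; }
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file" \
        || { echo "no passwd entry for $user" >&2; return 2; }
    cp "$file" "$file.bak"
    awk -F: -v OFS=: -v u="$user" -v h="$home" \
        '$1 == u { $6 = h } { print }' "$file.bak" > "$file"
}

# Demo on a temporary copy, never the live /etc/passwd.
demo=$(mktemp)
printf '%s\n' 'ftpuser:unused:1005:513:U-SERVER\ftpuser,S-1-5-21-0-0-0-1005:/home/ftpuser:/bin/bash' > "$demo"
set_home "$demo" ftpuser 'D:\directory' && grep '^ftpuser:' "$demo"
rm -f "$demo" "$demo.bak"
```

Single-quote the Windows path when calling set_home so the shell does not consume the backslashes.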

Testing

If you’ve made any changes to /etc/group, or /etc/passwd, then you’ll want to restart the sshd service for the changes to take effect. If not, make sure you’ve started the sshd service before moving forward with verifying that everything works as expected.

Fire up your favorite SFTP capable client (I prefer FileZilla or WinSCP), and point it towards your new SFTP server. Be sure to use a user whose group exists in /etc/group, and is listed in /etc/passwd.
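
Before pointing a client at the server, the requirement above (the user is listed in /etc/passwd and the user's group exists in /etc/group) can be checked from the Cygwin Bash Shell. This is an added example, not part of the original post: check_sftp_user, the accounts and the SID are constructed, and the home-directory test is an extra check beyond what the post asks for.

```shell
#!/bin/sh
# Added example: function name, accounts and SID below are constructed.

# check_sftp_user PASSWD_FILE GROUP_FILE USER
# Returns 0 if USER has a passwd entry, its primary gid resolves in the
# group file, and its home directory exists; otherwise 1, 2 or 3.
check_sftp_user() {
    passwd=$1; group=$2; user=$3
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    [ -n "$line" ] || { echo "FAIL: $user is not listed in $passwd"; return 1; }
    gid=$(printf '%s\n' "$line" | cut -d: -f4)     # field 4: primary gid
    home=$(printf '%s\n' "$line" | cut -d: -f6)    # field 6: home directory
    gname=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    [ -n "$gname" ] || { echo "FAIL: gid $gid of $user is not in $group"; return 2; }
    [ -d "$home" ] || { echo "FAIL: home $home of $user does not exist"; return 3; }
    echo "OK: $user group=$gname home=$home"
}

# Demo against constructed files; on the server, pass /etc/passwd /etc/group.
d=$(mktemp -d); mkdir "$d/ftp_here"
printf '%s\n' "bob:unused:1001:1050:Bob:$d/ftp_here:/bin/bash" \
              "joe:unused:1002:1099:Joe:$d/ftp_here:/bin/bash" > "$d/passwd"
printf '%s\n' 'sftp_users:S-1-5-21-0-0-0-1050:1050:' > "$d/group"
check_sftp_user "$d/passwd" "$d/group" bob          # passes all three checks
check_sftp_user "$d/passwd" "$d/group" joe || true  # gid 1099 missing from group
rm -rf "$d"
```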

Comments

  1. It’s a remarkable post for all the web visitors;
    they will obtain benefit from it I am sure.

  2. RScottyH43 says:

    One more thing. [still running as admin] Hmm, so I’ve tried cd’g into /etc/group and /etc/passwd, respectively and I am met with, “-bash: cd: /etc/group: No such file or directory”

    🙁 Will they only exist after creating a group and/or password?

    And one last thing. Just for sanity-sake, here’s a thought: I wish for a group of folks to be able to sftp into the box and use a particular folder/dir. I simply could create a group for them, yes, and then assign the group access to that particular folder, right? So, basically ‘bob’, ‘joe’, and ‘sally’ should be able to sftp and put stuff in folder ‘ftp_here’.

    Thanks in advance.

    • RScottyH43 says:

      Ok. I answered my own question! I now see these files after running mkgroup and mkpasswd. So, now I take it the info contained in these files is pulled from Active Directory?

  3. RScottyH43 says:

    Thanks much for this walk-through!

    Tried different solutions and finally came upon Cygwin, which worked! Although, just a tidbit of info, Cygwin-32 seems to set up as expected vs. Cygwin64, which gave me all sorts of trouble. Also, configuration now asks, “Should StrictModes be used?” Answer ‘yes’, then continue as noted above.

  4. Michael says:

    I am trying to isolate a local user so they can only access their home location with no access to other folders in the root. How can this be done, as I am running into some issues trying to do this?

  5. craig88 says:

    Once you get sftp setup you may encounter these problems:
    1) admin user can login but regular users cannot. Is your server a domain controller? :
    http://serverfault.com/questions/159272/cant-login-to-cygwin-sshd-server-with-a-non-administrator-user-account

    2) allow sftp access but not shell access:
    edit /etc/sshd_config and add per user (or group) force command :
    Match User ftpuser
    ForceCommand /usr/sbin/sftp-server -l INFO

    3) restrict your sftp users to only their own directory
    the standard method is with chrootdirectory but that doesn’t seem to work on cygwin
    I don’t have that many users so I set windows security deny permissions for all directories but their own.

    after all that I was wishing I’d tried out this sftp server:
    http://www.coreftp.com/


  6. Kuldeep:

    Hi ,
    I have edited the password file to point to D:\some_directory.
    But still it is pointing to its old home directory.
    Note: I have tried restarting the service, after editing the password file.
    Please help.
    Regards
    Kuldeep.

  7. Hi ,

    I have edited the password file to point to D:\some_directory.

    But still it is not pointing to its old home directory.

    Note: I have tried restarting the service, after editing the password file.

    Please help.

    Regards
    Kuldeep.

  8. Hi,

    Thanks so much for this “how to”.
    It worked 100% for me.

    Sven

  9. Hello,

    Thank you for posting this tutorial. Well explained. I tried to install SFTP as per your tutorial and am stuck after this:
    ————————-
    Find the Cygwin Bash Shell icon (should be on your Start Menu or Desktop), and right-click to Run As Administrator. You’ll see some initial configurations running, then will be presented with a prompt. At the prompt, enter ssh-host-config to get started.
    —————–

    I got the prompt and entered ssh-host-config and it gave me an error “bash: ssh-host-config: command not found”.

    Am unable to proceed from here. Please help.

    Regards

    SNair007iN

  10. Doesn’t Windows 2008 come with a secure ftp solution out of the usage of IIS? Of course, I know it is supposed to be ftps and not sftp but it would provide a similar solution without the need for cygwin. Don’t get me wrong… I love the usage of cygwin. I use them on my own windows systems to allow me to connect to windows boxes with ssh here at home.
