2

I want to transfer files between two machines over the internet, in a SECURE way. Both machines run Linux (the "server" uses Ubuntu 12 and the "client" uses Mint 14). I DO NOT want to allow ssh to my server, and I want the client to be able to open and read files on the server, but it cannot modify/erase things. The client is allowed to copy files to the server [or create files there] and copy from the server.

I want to share just some directories on my server in the way explained above. Finally, I want to access the files on the client in an easy fashion, like GUI mode or something... not using a shell, but instead using a Windows-like style (as if my remote folder were a local one, but with restricted access as explained above).

Being secure to me means that the connection must be encrypted, and the login could use some private/public key scheme.

What's the best solution for me? I'm trying to find some SFTP configuration that fits my "specification", but the restriction in access is too "peculiar"... I don't even know if SFTP works without allowing ssh.

Thanks very much for any help...

EDIT: Thanks very very much for your help. I really appreciate this! I will evaluate all answers and try to figure out the best solution. For now, I think creating a user that has restricted access/privileges and allowing ONLY this user to do an ultra-secured SSH/SFTP is the best way... "hacks" to avoid ssh really can make things worse (less secure). My question is a little bit confusing because my "logic" was a little disturbed. Now I can see more clearly...

Freiheit
guipy
  • Did you consider sftp? Ok sorry site-to-site VPN then. – Danila Ladner May 07 '13 at 18:55
  • @DanilaLadner Did you read the second-to-last paragraph, which talks about SFTP? – ceejayoz May 07 '13 at 18:58
  • 1
    I want a pony but you can't always get what you want - how about a VPN and some permissions? – Chopper3 May 07 '13 at 19:00
  • 2
    VPN seems like the only sane option here based on what I'm reading but my question is why are you opposed to ssh? It's pretty solid and secure when set up correctly. You can use denyhosts, lock it down a million ways, change default port etc. – egorgry May 07 '13 at 19:05
  • @egorgry: Interesting...it's possible to only allow my client [that will be fixed, same pc always!] to do sftp/ssh on my server? By the way, thanks to you all for helping me... – guipy May 07 '13 at 19:17
  • Sure, quite possible. – Danila Ladner May 07 '13 at 19:39
  • 1
    The question is confusing. Just a tiny bit of research would find that SCP and SFTP are SSH-based programs. Yet your question asks how to "transfer without SSH", and at the same time you say that you are trying to find an SFTP configuration. – ZaSter May 07 '13 at 19:58
  • Please don't crosspost. You've asked this *exact same question* on SuperUser ... – voretaq7 May 07 '13 at 21:30
  • Would Dropbox/Google Drive/SkyCloud/etc. be an option? – Kruug May 07 '13 at 19:02
  • 2
    If you could explain your aversion to [tag:ssh], it may make it easier to suggest an alternative, but [tag:ssh] and [tag:rsync] are likely to be the best possible solution here. – johnsyweb May 07 '13 at 19:11
  • @Johnsyweb: No aversion... I'm just paranoid! :lol: Is there a way to limit the SSH access on my server, and then only my client could do ssh/sftp into it? – guipy May 07 '13 at 19:21
  • @Johnsyweb: It seems that rssh, from the link you've posted, can do part of the job [avoiding ssh login, allow only sftp]. But what about the file restriction access? SFTP can deal with it? Thanks a lot for helping me... – guipy May 07 '13 at 19:42
  • `sftp` will have whatever file restriction access you set up with permissions on the filesystem. You can set up `sftp` such that certain accounts require a public key to log in, and can only access the `sftp` subsystem (not a shell). You might also try `ftps`, which is `ftp`'s encrypted big brother. `ftps`+`chroot` would probably work here. – Darth Android May 07 '13 at 19:44
  • "Is there a way to limit the SSH access on my server, and then only my client could do ssh/sftp into it?" You mean like a key or strong passphrase? A hacky workaround solution is likely to be far less secure than a properly secured SSH install. – ceejayoz May 07 '13 at 21:42
  • Perhaps you're looking for the concept of a "sftp chroot jail"? – Luke May 07 '13 at 21:53
  • See also [Allow SFTP but disallow SSH?](http://serverfault.com/q/354615/126632) – Michael Hampton May 07 '13 at 21:54

8 Answers

4

The good old File Transfer Protocol (FTP) was invented for transferring files. To use it in a secure way, you can use ftps (which is not sftp, but ftp over ssl) or set up a vpn connection for security.

When I search for vsftpd+ssl, this is the first result which seems like a reasonable starting point.

Dennis Kaarsemaker
3

The following is simple and awesome:

```
python -m SimpleHTTPServer 8888
```

This starts a new http file server for the current directory. Suppose there is a file named foo in the current directory; you can download it like this:

```
wget http://your.ip.here:8888/foo
```
nullne co
2

You could set up a WebDAV file system over SSL.

toppledwagon
2

You can use any protocol, even unencrypted and without authentication. All you have to do is sign and encrypt your data before you send it:

```
gpg --armor --local-user senderkey --recipient recipientkey --sign --encrypt cleartextfile
```

If you are paranoid about login possibilities on the target you can use a combination of

  1. some network event (that does not open a connection) which is logged by Netfilter (iptables)
  2. a wget call which is triggered by the logging and gets the file from some web server (the OpenPGP file probably needs to always have the same name then)
Hauke Laging
1

Seems to me you should be able to restrict the user to just sftp by adding a `command="..."` directive to the user's `authorized_keys` file. We're doing that at $work to restrict some user accounts to just rsync.

There's a write-up at http://troy.jdmz.net/rsync/index.html that lays out the process for rsync.

gsiems
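
The `command="..."` restriction described in the answer above can be checked mechanically. The script below is an added example, not code from the answer or the linked write-up: it flags `authorized_keys` entries that lack a forced command or the `no-*` options. The `sftp-server` path (the Debian/Ubuntu location), the `from=` address and the placeholder keys are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag authorized_keys entries that are not locked down.
# Options every transfer-only key should carry (matched case-insensitively).
REQUIRED='no-pty no-port-forwarding no-x11-forwarding no-agent-forwarding'

# Print "LINE: missing ..." for each key that lacks a forced command or a
# required option. Returns 0 only if every key in the file is restricted.
audit_authorized_keys() {
    lineno=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        # The options field is whatever precedes the key-type token.
        opts=$(printf '%s\n' "$line" |
            sed -E 's/(^| )(ssh-[a-z0-9]+|ecdsa-sha2-[^ ]+) .*$//' |
            tr 'A-Z' 'a-z')
        missing=
        case $opts in *'command="'*) ;; *) missing=' command=' ;; esac
        for opt in $REQUIRED; do
            # "restrict" (OpenSSH 7.2+) implies all of the no-* options.
            case ",$opts," in
                *",$opt,"*|*',restrict,'*) ;;
                *) missing="$missing $opt" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$lineno: missing$missing"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample file: key material and addresses are placeholders.
sample_keys() {
cat <<'EOF'
# constructed sample, not real keys
command="/usr/lib/openssh/sftp-server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="203.0.113.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED client@mint
ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTED admin@laptop
command="/usr/lib/openssh/sftp-server",no-pty ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTED backup@host
EOF
}

tmp=$(mktemp)
sample_keys > "$tmp"
audit_authorized_keys "$tmp" || echo "unrestricted keys found"
rm -f "$tmp"
```

A key with no options at all (line 3 of the sample) still gets a full shell, which is the case the forced command is meant to close.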
1

Try WebDAV. It's my favourite protocol for accessing files on my NAS.

Radoo
1

"Is there a way to limit the SSH access on my server, and then only my client could do ssh/sftp into it?"

Sure. A strong password/passphrase or key-based authentication would suffice for this. If you want to further indulge your paranoia, firewall off port 22 except for the IPs that should have access, or add Google Authenticator's one-time-password PAM module for two-factor authentication.

As the industry's gold standard for remote access to servers, properly secured SSH is going to be a lot more secure than a hacky workaround based on the sole requirement of "no SSH".

ceejayoz
1

You can use the HTTPS protocol. This is a simple installation for nginx.

```
apt install nginx
# Create a self-signed certificate and an unencrypted key in /etc/nginx
cd /etc/nginx/ ; openssl req -x509 -newkey rsa:2048 -keyout site.key -out site.crt -days 365 -nodes

vim /etc/nginx/sites-enabled/default
```

```
server {
    listen 443 ssl default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    # Relative paths are resolved against /etc/nginx
    ssl_certificate     site.crt;
    ssl_certificate_key site.key;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
```

```
nginx
```

After this, copy your files to /var/www/html and download them from the server. If you want to restrict access for users, use basic auth. If you want to upload files, you can create a simple PHP script for it.

Quarind