Installing an SFTP server on an Azure Windows VM

Jul 31, 2019

I recently got the task of adding SFTP support to an existing Windows Server machine running on an Azure VM and thought I would share the steps.

There is a great guide at winscp.net which gets us most of the way, paraphrased here:

  • Download the latest OpenSSH for Windows binaries
  • Extract to C:\Program Files\OpenSSH
  • Run install-sshd.ps1 as admin
  • Allow inbound traffic to port 22 (or a custom port):
      New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' `
       -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  • Add the same firewall rule to the Azure VM
  • Start the Windows service OpenSSH SSH Server and configure automatic start

We are now up and running, and you should be able to connect with an existing Windows account. However, you end up in the user's home directory and can browse to e.g. C:, which is probably not what you want.

To restrict members of the group sftpusers to a single folder, we can add the following to C:\ProgramData\ssh\sshd_config:

Match Group sftpusers
    ChrootDirectory c:/sftp
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

If we want to restrict each user to their own subfolder, we can instead add this:

Match User sftpuser
    ChrootDirectory c:/sftp/user
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
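
The Match Group block above only takes effect once the group and the folder exist and sshd has reloaded its configuration. The following is an added example, not part of the original guide, for the group case. It assumes the install path from the steps above, that install-sshd.ps1 registered the service as "sshd", that "sftpuser" is an existing local account, and that SFTP users should get Modify rights on the folder.

```powershell
# Added example; run in an elevated PowerShell session.
# Assumed values: adjust to your environment.
$sshd    = 'C:\Program Files\OpenSSH\sshd.exe'   # extract location from the steps above
$config  = 'C:\ProgramData\ssh\sshd_config'
$group   = 'sftpusers'                           # group named in the Match block
$root    = 'C:\sftp'                             # ChrootDirectory from the Match block
$account = 'sftpuser'                            # placeholder: an existing local account

# Create the local group if it does not exist yet.
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description 'SFTP-only accounts' | Out-Null
}

# Add the account to the group unless it is already a member.
$members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
if ($members.Name -notcontains "$env:COMPUTERNAME\$account") {
    Add-LocalGroupMember -Group $group -Member $account
}

# Create the chroot folder and grant the group Modify rights, inherited by
# files (OI) and subfolders (CI). The Modify level is an assumption; use
# a narrower right such as RX for download-only accounts.
New-Item -ItemType Directory -Path $root -Force | Out-Null
icacls $root /grant "${group}:(OI)(CI)M" | Out-Null

# Syntax-check the edited sshd_config before touching the running service,
# so a typo in the Match block does not take the server offline.
& $sshd -t -f $config
if ($LASTEXITCODE -ne 0) {
    throw 'sshd_config failed validation; the service was not restarted.'
}

# Reload the configuration and make sure the service survives a reboot.
Set-Service -Name sshd -StartupType Automatic
Restart-Service -Name sshd

# Review the resulting state: service status and the inbound firewall rule.
Get-Service -Name sshd | Select-Object Name, Status, StartType
Get-NetFirewallRule -Name sshd | Select-Object Name, Enabled, Direction, Action
```

Afterwards, log in over SFTP as the test account and confirm that the session starts in the chroot folder and that other drives and folders are not reachable.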

Thanks to Falko Timme for the tutorial where this is described.

If you want to use a port other than 22, then in addition to using that port in both firewall rules you also need to uncomment and change this line in sshd_config: # Port 22

That is all, have a good day!