Configuring Bitvise SSH Server for SFTP, SCP, FTPS file transfer

Bitvise SSH Server provides multiple types of secure remote access to Windows. A frequent usage scenario is to configure the SSH Server specifically for file transfer, without exposing the machine to terminal shell, tunneling and other types of access. This tutorial explains step-by-step how to configure Bitvise SSH Server for a primary role as a file transfer server using SFTP, SCP and/or FTPS.

  1. Install Bitvise SSH Server. Do not start it yet.

  2. When you install Bitvise SSH Server, the Easy settings wizard should appear. You can also access Easy settings at any later time by clicking Open easy settings.

    If you have already performed any changes to SSH Server settings, click 'Restore', and then 'Reset settings to default values'.

  3. The first tab of Easy settings is named Server settings. When you are ready for your server to accept connections over the internet, you will need to open this tab and enable the checkbox 'Automatically configure router (requires UPnP)'. You will also need to change the setting 'Open Windows Firewall' to 'Open port(s) to any computer'.

    If you wish to enable FTPS access, you can enable it on this tab. If you plan to use FTPS, see Compatibility with FTPS clients.

    We recommend that you wait with router and firewall settings until you have configured the server and tested your configuration by connecting with an SSH, SFTP and/or FTPS client installed on the same computer, or in your local network.

  4. The next tab of Easy settings is named Windows accounts. This tutorial describes how to configure Bitvise SSH Server for file transfer using virtual accounts. Therefore, disable the checkbox 'Allow login to any Windows account'. This will prevent anyone from logging into your SSH Server using accounts not configured in SSH Server settings.

    To use Bitvise SSH Server with virtual accounts only, do not add any Windows account entries under 'Windows accounts'.

  5. The final tab of Easy settings is named Virtual accounts. Click the 'Add' button to add a virtual account, or use the 'Edit' button to edit an existing virtual account. Edit the virtual account settings as follows:

    • Virtual account name. This is the name that your user will use to log in.

    • Virtual account password. This is the password that your user will use to log in (unless you set up public key authentication).

    • Login allowed. Enable this if the account should be able to connect to your server. You can disable this to prevent access without deleting the account.

    • Allow file transfer. Enable this checkbox to allow SFTP, SCP and FTPS access.

    • Shell access type. For virtual accounts, this is set by default to BvShell. This is a small shell provided by the SSH Server which respects the SSH Server's virtual filesystem settings. You can keep this setting configured to BvShell, or you can set this to No shell access. Important: Do not grant access to Command Prompt, PowerShell, or another shell except BvShell, if you want to restrict the user's filesystem access.

    • Allow port forwarding. Disable this checkbox to prevent the user from accessing other network services over SSH.

    • Virtual filesystem layout. Set this to Limit to root directory to limit the user's access to a single directory and its subdirectories. Set this to Advanced filesystem layout to configure a virtual filesystem for the user through which they can access multiple directory locations on the server.

      To guarantee that your users can access the directories you configure for them, make sure that the Windows account BvSsh_VirtualUsers has Windows filesystem permissions to access those directories. This account is a member of the Users group, so if the Users group has sufficient access, the virtual account will have access as well.

      Note: The BvSsh_VirtualUsers account does not exist until the SSH Server has been started with at least one virtual account configured. The account may also be named differently on your installation. See Q460 in the SSH Server Usage FAQ for more information.

  6. When you are done configuring virtual users, click 'Save changes' to exit Easy settings. You can now start Bitvise SSH Server and try connecting with a file transfer client. We also recommend trying to connect with an SSH terminal client to ensure that users cannot access terminal shell and port forwarding.

  7. Once you have tested your configuration and ensured that it works correctly, click 'Open easy settings' again and edit the router and firewall settings on the 'Server settings' tab to open your server to internet connections.

Having configured Bitvise SSH Server in this way, it will only accept connections from users who know one of the Virtual account usernames and passwords you have defined. The SSH Server will allow these users to only use SFTP or SCP, and none of the other SSH protocol features, and will restrict their file access to each user's root directory, or to their virtual filesystem mount points.

If you installed Bitvise SSH Server on a domain controller, the above steps will not be sufficient. Domain controllers do not have local accounts, so the SSH Server cannot manage a local account to provide the security context for virtual users. In this case, you will need to use the SSH Server's Advanced settings and configure a domain account to provide security context. Consult Configuring groups and accounts to learn more about how Bitvise SSH Server operates, so that you can configure it properly.

File transfer using Windows accounts

If you prefer your users to log in with Windows accounts, the process is nearly identical to the above instructions using virtual accounts. The main differences are:

  • You need to configure Windows account settings entries instead of virtual account entries.
  • You need to actually create the accounts in Windows.
  • You need to grant the accounts Windows filesystem permissions to directories you want them to access.
  • By default, Windows accounts are granted a more powerful Shell access type than virtual accounts. You need to change their Shell access type to BvShell or No shell access if you do not wish these accounts to access files and directories outside the mount points you configure for them in SSH Server settings.

On-upload scripts, actions, and commands

It is possible to configure the SSH Server to run a command or a script after a user completes an upload. To set this up, you need to configure the setting On-upload command, which can be found in Advanced SSH Server settings. The setting can be configured either in an account settings entry for an individual user, or in a group settings entry as a default for multiple users.

In most cases, we suggest you use the On-upload command to run a PowerShell script. The command can be simply:

PowerShell C:\Path\To\OnUploadScript.ps1

We recommend that the script is given no parameters on the command line, but that it instead obtains information from the environment variables provided by the SSH Server. For example:

$env:SSHUPLOADFILE

This is to avoid pitfalls when parsing the command line, which may contain a path under the SSH client's control.

If a PowerShell script does not work, the Start-Transcript cmdlet can help with troubleshooting.

On-upload email notifications

A common use case for the On-upload command is to set up email notifications for completed incoming transfers. We provide the following example PowerShell script, which can be used to send email notifications. The first few lines of the script need to be modified according to your email setup:

OnUploadEmail script

Please note that the file has been renamed to .txt from its original .ps1 extension.