Linux: How to setup an SFTP server
One very common task is to create an sftp account, and some common security practices for sftp accounts include:
- The sftp user has no shell
- The user logs in with ssh keys instead of a password
- The user is jailed to a specific directory and has no access to other directories
My environment is Ubuntu 20.04 LTS, but I believe that with some tweaking this guide will work on other Linux distributions as well. To start we need to create a group to which we will add all future sftp-only users; this makes administration much easier, as we will see next.
# groupadd sftpusers
Then we need to create a directory that we will use to store the files of our sftp users. I highly recommend placing this directory on its own partition, one that can be expanded if needed, and taking regular backups of the files.
# mkdir -p /sftp/jails
Now we need to edit sshd_config to configure how the OpenSSH server will handle users that belong to the sftpusers group. Add the following to the very end of the file and save it.
I will not go into a full explanation of all the parameters; I will describe the most important ones.
- Match group sftpusers: the directives that follow apply to any user who tries to log in and belongs to the group sftpusers
- ChrootDirectory /sftp/jails/%u: chroot-jail the user to the configured directory (%u is the username); the user cannot browse the file system, only his/her own directory
- AuthorizedKeysFile /home/%u/.ssh/authorized_keys: where to look for the user's authorized keys
- PasswordAuthentication no: do not allow password authentication
- Subsystem sftp internal-sftp and ForceCommand internal-sftp: serve sftp with the SFTP server built into sshd, which needs no support files inside the chroot
Match group sftpusers
ChrootDirectory /sftp/jails/%u
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
X11Forwarding no
PasswordAuthentication no
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
ForceCommand internal-sftp
Then restart the OpenSSH server:
# systemctl restart ssh
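Before restarting, it pays to check the edit, since a mistake in sshd_config can lock you out of the server. The script below is an added example, not part of the original guide: it checks textually that the Match group block exists and carries ForceCommand internal-sftp, ChrootDirectory and PasswordAuthentication no, and that no global-only directive such as Subsystem was left after the Match line (everything after a Match line belongs to that block, which is why the guide says to put it at the very end). The config path and group name are parameters I chose; sshd -t -f is the authoritative check and runs only when the script is applied as root.

```shell
#!/bin/sh
# Added example: sanity-check the sftpusers Match block in an sshd_config
# before restarting sshd. Not part of the original guide.
#
# Rules checked:
#   1. a "Match group <group>" line exists
#   2. the lines after it (up to the next Match) form that block, so
#      ForceCommand internal-sftp, ChrootDirectory and
#      PasswordAuthentication no must appear among them
#   3. no global-only directive (Subsystem, Port, ListenAddress, HostKey)
#      appears after the first Match line, since sshd would parse it as
#      part of the block and reject the file

# match_block_lines FILE GROUP -> prints the lines of the Match group block
match_block_lines() {
    awk -v grp="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
        inblock { print }
    ' "$1"
}

# check_sftp_match FILE GROUP -> 0 if the block is well formed, 1 otherwise
check_sftp_match() {
    file=$1
    grp=$2
    grep -Eiq "^[[:space:]]*match[[:space:]]+group[[:space:]]+$grp([[:space:]]|$)" "$file" || {
        echo "no 'Match group $grp' block in $file" >&2; return 1; }
    block=$(match_block_lines "$file" "$grp")
    for want in "ForceCommand internal-sftp" "ChrootDirectory" "PasswordAuthentication no"; do
        printf '%s\n' "$block" | grep -iq "^[[:space:]]*$want" || {
            echo "Match block lacks: $want" >&2; return 1; }
    done
    # any global-only keyword after the first Match line is an error
    awk '
        tolower($1) == "match" { seen = 1; next }
        seen && tolower($1) ~ /^(subsystem|port|listenaddress|hostkey)$/ {
            print "global directive after Match: " $0 > "/dev/stderr"; bad = 1 }
        END { exit bad }
    ' "$file"
}

# apply_sshd_config FILE GROUP -> textual checks, then sshd's own test mode,
# then the restart; run this one as root on the server
apply_sshd_config() {
    check_sftp_match "$1" "$2" && sshd -t -f "$1" && systemctl restart ssh
}

# Usage: sh check_sshd_match.sh /etc/ssh/sshd_config sftpusers
if [ $# -ge 1 ]; then
    check_sftp_match "$1" "${2:-sftpusers}"
fi
```

The textual check is deliberately narrow: it only recognises the block layout used in this guide. Run apply_sshd_config rather than a bare systemctl restart so that a file sshd refuses to parse never reaches the running daemon.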
The SFTP configuration is complete; let's move on to how to create and configure users.
Adding an SFTP user
The user that we want to create is sftpuser1; we will create it with the useradd command.
- -g sftpusers: the user's group
- -s /usr/bin/false: -s defines the shell of the user; for security reasons we set the shell to the false command, which, without going into technical details, means no shell for this user
- -c: a short description for the user
- -m -d /home/sftpuser1: create the home directory for this user at the given path
# useradd -g sftpusers -s /usr/bin/false -c "SFTP User for blah blah blah" -m -d /home/sftpuser1 sftpuser1
Now we have to create the .ssh directory for user sftpuser1:
# cd /home/sftpuser1
# mkdir .ssh
# chmod 700 ./.ssh
# chown sftpuser1: ./.ssh
Then create some directories for putting and getting files:
# mkdir -p /sftp/jails/sftpuser1
# cd /sftp/jails/sftpuser1
# mkdir in
# mkdir out
Now tweak the file rights. In short, this tweaking of the rights is needed to allow jailed logins and to prevent sftp users from accessing each other's files:
# chown root: /sftp/jails/sftpuser1
# chmod 755 /sftp/jails/sftpuser1
# chown sftpuser1:root /sftp/jails/sftpuser1/in
# chown sftpuser1:root /sftp/jails/sftpuser1/out
# chmod 750 /sftp/jails/sftpuser1/in
# chmod 750 /sftp/jails/sftpuser1/out
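The reason for the ownership steps above is a hard rule in sshd: with ChrootDirectory, the jail directory and every component of its path must be owned by root and must not be writable by any group or other user, otherwise the login is refused. The following script is an added example, not from the original guide, that walks the jail path and checks that rule, and then checks that the in and out directories belong to the user. The jail path, the expected owner uid and the directory at which the walk stops are arguments I chose; it assumes GNU stat, as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a jail satisfies
# sshd's ChrootDirectory ownership rule and that the user's in/out
# directories are writable by the user. Assumes GNU stat (Linux coreutils).
#
# check_jail_path JAIL [OWNER_UID] [TOP]
#   JAIL       the ChrootDirectory, e.g. /sftp/jails/sftpuser1
#   OWNER_UID  required owner of every path component (default 0, root)
#   TOP        where the upward walk stops (default /); a test can pass a
#              temporary directory here because /tmp itself is world-writable
check_jail_path() {
    jail=$1
    want_uid=${2:-0}
    top=${3:-/}
    dir=$jail
    while :; do
        [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
        # owner uid and permission bits of this component, e.g. "0 755"
        set -- $(stat -c '%u %a' "$dir")
        uid=$1
        perms=$2
        mode=$(( 0$perms ))        # leading 0 makes the shell parse it as octal
        [ "$uid" = "$want_uid" ] || {
            echo "$dir is owned by uid $uid, sshd requires uid $want_uid" >&2; return 1; }
        [ $(( mode & 022 )) -eq 0 ] || {
            echo "$dir is group- or world-writable (mode $perms)" >&2; return 1; }
        [ "$dir" = "$top" ] && return 0
        parent=$(dirname "$dir")
        # dirname of / is /, so this catches a jail that is not under TOP
        [ "$parent" != "$dir" ] || { echo "reached / without passing $top" >&2; return 1; }
        dir=$parent
    done
}

# check_user_dirs JAIL USER_UID -> in/ and out/ exist and belong to the user,
# so the user can write there even though the jail root is root-owned
check_user_dirs() {
    for sub in in out; do
        d=$1/$sub
        [ -d "$d" ] || { echo "missing $d" >&2; return 1; }
        [ "$(stat -c '%u' "$d")" = "$2" ] || { echo "$d is not owned by uid $2" >&2; return 1; }
    done
}

# Usage on the server (as root): sh check_jail.sh /sftp/jails/sftpuser1 $(id -u sftpuser1)
if [ $# -ge 2 ]; then
    check_jail_path "$1" && check_user_dirs "$1" "$2"
fi
```

If the walk fails on /sftp or /sftp/jails rather than on the user's jail, the fix is the same chown root: and chmod 755 shown above, applied to that parent; a failure that is silent to the client shows up in the server's auth log as a "bad ownership or modes for chroot directory" message.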
The last step is to create ssh keys for this user to allow login. To generate a key you can use ssh-keygen:
# mkdir -p /sftpkeys/sftpuser1
# cd /sftpkeys/sftpuser1
# ssh-keygen -f sftpuser1
This will create the following files:
sftpuser1 sftpuser1.pub
Now we need to add the public key (sftpuser1.pub) to the authorized_keys file in the sftpuser1 home directory:
/home/sftpuser1/.ssh/authorized_keys
# chown sftpuser1: /home/sftpuser1/.ssh/authorized_keys
Testing SFTP connectivity and security.
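Before the manual tests that follow, here is an added example, not part of the original guide, that scripts the step the previous section leaves to the reader, appending sftpuser1.pub to authorized_keys with the ownership and mode sshd expects, and then checks the finished layout of the account. The function names, the home and key paths passed in and the uid argument are my own choices; the key line used in testing is constructed and is not a real credential.

```shell
#!/bin/sh
# Added example, not part of the original guide: install the generated public
# key into the user's authorized_keys and verify the account's layout.
# Assumes GNU stat and a Linux system, with the paths used in the guide
# (/home/<user>/.ssh and /sftpkeys/<user>).

# install_pubkey HOME PUBKEY_FILE UID -> append the key, fix .ssh ownership/modes
install_pubkey() {
    home=$1
    pub=$2
    uid=$3
    # an OpenSSH public key line starts with a key type and a base64 blob;
    # this refuses private keys and stray files pasted by mistake
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pub" ||
        { echo "$pub does not look like an OpenSSH public key" >&2; return 1; }
    mkdir -p "$home/.ssh"
    cat "$pub" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chown -R "$uid" "$home/.ssh"
}

# verify_account HOME UID -> 0 if .ssh and authorized_keys are owned by the
# user, closed to everyone else, and hold at least one key
verify_account() {
    home=$1
    uid=$2
    akf=$home/.ssh/authorized_keys
    [ -f "$akf" ] || { echo "no $akf" >&2; return 1; }
    for p in "$home/.ssh" "$akf"; do
        [ "$(stat -c '%u' "$p")" = "$uid" ] || { echo "$p is not owned by uid $uid" >&2; return 1; }
    done
    [ "$(stat -c '%a' "$home/.ssh")" = "700" ] || { echo "$home/.ssh is not mode 700" >&2; return 1; }
    km=$(stat -c '%a' "$akf")
    # no group or other bits at all on the key file
    [ $(( 0$km & 077 )) -eq 0 ] || { echo "$akf is group/world accessible (mode $km)" >&2; return 1; }
    grep -Eq '^(ssh-|ecdsa-)' "$akf" || { echo "$akf holds no key line" >&2; return 1; }
}

# Usage on the server (as root):
#   sh install_key.sh /home/sftpuser1 /sftpkeys/sftpuser1/sftpuser1.pub $(id -u sftpuser1)
if [ $# -ge 3 ]; then
    install_pubkey "$1" "$2" "$3" && verify_account "$1" "$3"
fi
```

Note that authorized_keys lives in /home/sftpuser1, outside the chroot, which is why the guide's AuthorizedKeysFile directive points there: sshd reads it before the chroot happens, and the user never sees or can edit the file from inside the jail.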
We need to test the following things to ensure that the sftp user was created successfully:
- We can login with the ssh key
# sftp -i /sftpkeys/sftpuser1/sftpuser1 sftpuser1@127.0.0.1
- We cannot login with a password
# sftp sftpuser1@127.0.0.1
sftpuser1@127.0.0.1: Permission denied (publickey).
Connection closed.
- We cannot get a shell
# ssh -i /sftpkeys/sftpuser1/sftpuser1 sftpuser1@127.0.0.1
This service allows sftp connections only.
Connection to 127.0.0.1 closed.
- We cannot browse the file system except our own directory! (jailed)
# sftp -i /sftpkeys/sftpuser1/sftpuser1 sftpuser1@127.0.0.1
Connected to 127.0.0.1.
sftp> ls
in out
sftp> cd /
sftp> ls
in out
sftp> pwd
Remote working directory: /
sftp>
- We can upload/download/delete a file
Upload test:
# touch /root/test.txt
# sftp -i /sftpkeys/sftpuser1/sftpuser1 sftpuser1@127.0.0.1:/in/ <<< $'put /root/test.txt'
Connected to 127.0.0.1.
Changing to: /in/
sftp> put /root/test.txt
Uploading /root/test.txt to /in/test.txt
/root/test.txt
Download test:
# sftp -i /sftpkeys/sftpuser1/sftpuser1 sftpuser1@127.0.0.1:/in/ <<< $'get /in/test.txt .'
Connected to 127.0.0.1.
Changing to: /in/
sftp> get /in/test.txt .
Fetching /in/test.txt to ./test.txt
Delete test:
# sftp -i /sftpkeys/sftpuser1/sftpuser1 sftpuser1@127.0.0.1:/in/ <<< $'rm /in/test.txt .'
Connected to 127.0.0.1.
Changing to: /in/
sftp> rm /in/test.txt .
Removing /in/test.txt
I hope you found this guide easy to follow and to the point, and that it helps you deliver an SFTP server.