How to Install and Use SFTP on Linux Servers

SFTP or SSH File Transfer Protocol is a method for securely transferring data between two computers and more. It's FTP that runs on top of SSH protocol and takes advantage of its security and fully supports its authentication.

Nowadays, it's recommended to use SFTP instead of legacy old FTP or FTP/S protocol. SFTP is secure by default because that is how SSH works. From a security standpoint, SFTP also protects you against password sniffing and man-in-the-middle attack (MiTM).

Just like SSH, SFTP also protects your data integrity using the encryption and cryptographic hash function. Also, it supports multiple secure authentication methods, including password and key-based authentication. Also, it reduces server open port to the outside network, because it's run on the same port as SSH protocol.

Prerequisites

In this guide, you will learn how to set up SFTP Server on a Linux system. Also, you'll learn the basic command of the sftp client.

Below is the current environment for the implementation:

  • A Linux Server - you can use Debian, Ubuntu, CentOS, Fedora, Rocky, or any other Linux distribution.
  • Make sure OpenSSH packages are available on your Linux system.
  • SFTP client - sftp command-line or any GUI client as you preferred.

Verify OpenSSH Packages

To set up an SFTP server, you must have OpenSSH packages installed on your Linux system. Almost all Linux Distribution server has the OpenSSH packages installed by default. But, in case you don't have the OpenSSH package on your system, you can install it from the official repository.

1. To make sure that OpenSSH packages are installed on your Linux system, use the following command.

For Debian or Ubuntu servers, you can use the dpkg command below.

dpkg -l | grep ssh

Below is the output from our Debian system.

ii  libssh2-1:amd64               1.9.0-2                        amd64        SSH2 client-side library
ii  openssh-client                1:8.4p1-5                      amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                1:8.4p1-5                      amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server           1:8.4p1-5                      amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines

The first column 'ii' means the package is installed. The package 'openssh-sftp-server' is installed on the Debian/Ubuntu system.

For RHEL/CentOS/Fedora/Rocky Linux/AlmaLinux users, you can use the rpm command as below.

rpm -qa | grep ssh

Create Group and User

At this step, you will be creating a new group and user for the SFTP server. Users within this group will be allowed to access the SFTP server. And for security reasons, SFTP users cannot access the SSH service. SFTP users only access the SFTP server.

1. Execute the following command to create a new group 'sftpgroup'.

sudo groupadd sftpgroup

2. Create a new user 'sftpuser' using the following command.

sudo useradd -G sftpgroup -d /srv/sftpuser -s /sbin/nologin sftpuser

Detailed options:

  • -G : automatically add the user to the 'sftpgroup'.
  • -d : specify the home directory for the new user.
  • -s : set the default for the new user to '/sbin/nologin', which means the user cannot access the SSH Server.

3. Next, create the password for user 'sftpuser' using the command below.

passwd sftpuser

Type your strong password and repeat, then press 'Enter' to confirm.

Add user and group sftpserver

To add more users, repeat stages number 2 and 3, and most importantly, all SFTP users must be in the group 'sftpgroup' with no shell access through SSH.

Setup Chroot Jail Directory

After creating a new group and user, you must create and configure the chroot directory for SFTP users.

1. For the user 'sftpuser', the new home directory will be at the '/srv/sftpuser'. Execute the command below to create it.

mkdir -p /srv/sftpuser

2. To set up chroot for user 'sftpuser', you must change the ownership of the directory to the user root, but remain the group to read and execute without write access.

Change the ownership of the directory to user 'root' using the following command.

sudo chown root /srv/sftpuser

Give the group permission to read and execute, but not to write.

sudo chmod g+rx /srv/sftpuser

3. Next, create a new 'data' directory inside the '/srv/sftpuser' directory and change the ownership of that 'data' directory to the user 'sftpuser'.

mkdir -p /srv/sftpuser/data
chown sftpuser:sftpuser /srv/sftpuser/data

setup chroot directory jail for stpuser

So far, below details configuration for the SFTP user directory.

  • The directory '/srv/sftuser' is the default home directory.
  • The user 'sftpuser' cannot write to the directory '/srv/sftpuser', but can read inside that directory.
  • The user 'sftpuser' can upload files to the SFTP server at the directory '/srv/sftpuser/data'.

Enable SFTP on SSH Server

To enable the SFTP server on the OpenSSH, you must edit the SSH configuration '/etc/ssh/sshd_config'.

1. Edit the ssh configuration '/etc/ssh/sshd_config' using nano or vim.

sudo nano /etc/ssh/sshd_config

2. Comment the following configuration to disable the standalone 'sftp-server' feature.

#Subsystem      sftp    /usr/lib/openssh/sftp-server

3. Paste the following configuration to the bottom of the line.

Subsystem sftp internal-sftp

Match Group sftpgroup
     ChrootDirectory %h
     X11Forwarding no
     AllowTCPForwarding no
     ForceCommand internal-sftp

Save the configuration and exit.

Detailed configuration:

  • Instead of using the sub-process 'sftp-server', we're using the 'internal-sftp'.
  • The SFTP server enabled for group 'sftpgroup'.

4. To apply a new configuration, restart the ssh service using the command below.

sudo systemctl restart sshd

The SFTP server is ready and accessible, and it's running on the same port as the SSH service.

Access the SFTP Server

On the client-side, we will use the sftp command line, which is installed by default on most Linux Distributions. But, you can also be using another command-line client or GUI FTP client such as FileZilla, Cyberduck, etc.

1. To connect to the SFTP server, execute the sftp command as below.

sftp [email protected]

If your SFTP and/or SSH server running on the custom port, you can use the sftp command as below.

sftp -P PORT [email protected]

Type the password for the 'sftpuser'.

2. Once you are connected to the SFTP server, execute the following command.

Show current path working directory and list all available files and directories.

pwd
ls

Connect to sftpserver with sftp command

3. Upload a local file to the SFTP server on the directory '/', which will result as 'permission denied', because it's the chroot directory.

put /path/to/file/on/local /

4. Upload a local file to the directory '/data/' on the SFTP server. If your configuration is correct, your file will be uploaded to the '/data/' directory.

put /path/to/file1/on/local1 /data/
put /path/to/file2/on/local /data/

Verify read and write to sftpserver

5. Now check available files on the '/data' directory using the following command.

ls /data/

And you will see your file uploaded to the SFTP server.

Listing all files on sftp server

Conclusion

Congratulations! You've successfully configured the SFTP Server on the Linux system. This type of configuration can be applied on most Linux systems with OpenSSH installed on top of it. Also, you've learned how to set up the chroot directory for SFTP users and learned the basic sftp client command.

Share this page:

Suggested articles

2 Comment(s)

Add comment

Comments

By: John at: 2022-04-05 03:05:44

On ubuntu, it is bonehead easy. No need for anything else:

   $ sudo apt install ssh

That's it.  You can make it harder if you like, but it isn't necessary.  That command enables ssh, and scp and sftp-server for all normal users. 

It would be a good idea to install fail2ban to block brute force attempts.

   $ sudo apt install ssh fail2ban

the default fail2ban settings protect ssh on port 22/tcp, so no configuration is necessary.

Once ssh is installed on a Linux workstation and the remote server, we can use almost any Linux file manager with a URL like : sftp://ip/ to access the remote file system.  Some file managers use ssh://ip/ others use something else, but sftp:// is the correct answer. Of course, once ssh is setup and working, we have access to all the other greatness that is ssh dependent ... scp, sftp, rsync, most backup tools, sshfs, x2go (or any NX remote desktop), stunnel, X11-forwarding (run remote GUI applications), and ssh port forwarding which can be used for all sorts of goodness.  vim supports remote editing over ssh too.  There must be 50 other things that ssh makes possible.

ssh is how Unix systems communicate.  Be certain to setup ssh-keys to make all of these connections nearly seamless.  That's 2 commands.

   $ ssh-keygen -t ed25519   $ ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

Only need to create the key once. The public key can be pushed to multiple remote systems/servers/desktops.

 

By: thctlo at: 2022-04-05 11:08:42

Just a tip, article is great.. but you can do this very easy with the package : mysecureshell