I recently had a request to set up SFTP for a customer so that they could manage to set of files transfer within the environment or outside as well.
While setting everything up it seems as though many guides were missing a critical step in some form. So I have taken it upon myself to write a guide to detail my entire process from start to finish.
■Introduction About the SFTP
SFTP stands for SSH File Transfer Protocol. As its name suggests, it’s a secure way to transfer files between machines using an encrypted SSH connection. Despite the name, it’s a completely different protocol than FTP (File Transfer Protocol), though it’s widely supported by modern FTP clients.
In some cases, you might want only certain users to be allowed file transfers and no SSH access. In this tutorial, we’ll set up the SSH daemon to limit SFTP access to one directory with no SSH access allowed on per-user basis.
For FTP setup, please go through with this link.
https://qiita.com/alokrawat050/items/abb814dc9796d7f025b4
So, let's start the SFTP setup.
Step 1:Install OpenSSH-server & SSH
If you have not done so yet, install OpenSSH in server, you can use the following command:
$ sudo apt install openssh-serverYou also need SSH on the system from where you are going to access the SFTP server.
$ sudo apt install sshStep 2:Create SFTP user account
First, we need to create a new user who will be granted only file transfer access to the server.
$ sudo adduser sftp_userYou’ll be prompted to create a password for the account, followed by some information about the user. The user information is optional, so you can press ENTER to leave those fields blank.
Enter new UNIX password: Retype new UNIX password: .....passwd: password updated successfullyYou have now created a new user that we will be granted access to the restricted directory.
In the next step we will create the directory for file transfers and set up the necessary permissions.
Step 3:Creating a Directory for File Transfers
In order to restrict SFTP access to one directory, first, we have to make sure the directory complies with the SSH server’s permissions requirements, which are very particular.
Specifically, the directory itself and all directories above it in the filesystem tree must be owned by root and not writable by anyone else. Consequently, it’s not possible to simply give restricted access to a user’s home directory because home directories are owned by the user, not root.
Here, we’ll create and use /var/sftp/myfolder/data/ as the target upload directory. /var/sftp/myfolder will be owned by root and will not be writable by other users.
The subdirectory /var/sftp/myfolder/data/ will be owned by sftp_user(which we created earlier), so that the user will be able to upload files to it.
First, create the directories.
$ sudo mkdir -p /var/sftp/myfolder/data/Set the owner of /var/sftp/myfolder to root.
$ sudo chown root:root /var/sftp/myfolderGive root write permissions to the same directory, and give other users only read and execute rights.
$ sudo chmod 755 /var/sftp/myfolderChange the ownership on the uploads directory to sftp_user.
$ sudo chown sftp_user:sftp_user /var/sftp/myfolder/data/Here we have done the directory restriction.
So, our sftp_user will use only /data/ from the below path. sftp_user never change the directory.
/var/sftp/myfolder/data/
Step 4:sshd_config Settings
In this step, we’ll modify the SSH server configuration to disallow terminal access for sftp_user but allow file transfer access.
Open the SSH server configuration file by using the below command.
$ sudo nano /etc/ssh/sshd_configor you can do by↓.
$ sudo vi /etc/ssh/sshd_configScroll to the very bottom of the file and append the following configuration snippet:
/etc/ssh/sshd_config
. . .
Port <your_port_number>Match User sftp_userForceCommand internal-sftpPasswordAuthentication yesChrootDirectory /var/sftp/myfolderPermitTunnel noAllowAgentForwarding noAllowTcpForwarding noX11Forwarding noThen save and close the file.[Press:wq + enter]
Here’s what each of those directives do:
●Match User tells the SSH server to apply the following commands only to the user specified. Here, we specify sftp_user.
●ForceCommand internal-sftp forces the SSH server to run the SFTP server upon login, disallowing shell access.
●PasswordAuthentication yes allows password authentication for this user.
●ChrootDirectory /var/sftp/myfolder ensures that the user will not be allowed access to anything beyond the /var/sftp/myfolder directory.
●AllowAgentForwarding no, AllowTcpForwarding no. and X11Forwarding no disables port forwarding, tunneling and X11 forwarding for this user.
In the Match User [user_name], you can also use the group by using the below command.
Match Group [sftp_group]
NOTE: You need to create a new group called, sftp_group.
Step 5:Restart the service
To apply the configuration changes, restart the service.
$ sudo systemctl restart sshdor
$ sudo /etc/init.d/ssh restartYou have now configured the SSH server to restrict access to file transfer only for sftp_user.
Step 6:Open your sftp port in AWS-EC2 security group
If you are using AWS-EC2 instance, then you need to open the port here.
Login into your AWS account.
↓
Go to the services and then click on EC2 menu -> Running Instances.
↓
Go to the your instance.
↓
Open the Security groups.
↓
In the Inbound rules, Edit inbound rules
↓
Please do the following settings
1.Type = Custom TCP
2.Protocol = TCP
3.Port range = your_port(same as set in sshd_config file)
4.Source = You need to whitelist the IP here, if you do not want then set anywhere.
5.Description - optional = You can mention here some useful info.
If you want to see the visuals then please visit this link.
https://qiita.com/alokrawat050/items/abb814dc9796d7f025b4
The last step is testing the configuration to make sure it works as intended.
Step 7:Verifying the Configuration
You can verify it within your terminal and as well as third-party software, such as WinSCP.
Troubleshooting
If you encountered below error then please do the following things.
"no supported authentication methods available server sent: public keyAuthentication Failed"then please run the below command and check the connection again.
sudo service sshd restart(may be this command will run only in ubuntu 20)
Conclusion
You’ve restricted a user to SFTP-only access to a single directory on a server without full shell access. While this tutorial uses only one directory and one user, you can extend this example to multiple users and multiple directories as well.
The SSH server allows more complex configuration schemes, including limiting access to groups or multiple users at once, or even limited access to certain IP addresses.
I hope this article helped you in setting up SFTP server on your Ubuntu.
If you encountered any error then please share it with me.
If this guide has been helpful to you and your team please share it with others!
Thanks & Best Regards,
Alok Rawat
