Secure File Transfer Protocol (SFTP)


SFTP (SSH File Transfer Protocol) is a secure file transfer protocol that runs over SSH. It therefore inherits the full authentication and transport security (encryption and integrity protection) of SSH rather than implementing its own.

System Requirement

Ubuntu 16.04

Step 1 - OpenSSH

First, check that an SSH server is reachable. OpenSSH is installed by default on most Linux systems; confirm it with:

ssh -v localhost

If everything is in order, the verbose output will include these lines:

> debug1: Connecting to localhost [127.0.0.1] port 22.
> debug1: Connection established.

If OpenSSH is not set up, install it, start it, and enable it at boot:

sudo apt update
sudo apt install openssh-server

sudo systemctl restart ssh.service
sudo systemctl enable ssh.service

Step 2 - Create SFTP GROUP and USER

Create a New User

Switch to the root user (the commands below assume a root shell; otherwise prefix them with sudo):

sudo -s

Add a new user:

adduser <UbuntuUsername>

You will be prompted to set a password. Choose a strong one; it can be changed later with passwd.

Create a Group

Next, create a group for SFTP-only users. It is called sftp_group here, but you can name it whatever you want.

sudo groupadd sftp_group

Now add the user to this group (-a appends, so the user keeps any existing groups):

sudo usermod -aG sftp_group <UbuntuUsername>

Step 3 - Configure SFTP / Chroot

A chroot confines a process to one subtree of the filesystem. When sshd chroots an SFTP session, the configured directory becomes the user's / for that session, so the account can only see and touch files and directories inside it and nothing else on the system.

There are two ways to do the access control: per user, or per group.

Locking down per user

We need to limit what the user can reach: an SFTP account with access to the whole filesystem is a serious security hole. To restrict a user to a single directory in which they can add and remove files, follow the steps below.

  1. Create the desired path and directory, for example:

/home/sftp_root/sftp_home

/home/sftp_root is the chroot and must be owned by root. The inner /home/sftp_root/sftp_home can be owned by the user or the user's group, and is where the user will actually read and write files.

  2. Set the permissions on the chroot:

chmod 755 /home/sftp_root

This allows writing only by the owner (root), while everyone else can read and traverse the directory. sshd enforces this: the chroot directory and every parent directory up to / must be owned by root and must not be writable by group or others. If any component violates this, the login is refused and the server log shows "bad ownership or modes for chroot directory".

  3. Set the ownership:

#the chroot itself is owned by the user root and group root.
chown root:root /home/sftp_root

#only sftp_home is handed to the user and their group.
chown <User>:<Usergroup> /home/sftp_root/sftp_home

  4. Lock down the user in the SSH server configuration:

vi /etc/ssh/sshd_config

Find this line (this is the path on Ubuntu; it can differ on other distributions):

Subsystem sftp /usr/lib/openssh/sftp-server

and comment it out:

#Subsystem sftp /usr/lib/openssh/sftp-server

And add this. Everything after a Match line, up to the next Match line or the end of the file, applies only to the matched connections, so the Subsystem line must come before the Match block:

Subsystem sftp internal-sftp

Match User [Your New Username]
    ChrootDirectory /home/sftp_root
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    ForceCommand internal-sftp
    PasswordAuthentication yes

Match User: tells the SSH server to apply the following settings only to the named user.

ChrootDirectory: the directory the user is confined to. It becomes the user's / for the session, and nothing outside it is reachable.

X11Forwarding, AllowTcpForwarding, AllowAgentForwarding: disable X11 forwarding, TCP port forwarding/tunnelling and agent forwarding for this user. Without these, an SFTP-only account could still be used as a pivot into the network behind the server.

ForceCommand internal-sftp: runs the in-process SFTP server no matter what the client asks for, which removes shell access. The in-process server is also what makes the chroot practical, since no sftp-server binary or libraries need to exist inside it.

PasswordAuthentication: allows the user to log in with a typed password. Remove it (or set it to no) if you would rather use SSH public-key authentication, which is considerably safer; the user's authorized_keys is read from their normal home directory, not from inside the chroot.

Restart the SSH server so the change takes effect. It is worth validating the configuration first (sshd has a test mode, -t) and keeping your current session open, because a syntax error in sshd_config will leave you unable to reconnect:

sudo systemctl restart ssh.service
#or
/etc/init.d/ssh restart

Locking down a User Group

Only step 4 differs from locking down a single user. Add this instead:

Subsystem sftp internal-sftp

Match Group sftp_group
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home/sftp_root
    ForceCommand internal-sftp

Note that every member of the group is chrooted into the same /home/sftp_root, so members can see, and within sftp_home modify, each other's files. If that is not wanted, give each member their own chroot directory. AllowAgentForwarding is also worth disabling here, exactly as in the per-user block.
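Before restarting sshd it is worth confirming that the directory layout from steps 1 to 3 actually satisfies the ownership rule sshd enforces, and the group variant above is easier to reason about when each member gets a private chroot. The script below is an added example and is not part of the original guide: check_chroot_path walks a ChrootDirectory up to / and flags any component that is not root-owned or is writable by group or others; make_sftp_chroot builds the /home/sftp_root/sftp_home layout and runs that check; render_match_block prints a Match Group variant that uses sshd's %u token, so each member of sftp_group is confined to /home/sftp_root/<username> instead of one shared directory. The function names and the per-user layout under /home/sftp_root are assumptions; the names sftp_root, sftp_home and sftp_group come from the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide. Helpers for the chroot set-up:
#  - check_chroot_path verifies the rule sshd enforces on ChrootDirectory (the
#    directory and every parent up to / must be root-owned and not group/other
#    writable; otherwise the login fails with
#    "bad ownership or modes for chroot directory").
#  - render_match_block prints a Match Group block that gives each member a
#    private chroot via sshd's %u token.
# Names sftp_root/sftp_home/sftp_group follow the guide; the function names and
# the BASE/<user> layout are assumptions made for this example.

# component_ok UID SYMBOLIC_MODE: 0 if owned by root and not writable by
# group or others. SYMBOLIC_MODE is the ls/stat form, e.g. drwxr-xr-x.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    case $2 in
        ?????w*)    return 1 ;;   # 6th character: group write bit
        ????????w*) return 1 ;;   # 9th character: other write bit
    esac
    return 0
}

# check_chroot_path /abs/path: walk from the path up to / and apply
# component_ok to every component; report each failure on stderr.
check_chroot_path() {
    dir=$1
    case $dir in
        /*) ;;
        *)  echo "ChrootDirectory must be absolute: $dir" >&2; return 1 ;;
    esac
    rc=0
    while :; do
        # stat -c is GNU coreutils (fine on Ubuntu): %u owner uid, %A symbolic mode
        info=$(stat -c '%u %A' "$dir") || return 1
        if ! component_ok "${info%% *}" "${info#* }"; then
            echo "unusable chroot component: $dir (uid ${info%% *}, mode ${info#* })" >&2
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# make_sftp_chroot BASE USER GROUP: create the layout from the guide
# (BASE root-owned 755, BASE/sftp_home owned by USER:GROUP) and verify it.
# Needs root for chown.
make_sftp_chroot() {
    mkdir -p "$1/sftp_home" &&
    chown root:root "$1" && chmod 755 "$1" &&
    chown "$2:$3" "$1/sftp_home" &&
    check_chroot_path "$1"
}

# render_match_block GROUP BASE: print a Match block in which sshd expands %u
# to the login name, so each member is chrooted into BASE/<user> instead of
# sharing one directory. Each BASE/<user> must itself pass check_chroot_path,
# with the member's writable directory created inside it.
render_match_block() {
    printf '%s\n' \
        "Match Group $1" \
        "    ChrootDirectory $2/%u" \
        "    ForceCommand internal-sftp" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no" \
        "    AllowAgentForwarding no" \
        "    PermitTunnel no"
}

# Usage: sh sftp_chroot.sh /home/sftp_root
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "ok: $1 is usable as ChrootDirectory"
    render_match_block sftp_group "$1"
fi
```

Run it as sh sftp_chroot.sh /home/sftp_root (the file name is arbitrary). If the check fails, the offending component and its mode are printed; fix it with chown root:root and chmod 755 on that component before restarting sshd, otherwise logins will be refused with "bad ownership or modes for chroot directory" in /var/log/auth.log. The rendered block is meant to replace the Match Group block above; the per-user directories under /home/sftp_root still have to be created and checked one by one.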