■Introduction to SFTP
SFTP stands for SSH File Transfer Protocol. As its name suggests, it is a way to transfer files between machines over an encrypted SSH connection. Despite the name, it is a completely different protocol from FTP (File Transfer Protocol), although most modern FTP clients support it.
Sometimes you want certain users to be able to transfer files without giving them a shell on the server. In this tutorial, we will configure the SSH daemon so that, on a per-user basis, access is limited to SFTP inside a single directory and no shell is available.
So, let’s start the SFTP setup.
Step 1:Install OpenSSH-server & SSH
If you have not done so yet, install OpenSSH on the server, you can use the following command:
$ sudo apt install openssh-server
On the machine you will connect from, you need the OpenSSH client, which provides the sftp command (the ssh metapackage would also pull in a server, which the client does not need):
$ sudo apt install openssh-client
Step 2:Create SFTP user account
First, we need to create a new user who will be granted only file transfer access to the server.
$ sudo adduser sftp_user
You’ll be prompted to create a password for the account, followed by some information about the user. The user information is optional, so you can press ENTER to leave those fields blank.
Enter new UNIX password:
Retype new UNIX password:
.....
passwd: password updated successfully
You have now created the user who will be granted access to the restricted directory.
In the next step, we will create the directory for file transfers and set up the necessary permissions.
Step 3:Creating a Directory for File Transfers
In order to restrict SFTP access to one directory, we first have to make sure the directory complies with the SSH server's permission requirements for a chroot, which are very particular.
Specifically, the directory itself and every directory above it in the filesystem tree must be owned by root and must not be writable by group or others; sshd refuses the login (logging "bad ownership or modes for chroot directory") if any component breaks this rule. Consequently, it is not possible to simply chroot a user into their home directory as-is, because home directories are owned by the user, not root.
Here, we’ll create and use /var/sftp/myfolder/data/ as the target upload directory. /var/sftp/myfolder will be owned by root and will not be writable by other users.
The subdirectory /var/sftp/myfolder/data/ will be owned by sftp_user(which we created earlier) so that the user will be able to upload files to it.
First, create the directories.
$ sudo mkdir -p /var/sftp/myfolder/data/
Set the owner of /var/sftp/myfolder to root.
$ sudo chown root:root /var/sftp/myfolder
Give root write permissions to the same directory, and give other users only read and execute rights.
$ sudo chmod 755 /var/sftp/myfolder
Change the ownership on the uploads directory to sftp_user.
$ sudo chown sftp_user:sftp_user /var/sftp/myfolder/data/
That completes the directory layout. Once the chroot is in place, sftp_user will see /var/sftp/myfolder as / and the only location they can write to will be /data inside it, which is the following path on the host:
/var/sftp/myfolder/data/
The user cannot move above the chroot root or write anywhere else under it.
Step 4:sshd_config Settings
In this step, we’ll modify the SSH server configuration to disallow terminal access for sftp_user but allow file transfer access.
Open the SSH server configuration file by using the below command.
$ sudo nano /etc/ssh/sshd_config
or with vi:
$ sudo vi /etc/ssh/sshd_config
Scroll to the very bottom of the file and append the following snippet. Every line after a Match line belongs to that Match block until the next Match, so the block must come last (or be followed only by other Match blocks). Port is a global option that is not permitted inside a Match block, which is why it is placed before it; use the same number you will open in the firewall or security group later.
/etc/ssh/sshd_config
Port <your_port_number>
Match User sftp_user
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/myfolder
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
Then save and close the file (in vi: press Esc, type :wq and press Enter; in nano: Ctrl+O, Enter, then Ctrl+X).
Here's what each of those directives does:
●Match User tells the SSH server to apply the directives that follow only to the named user. Here we specify sftp_user.
●ForceCommand internal-sftp forces the SSH server to run its built-in SFTP server on login instead of a shell. Because that server is built into sshd, no binaries or libraries need to exist inside the chroot.
●PasswordAuthentication yes allows password authentication for this user even if it is disabled globally. A password-accepting port exposed to the whole internet will be brute-forced, so pair this with a restricted source address in the firewall, or use key authentication instead.
●ChrootDirectory /var/sftp/myfolder ensures that the user cannot access anything outside /var/sftp/myfolder; the user sees that directory as /.
●PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no and X11Forwarding no disable tun device tunnelling, agent forwarding, TCP port forwarding and X11 forwarding for this user, so the account cannot be used as a pivot into the network even though it has no shell.
Instead of matching a single user, you can match a group, which is easier to maintain once there are several SFTP accounts:
Match Group [sftp_group]
NOTE: The group has to exist first (create it with groupadd) and each SFTP user must be added to it (usermod -aG); the chroot ownership and permission requirements above apply to every member's directory.
Step 5:Restart the service
To apply the configuration changes, restart the service. It is worth checking the configuration syntax first with sudo sshd -t, because a broken sshd_config will stop sshd from starting and can lock you out of the server.
$ sudo systemctl restart sshd
or
$ sudo /etc/init.d/ssh restart
On Ubuntu the unit is named ssh, with sshd as an alias, so both forms work. On releases that start sshd through ssh.socket (22.10 and later), also confirm that the socket listens on the port you chose, since the Port line alone may not be picked up.
You have now configured the SSH server to restrict access to file transfer only for sftp_user.
Step 6:Open your SFTP port in the AWS-EC2 security group
If your server is an AWS EC2 instance, you also need to open the port in its security group.
Login to your AWS account.
↓
Go to the services and then click on the EC2 menu -> Running Instances.
↓
Go to your instance.
↓
Open the Security groups.
↓
In the Inbound Rules, Edit inbound rules
↓
Use the following settings:
1.Type = Custom TCP
2.Protocol = TCP
3.Port range = your_port (the same port set in sshd_config)
4.Source = the IP address or CIDR range your clients connect from, ideally a single /32. Choosing Anywhere (0.0.0.0/0) exposes a password-accepting SFTP port to the whole internet and guarantees brute-force attempts, so only do that if you genuinely have to.
5.Description (optional) = any useful note, such as who the source address belongs to.
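Doing Step 6 from the AWS CLI rather than the console, as an added example that is not part of the original tutorial. The security group id, port and source address are placeholders to replace with your own. The point of the small guard function is to refuse the Anywhere source before any API call is made, because the source restriction on this one rule is all that stands between a password-accepting SFTP port and internet-wide brute forcing.

```shell
#!/bin/sh
# Added example (not from the original page): open the SFTP port in an EC2
# security group with the AWS CLI, refusing to open it to the whole internet.
# sg-0123456789abcdef0, 2222 and 203.0.113.10/32 below are placeholders.
set -eu

# Accept only an explicit CIDR (e.g. a /32 host), never the "Anywhere" source.
allowed_source() {
    case "$1" in
        0.0.0.0/0|::/0|*/0) return 1 ;;                          # anywhere: internet-wide brute force
        */[0-9]|*/[0-9][0-9]|*/[0-9][0-9][0-9]) return 0 ;;      # has an explicit prefix length
        *) return 1 ;;                                           # bare address: make the intent explicit
    esac
}

# Authorize TCP on $port from $cidr in security group $sg. Returns 1 without
# calling the API when the source is too broad.
open_sftp_port() {
    sg=$1; port=$2; cidr=$3
    allowed_source "$cidr" || { echo "refusing to open port $port to $cidr" >&2; return 1; }
    aws ec2 authorize-security-group-ingress \
        --group-id "$sg" \
        --ip-permissions "IpProtocol=tcp,FromPort=$port,ToPort=$port,IpRanges=[{CidrIp=$cidr,Description=SFTP}]"
}

# Usage: ./open-sftp-port.sh sg-0123456789abcdef0 2222 203.0.113.10/32
if [ $# -eq 3 ]; then
    open_sftp_port "$1" "$2" "$3"
fi
```

The call needs AWS credentials with ec2:AuthorizeSecurityGroupIngress on the group; rerunning it for a rule that already exists fails with InvalidPermission.Duplicate, which is harmless.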
The last step is testing the configuration to make sure it works as intended.
Step 7:Verifying the Configuration
You can verify it from your terminal or with a third-party client such as WinSCP. Connect with the sftp command on the port you configured: after authenticating you should land in / (the chroot), see only the data directory, and be able to upload into data but not into / itself. Then attempt a plain ssh login to the same account on the same port: it must be refused with the message "This service allows sftp connections only.", which confirms that ForceCommand is in effect.
Troubleshooting
If your client reports the following error:
"No supported authentication methods available (server sent: publickey)"
the server is offering only public-key authentication to that user, which means the Match block with PasswordAuthentication yes is not in effect yet. Check that the block sits at the end of sshd_config, restart the service with the command below, and try the connection again.
sudo service ssh restart
(The service is called ssh on Ubuntu; if you used sshd in this command and it was not recognized on your release, that is why.)
Conclusion
You've restricted a user to SFTP-only access to a single directory on a server without full shell access. While this tutorial uses only one directory and one user, you can extend this example to multiple users and multiple directories as well. The SSH server allows more complex configuration schemes, including limiting access to groups or multiple users at once, or even restricting access by client address.
I hope this article helped you in setting up an SFTP server on your Ubuntu server.
If you encountered any errors then please share them with me.
If this guide has been helpful to you and your team please share it with others!
Top comments (2)
You may be interested in SFTPGo. Chroot isolation is enabled by default and it has many features not available in the sftp-server included with OpenSSH. SFTPGo can also use an AWS bucket as storage backend (without s3fs or similar hacks)
Thanks for the write-up, always good to see clear instructions. Given AWS was mentioned, it's worth checking out the AWS Transfer Family for SFTP too: aws.amazon.com/aws-transfer-family...