In this post we will see how to use SFTP (Secure File Transfer Protocol) on an Ubuntu Server as a more secure alternative to FTP for transferring files between the server and other clients.

SFTP runs over SSH, which means the connection is encrypted and as safe as an SSH session. The only thing we need in order to use it is an OpenSSH server installed and running; if you already use SSH to access your server, this is probably already done.

Otherwise, follow the previous post about SSH server configuration on an Ubuntu Server.

SSH Permissions

Assuming the SSH server guide has been followed, we already have a number of security measures in place to prevent unauthorized access. Any user account that can SSH into the server can also use the SFTP service.

Each such user can view and download any file on the system they have permission to read, but can only upload and remove files in their own home directory.

SFTP User and Group

If we want a separate account for the SFTP service, kept apart from the existing user accounts, we can create one, e.g. an sftpuser user and a matching sftp group.

We will set up sftpuser (a non-sudo user) so that it can use the SFTP service but, for security reasons, has no SSH shell access to the server.

This user can only view and download the files under /home that they have permission to read, and can only upload and remove files in their own home directory (/home/sftpuser).

We now create the group and the user, with sftp as the user's primary group:

sudo addgroup sftp
sudo useradd -m sftpuser -g sftp

We can now set a new password for the user:

sudo passwd sftpuser

SSH Config

We are going to change the default sshd config file, so it is best to keep a copy of the original in case something goes wrong or you want to go back to the default settings:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

At the end of sshd_config we add a block of directives that applies the permissions described above to the sftp group (it must go at the end, because every line that follows a Match line belongs to that Match block):

Match group sftp
    ChrootDirectory /home
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Restart the SSH daemon for the changes to take effect:

sudo service ssh restart

Test SFTP Access

Let's try connecting as the sftp user to test the connection:

sftp sftpuser@192.168.1.99 # Replace with your server's IP

If you have configured SSH to use a different port (e.g. 44444), specify it with the -P option:

sftp -P 44444 sftpuser@192.168.1.99 # Replace with your server's IP

Output:

Connected to 192.168.1.99.
sftp>

We now have access, as expected.

Close the connection:

sftp> bye