Key takeaways:
SFTP runs file transfers over SSH, so data and credentials are encrypted in transit and the server is identified by its host key.
Create dedicated SFTP users and groups to control access effectively.
Modify SSHD settings so that those users are limited to SFTP and confined to a chroot directory.
Establish connections with the sftp client, verifying the host key fingerprint on first connection and then authenticating as the SFTP user.
The SSH File Transfer Protocol (SFTP) was designed as an extension of the Secure Shell (SSH) protocol version 2 to provide secure file access, transfer, and management over an SSH session. Despite the name, it is not FTP tunnelled through SSH, and it is unrelated to FTPS (FTP over TLS). Transferring files is a fundamental function in any organization. Different transfer protocols exist for this purpose; some prioritize speed and simplicity, while others emphasize security. SFTP is one such protocol that is used to securely access, transfer, and manage large files and sensitive data.
SFTP servers provide enhanced security through several features:
Mandatory encryption: All data, including credentials, is encrypted in transit by the SSH transport, protecting it from interception.
Firewall-friendly transmission: Commands and data share the single SSH port (22 by default), unlike FTP's separate data connections, so firewall rules stay simple.
Host key verification: The client checks the server's host key against a fingerprint it already knows, so a man-in-the-middle cannot impersonate the server. Who may log in is controlled separately by user authentication with a password or an SSH key.
Let's see in detail how to install the SFTP server on Ubuntu:
Step 1 (Check the OpenSSH package): Check whether OpenSSH is already installed:
dpkg -l | grep ssh
If the OpenSSH package is not installed, we can install it using the following command:
sudo apt install openssh-server
After installing it, you can verify whether OpenSSH is installed or not by running the dpkg command again. If ii is shown at the start of the openssh-server line, the package is installed (in dpkg's status column, ii means installed and configured).
Step 2 (SSH Installation): If OpenSSH is not already installed, it can be installed using APT. The ssh metapackage pulls in both the client and openssh-server:
sudo apt install ssh
Step 3 (Setting up a new SFTP user with group membership): Create a dedicated group for SFTP-only accounts, then a user named sftpuser that belongs to it, has its home directory under /srv, and cannot open a shell:
sudo groupadd sftpgroup
sudo useradd -G sftpgroup -d /srv/sftpuser -s /usr/sbin/nologin sftpuser
The -G option adds sftpuser to the supplementary group sftpgroup, the group the SSH daemon configuration will match on. The -d option sets the home directory to /srv/sftpuser (the directory is created in the chroot step), and -s /usr/sbin/nologin assigns a shell that refuses interactive logins, so the account can only be used for file transfer over SSH.
Step 4 (Updating the configuration of SSHD): After installing SSH, we can modify the configuration file of the SSH daemon (sshd), /etc/ssh/sshd_config. The sshd daemon allows users to connect to the server securely over an encrypted connection, protecting data from eavesdropping and tampering. We can use any editor to open the sshd_config file.
In our case, we will use the Nano editor. After opening the file with Nano, add the directives given below at the end of the file. The position matters: every directive that follows a Match line applies only to sessions that match it, so a global setting placed below this block would silently become conditional.
sudo nano /etc/ssh/sshd_config
# Add the below directives at the end of the file:
Match Group sftpgroup
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match Group sftpgroup names the group the SFTP-only users belong to. ChrootDirectory %h confines each matching user to their home directory (/srv/sftpuser for sftpuser); sshd requires that directory, and every directory above it, to be owned by root and not writable by group or others, otherwise the login fails with a "bad ownership or modes for chroot directory" error in the server log. ForceCommand internal-sftp runs the SFTP server inside the sshd process instead of a shell, so no binaries need to exist inside the chroot, and the two forwarding options stop the account from being used as a TCP tunnel or X11 relay.
After adding the directives to the sshd_config file, use the keys below to save the changes and exit Nano:
Ctrl + O: Save the changes (Write Out).
Ctrl + X: Exit Nano.
Step 5 (Restart the SSH service): After updating the configuration file, apply the changes by restarting the SSH service (start has no effect on a service that is already running). Keep an existing SSH session open while you do this, so that a mistake in sshd_config cannot lock you out of the server.
sudo service ssh restart
Before setting a password, confirm that the SFTP group and the restricted user exist. The commands that create them are:
sudo groupadd sftpgroup
sudo useradd -G sftpgroup -d /srv/sftpuser -s /usr/sbin/nologin sftpuser
The -G option adds sftpuser to the supplementary group sftpgroup, which is the group the Match block in sshd_config refers to. The -d option sets the home directory to /srv/sftpuser, and -s /usr/sbin/nologin sets a shell that refuses interactive logins, so the account can transfer files over SSH but cannot get a shell on the server. An account created with a normal shell would get full shell access unless the Match block applies to it, so the group membership and the login shell both matter.
If the group and user were already created in step 3, re-running the commands reports:
groupadd: group 'sftpgroup' already exists
useradd: user 'sftpuser' already exists
Either message confirms that the account is present; nothing is changed.
Step 6 (Setting up an SFTP user password)
Our next step is to set a password for the SFTP user (changing another user's password requires root):
sudo passwd sftpuser
Password authentication is the simplest option; key-based access also works with a chrooted account, because sshd reads the user's authorized keys during authentication, before the chroot is applied to the session.
Step 7 (Setting chroot): Create the user's home directory, which is also the chroot root:
sudo mkdir -p /srv/sftpuser
Use chown to give ownership to root; sshd refuses to chroot into a directory that is not owned by root:
sudo chown root:root /srv/sftpuser
Set permissions so the directory is readable and searchable by everyone but writable only by root (sshd rejects a chroot directory with group or world write permission, and the same rule applies to /srv and /):
sudo chmod 755 /srv/sftpuser
Grant ownership of a subdirectory to sftpuser:
sudo mkdir -p /srv/sftpuser/data
sudo chown sftpuser:sftpgroup /srv/sftpuser/data
This allows the SFTP user to upload files into the data subdirectory, while the chroot root /srv/sftpuser itself stays read-only to them. Inside the session the user sees the chroot as /, so the upload directory appears as /data.
Step 8 (Establish a connection to the Ubuntu SFTP server): Create an SFTP connection with the sftp command, providing the username and the server's hostname or IP address.
sftp sftpuser@127.0.0.1
On the first connection the client shows the server's host key fingerprint (ECDSA or ED25519, depending on the server's configuration) and asks whether to continue. Compare it with the fingerprint obtained on the server itself (for example with ssh-keygen -l on the server's public host key file) before typing yes; the client then records the key in ~/.ssh/known_hosts and warns if it changes later. Next, enter the password that we set for the SFTP user in step 6. Once connected, the user lands in the chroot and sees only / and /data; cd .. does not leave /srv/sftpuser, and any attempt to run a shell command is refused because of ForceCommand internal-sftp.
All the steps in a single file:
# Step 1 (Check the OpenSSH package)
dpkg -l | grep ssh
# Step 2 (SSH Installation)
sudo apt install ssh
# Step 3 (Setting up a new SFTP user with group membership)
sudo groupadd sftpgroup
sudo useradd -G sftpgroup -d /srv/sftpuser -s /usr/sbin/nologin sftpuser
# Step 4 (Updating the configuration of SSHD)
sudo nano /etc/ssh/sshd_config
# Add the below directives at the end of the file:
Match Group sftpgroup
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
# Step 5 (Restart the SSH service)
sudo service ssh restart
# Step 6 (Setting up an SFTP user password)
sudo passwd sftpuser
# New password
# Retype new password
# Step 7 (Setting chroot)
sudo mkdir -p /srv/sftpuser
sudo chown root:root /srv/sftpuser
sudo chmod 755 /srv/sftpuser
sudo mkdir -p /srv/sftpuser/data
sudo chown sftpuser:sftpgroup /srv/sftpuser/data
# Step 8 (Establish a connection to the Ubuntu SFTP server)
sftp sftpuser@127.0.0.1