Build an SFTP Server on Linux

Introduction

In this article, we will build an SFTP server that meets the following conditions:

  • Users can't login via SSH
  • Users can login via SFTP
  • Users can only enter specified directories
  • Users can perform uploading and downloading in specified directories



Environment

GCP Ubuntu 18.04
The commands below are run as root. If you are not root, prefix them with sudo.




Create an SFTP group

  • Create a group

    groupadd sftp-users
  • Make sure the group was created

    grep 'sftp-users' /etc/group



Create SFTP users

  • Create users

    useradd -g sftp-users -d /upload -s /usr/sbin/nologin test

    -g: primary group
    -d: home directory (this path is relative to the chroot set up below, so it becomes /home/sftp-users/test/upload on disk)
    -s: login shell; nologin is the shell commonly assigned to system accounts that are not allowed an interactive login. On Ubuntu the binary lives at /usr/sbin/nologin, and sshd refuses the login if the configured shell does not exist.

  • Make sure the user was created

    grep test /etc/passwd
  • If the user already exists, modify its settings instead

    usermod -g sftp-users -d /upload -s /usr/sbin/nologin test



SSH configuration

  • Open SSH config file

    vim /etc/ssh/sshd_config
  • Comment out the original Subsystem line and add the internal-sftp one below it

    # Subsystem     sftp    /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp
  • Specify the group's root directory

    Match Group sftp-users
    ChrootDirectory /home/sftp-users/%u
    ForceCommand internal-sftp
  • ChrootDirectory: sets the root directory for every user in that group

  • %u: expands to the username, so each user's root directory is named after the user. In this case, the root directory is /home/sftp-users/test

  • ForceCommand: forces the internal-sftp subsystem, so no other command can be run even if a shell were available

  • The Match block above must be placed at the end of the file; otherwise an error occurs, because every directive that follows a Match line is scoped to that match




Directory allowed for uploading and downloading

  • Create the folder the user is allowed to upload to and download from

    install -d -o test -g sftp-users /home/sftp-users/test/upload

    -d: treat the argument as a directory and create it (including missing parents)
    -o: owner
    -g: group

The user is only allowed to upload and download inside this upload folder.
sshd requires that the ChrootDirectory, and every component of its path, be owned by root and be writable by root only. If the chroot directory is not root-owned, or is writable by the group or others, no one in the group can log in.
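The whole procedure above, from group creation to the sshd restart, as one added shell script. This is an added example, not the post's own code; it assumes Ubuntu (so nologin lives at /usr/sbin/nologin and the service is called ssh), GNU sed and stat, and it chooses mode 750 for the upload directory, which the post leaves at install's default. It also carries a path check that mirrors the ownership rule sshd enforces on the chroot, so a bad directory is reported here instead of showing up as a silent "connection closed" at the first login attempt.

```shell
#!/bin/sh
# Added example (not from the original post): the SFTP chroot setup as an
# idempotent script. Run as root:  sh sftp-setup.sh apply test
# Assumptions: Ubuntu (nologin at /usr/sbin/nologin, service name "ssh"),
# GNU stat/sed. The -m 750 on the upload directory is my tightening; the
# post itself leaves install's default mode.

SFTP_GROUP=sftp-users
CHROOT_BASE=/home/$SFTP_GROUP

# A path component is acceptable inside a ChrootDirectory only if it is owned
# by root and writable by nobody else. Arguments are the owner and octal mode
# as printed by `stat -c '%U %a'`.
chroot_component_ok() {
    owner=$1; mode=$2
    [ "$owner" = root ] || return 1
    perm=$(printf '000%s' "$mode" | tail -c 3)   # keep the rwx digits only
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]
}

# Walk /home, /home/sftp-users, /home/sftp-users/test, ... and reject the
# first component that sshd would reject.
check_chroot_path() {
    rest=${1#/}; cur=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        cur="$cur/$comp"
        owner=$(stat -c %U "$cur")
        mode=$(stat -c %a "$cur")
        if ! chroot_component_ok "$owner" "$mode"; then
            echo "unsafe chroot component: $cur (owner $owner, mode $mode)" >&2
            return 1
        fi
    done
}

# Edit sshd_config in place: comment out the distro's sftp-server line,
# switch to internal-sftp right below it, and append the Match block at the
# very end (every directive after a Match line is scoped to that match).
write_sftp_config() {
    conf=$1
    grep -q "^Match Group $SFTP_GROUP" "$conf" && return 0   # already configured
    sed -i "s|^Subsystem[[:space:]]*sftp.*|# &\nSubsystem sftp internal-sftp|" "$conf"
    printf '\nMatch Group %s\n    ChrootDirectory %s/%%u\n    ForceCommand internal-sftp\n' \
        "$SFTP_GROUP" "$CHROOT_BASE" >> "$conf"
}

setup_sftp_user() {
    user=$1
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    if getent passwd "$user" >/dev/null; then
        usermod -g "$SFTP_GROUP" -d /upload -s /usr/sbin/nologin "$user"
    else
        useradd -g "$SFTP_GROUP" -d /upload -s /usr/sbin/nologin "$user"
    fi
    # jail root: root-owned, mode 755; the user sees it as "/"
    install -d -o root -g root -m 755 "$CHROOT_BASE/$user"
    # the only place the user may write; appears as /upload inside the jail
    install -d -o "$user" -g "$SFTP_GROUP" -m 750 "$CHROOT_BASE/$user/upload"
    check_chroot_path "$CHROOT_BASE/$user"
    # useradd leaves the account locked: run `passwd "$user"` before testing
}

if [ "${1:-}" = apply ] && [ -n "${2:-}" ]; then
    setup_sftp_user "$2"
    write_sftp_config /etc/ssh/sshd_config
    sshd -t                       # refuse to restart on a broken config
    systemctl restart ssh
    # show the directives that actually apply to this user
    sshd -T -C "user=$2,host=localhost,addr=127.0.0.1" | grep -iE 'chrootdirectory|forcecommand'
fi
```

`sshd -t` validates the edited file before the service is restarted, and `sshd -T -C user=...` prints the effective configuration for that user, which is the quickest way to confirm the Match block is being applied. The same chroot_component_ok check is what to run when a user in the group is mysteriously disconnected right after authenticating.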




It’s Done!
