Sftp
SFTP is ftp-style file transfer carried over SSH. You do not need an ftp server
running at all. If you've ever used sshfs, that is built on top of sftp.
Documentation
man page: sshd_config(5) https://linux.die.net/man/5/sshd_config
Configuration
SFTP support is built in to sshd.
- Each SFTP user is a real, non-privileged user on the system
- By default, any system user can use SFTP (to anywhere they are allowed to go on the system)
- You can place additional restrictions on specific users, or on users within a group
- If setting a chroot, the chroot (and all directories leading to it) must be owned by root and writable by root only
1. First, we'll create the group sftpusers, and the user studio. The sole purpose of the group is containing users; the sshd_config modifications will target members of this group only.

    groupadd sftpusers                 # SFTP policy will be enforced for this group
    useradd -M -s /bin/nologin studio  # a system user, with no homedir, and using /bin/nologin as their shell
                                       # (on some distros nologin lives at /usr/sbin/nologin or /sbin/nologin)
    usermod -a -G sftpusers studio     # add user 'studio' to 'sftpusers'
2. Now we'll create the chroot directory for the user studio. Every portion of the path must be owned by root, and only writable by root.

    mkdir -p /var/sftpdata/studio    # each user gets their own chroot
    # the full CHROOT path must be owned by root,
    # and must only be writable by root
    chown root:root /var/sftpdata
    chown root:root /var/sftpdata/studio
    # 755, not 700: group/others need r-x to enter the directory, otherwise
    # 'studio' cannot even list or cd inside its own chroot after login
    chmod 755 /var/sftpdata
    chmod 755 /var/sftpdata/studio
3. All of this is owned by root, so the user 'studio' has no write permission anywhere in that tree. So now we'll need to create one or more directories within /var/sftpdata/studio that the user can upload files to:

    mkdir /var/sftpdata/studio/{in,out}
    chown studio:studio /var/sftpdata/studio/{in,out}
    chmod 755 /var/sftpdata/studio/{in,out}
4. Now update your sshd config to force members of sftpusers to use sftp (and disallow them from normal ssh!). ForceCommand alone does not switch off port or X11 forwarding, so those are disabled in the same Match block.

/etc/ssh/sshd_config:

    Match Group sftpusers
        # %u expands to the login name, so this is /var/sftpdata/studio for 'studio'
        ChrootDirectory /var/sftpdata/%u
        # in-process sftp server; needs no binaries inside the chroot
        ForceCommand internal-sftp
        # sftp-only users have no business forwarding ports or X11
        AllowTcpForwarding no
        X11Forwarding no
5. If you'd like to disallow other users from using sftp, that is also configured in /etc/ssh/sshd_config.
6. Restart sshd

    sudo systemctl restart sshd
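The ownership rule from steps 2 and 3 is the usual reason a chrooted login fails ("bad ownership or modes for chroot directory" in the sshd log). As an added check that is not part of the original page or its sources, this script walks every component of a chroot path and reports any that sshd would reject; it assumes GNU or busybox stat -c, and the OWNER and TOP parameters are my additions so the walk can be tried on a scratch tree that is not root-owned.

```shell
#!/bin/sh
# Added example (not from the original page). sshd will only chroot a user if
# every directory from the ChrootDirectory up to / is owned by root and not
# writable by group or others. check_chroot_path applies that rule to each
# component from DIR up to TOP (default /) against OWNER (default uid 0).
# OWNER and TOP are assumptions added here so the check is testable as non-root.

# check_dir DIR [OWNER]: 0 if DIR is owned by OWNER and not group/other-writable
check_dir() {
    d=$1
    w=${2:-0}
    info=$(stat -c '%u %A' "$d" 2>/dev/null) || { printf 'missing: %s\n' "$d"; return 1; }
    uid=${info%% *}      # e.g. "0"
    perms=${info#* }     # e.g. "drwxr-xr-x"
    if [ "$uid" != "$w" ]; then
        printf 'bad owner (uid %s, want %s): %s\n' "$uid" "$w" "$d"
        return 1
    fi
    case $perms in
        ?????w*|????????w*)   # 'w' at position 6 (group) or 9 (others)
            printf 'writable by group/others (%s): %s\n' "$perms" "$d"
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [OWNER] [TOP]: check DIR and every parent up to TOP;
# returns 0 only if all of them pass, so it can gate the sshd restart.
check_chroot_path() {
    dir=$1
    want=${2:-0}
    top=${3:-/}
    case $dir in /*) ;; *) printf 'need an absolute path: %s\n' "$dir"; return 2 ;; esac
    rc=0
    while :; do
        check_dir "$dir" "$want" || rc=1
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break          # stop at / even if TOP was wrong
        dir=$(dirname "$dir")
    done
    [ "$rc" -eq 0 ] && printf 'ok: every component of %s is acceptable\n' "$1"
    return "$rc"
}

# e.g.  sh check_chroot.sh /var/sftpdata/studio && sudo systemctl restart sshd
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```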
Usage
cli

    sftp <user>@<ipaddr>

filezilla

manual setup (password)

    File > Site Manager > New Site:
        Host: localhost
        Port: 22
        Logon Type: Normal
        User: studio
        Password: ****

auto setup (sshkey)

    "C:\Program Files\FileZilla FTP Client\filezilla.exe" ^
        -l keyfile ^
        studio@localhost:2200

python
References
- https://wiki.archlinux.org/index.php/SCP_and_SFTP
- https://www.howtoforge.com/tutorial/how-to-setup-an-sftp-server-on-centos/
- https://unix.stackexchange.com/questions/64523/how-to-configure-sftp-so-it-behaves-like-ftp-chrooting-user-to-his-home-director
- https://www.howtoforge.com/restricting-users-to-sftp-plus-setting-up-chrooted-ssh-sftp-debian-squeeze