Sftp

From wikinotes

SFTP (the SSH File Transfer Protocol) is not FTP tunnelled over SSH; it is a separate file-transfer protocol that runs as a subsystem inside an SSH session, so it inherits SSH's authentication and encryption and you do not need an FTP server running at all. If you've ever used sshfs, that is built on top of SFTP.

Documentation

sshd_config(5) man page: https://linux.die.net/man/5/sshd_config

Configuration

SFTP support is built into sshd (the Subsystem sftp directive, or the in-process internal-sftp server); no extra daemon is involved.

  • Each SFTP user is a real, non-privileged user on the system
  • By default, any system user can use SFTP (to anywhere they are allowed to go on the filesystem)
  • You can place additional restrictions on specific users, or on users within a group, with a Match block
  • If setting a chroot, the chroot directory (and every directory leading to it) must be owned by root and writable by root only: no group or world write bit, or sshd refuses the login with "bad ownership or modes for chroot directory"

1. First, we'll create the group sftpusers and the user studio. The sole purpose of the group is to contain users; the sshd_config changes will target members of this group only.

groupadd sftpusers                          # SFTP policy will be enforced for this group
useradd  -M -s /usr/sbin/nologin studio     # no home directory, no login shell (/sbin/nologin on RHEL-style systems)
usermod  -a -G sftpusers studio             # add user 'studio' to 'sftpusers'
                                            # useradd leaves the account locked: set a password (passwd studio)
                                            # or install an authorized key before testing


2. Now we'll create the chroot directory for the user studio. Every component of the path must be owned by root and writable only by root, but it must stay readable and traversable by the user, or the user will land in a root they cannot even list.

mkdir -p /var/sftpdata/studio   # each user gets their own chroot

# the full CHROOT path must be owned by root,
# and must only be writable by root

chown  root:root  /var/sftpdata
chown  root:root  /var/sftpdata/studio
chmod 755 /var/sftpdata          # not 700: the user needs read+execute on its own
chmod 755 /var/sftpdata/studio   # chroot root to list it and enter subdirectories


3. All of this is owned by root, so the user 'studio' has no write permission anywhere in it. Now create one or more directories within /var/sftpdata/studio that the user can upload files to:

mkdir  /var/sftpdata/studio/{in,out}
chown  studio:studio /var/sftpdata/studio/{in,out}
chmod  755           /var/sftpdata/studio/{in,out}


4. Now update your sshd config to force members of sftpusers into SFTP (and deny them a normal ssh shell). Put the Match block at the end of the file: every directive after a Match line applies only to that match, until the next Match. Leave the global Subsystem sftp line in place; the client's request for the sftp subsystem is matched against it before ForceCommand swaps in the in-process internal-sftp server, so without it the subsystem request fails for everyone. Consider also setting AllowTcpForwarding, AllowAgentForwarding, X11Forwarding and PermitTunnel to no inside the same Match block, otherwise a file-transfer-only account can still forward ports through the server.

/etc/ssh/sshd_config
Match Group sftpusers
    ChrootDirectory /var/sftpdata/%u
    ForceCommand internal-sftp


5. If you'd like to disallow other users from using sftp,

/etc/ssh/sshd_config

6. Check the config and restart sshd. Run sshd -t first: it parses the file and reports errors without restarting, whereas restarting on a broken config can lock you out of the box.

sudo systemctl restart sshd     # the unit is named ssh on Debian/Ubuntu

Usage

cli

sftp  <user>@<ipaddr>

filezilla

manual setup (password)

File > Site Manager:
    New Site:
        Protocol: SFTP - SSH File Transfer Protocol
        Host: localhost
        Port: 22
        Logon Type: Normal
        User: studio
        Password: ****

auto setup (sshkey)

FileZilla's -l / --logontype flag only accepts ask or interactive; it does not take a key file. Configure the private key in the Site Manager (Logon Type: Key file, then the path to the key) or under Edit > Settings > SFTP, then the site can be opened from the command line with an sftp:// URL:

C:\Program Files\FileZilla FTP Client\filezilla.exe ^
    sftp://studio@localhost:2200

python

References