What is an SFTP Server? How to set up SFTP Server on Linux/Unix?
SFTP (SSH File Transfer Protocol) is also called Secure FTP. It is a method for uploading and downloading files over an encrypted connection between two computers, and despite the similar name it is a different protocol from FTP and FTPS. Since SFTP is built upon version 2.0 of the SSH (Secure Shell) protocol, it supports the full functionality of SSH, such as public-key authentication, to provide strong user authentication and secure encrypted communications over any reliable data stream.
Although SSH is the transport used in this context, SSH is also used to carry management traffic over VPNs, and file transfers can alternatively be secured with Transport Layer Security (TLS). SSH is a client-server protocol that provides secure communication. The Internet Engineering Task Force (IETF) developed and adopted SFTP to replace insecure shell protocols in 2006; it is an extension of SSH 2.
FTP is a tool for transferring data between computers. It is no longer popular because it lacks security: the protocol sends sensitive data and credentials in plain text, so anyone who can observe the traffic can steal them. We therefore recommend SFTP in place of FTP, as it is more secure than the simple file transfer protocols (FTP and FTPS): your data is protected by encryption, cryptographic integrity checks, protection against password sniffing, and authentication of both the server and the client.
What are the main advantages of using SFTP over FTP/FTPS?
Companies and organizations use SFTP as part of their security and privacy controls, in proportion to how critical their business data is.
* It supports both public key and password authentication
* It uses a single port (22)
* Speed, Efficiency, Security, and Manageability
* Data exchange
* To meet compliance
This article explains and shows how to set up SFTP on Rocky Linux. You can follow the same instructions on RHEL, CentOS, Fedora, Ubuntu, Debian, etc. The installation command varies depending upon the Linux distribution. Therefore, users of Ubuntu and Debian must make a few changes to the installation command, but the rest of the instructions are the same.
Prerequisites:
Operating System: Rocky Linux / RHEL / CentOS / Fedora
Packages: openssh-server, openssh-clients
User account: root, or a user account with sudo privileges. It is recommended to run all administrative commands with sudo rather than as root.
If you have difficulties setting up sudo users, see the separate article on that topic.
My Lab Setup:
My lab setup consists of two machines. The server runs Rocky Linux, while the client runs Ubuntu 18.04 LTS.
SFTP Server:
Operating System: Rocky Linux release 8.5 (Green Obsidian)
Hostname: ftp01.linuxteck
IP Address: 192.168.1.100
SFTP Client:
Operating System: Ubuntu 18.04.5 LTS
Hostname: john-H81M-WW
IP Address: 192.168.1.200
SFTP client software: a terminal (Linux/Mac) or FileZilla (GUI)
Step 1: Install SSH package
The first step is to install the SSH (OpenSSH) server package; after that we can configure the SSH server. In this section, I'll discuss only the steps necessary to support SFTP over SSH. If SSH isn't already installed on your server, the separate detailed guide "how to install and secure SSH server" will help you set up and harden it.
As a best practice, you should always update your OS to the latest version and install the SSH package afterward.
$ sudo dnf update
Once the OS update is complete, install the openssh-server package by running the following command.
$ sudo dnf install -y openssh-server
The next step is to start, enable, and check the status of the sshd daemon using the following commands.
$ sudo systemctl start sshd
$ sudo systemctl enable sshd
$ sudo systemctl status sshd
Step 2: Create Group and User
For overall security, it is recommended to create dedicated groups and users and then grant those users only the specific rights they need, so that unauthorized access to a service is prevented. This also lets administrators separate roles much more easily: SFTP users and ordinary shell users are clearly distinguished, and each service's owner can identify which part of the service belongs to them. In our example, we'll create a group called "sftpteam" and a user called "linuxteck", using the following commands:
$ sudo groupadd sftpteam
Next, let's run the following command to verify the group.
$ grep sftpteam /etc/group
You can see from the above output that the group "sftpteam" was created. The next step is to create a user named "linuxteck", set a password for it, and add it to the group.
$ sudo useradd -G sftpteam linuxteck
$ sudo passwd linuxteck
Ensure that the username is in the group.
$ grep sftpteam /etc/group
As you can see, we have successfully created a group and a user and assigned that user to the group. When the '-G' option is given to useradd, the user is created and added to the supplementary group in one step; the group must already exist in the "/etc/group" file.
If you want the user's home directory to be somewhere other than the default, use the '-d' option of useradd to set a specific path. For existing users, use the 'usermod' command instead. The syntax is as follows:
$ sudo usermod -d <new directory path> username
Step 3: Configure SSHD for SFTP
Configuring SFTP on top of the SSH protocol offers security benefits, but it also has a downside: by default, SFTP users can browse files and directories outside their home directory (anything the file permissions allow). We must therefore add some conditions to the SSH daemon's config file so that sshd confines SFTP users, which matters most when multiple users connect to the same server.
In order to restrict users from going outside of their home directory, we need to make some changes to the "/etc/ssh/sshd_config" file.
Open the configuration file with "vim or vi", scroll down to the line "Subsystem sftp /usr/libexec/openssh/sftp-server" and comment it out.
Then add the following line, shown in the screenshot below. Both are part of OpenSSH, but internal-sftp runs inside the sshd process itself, so it needs no binaries or libraries inside the chroot and gives better performance than the external sftp-server.
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Here are the entries to be added below the "Subsystem sftp internal-sftp" line, as shown in the following screenshot.
Match group sftpteam
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
From now on, members of the sftpteam group are forced to use internal-sftp, cannot access files outside of their home directories, and cannot open an interactive SSH shell.
Once you've saved the file, restart sshd for the changes to take effect.
$ sudo systemctl restart sshd
Our next step is to set the permissions on the users' home directories. Our demo uses linuxteck as the SFTP user and sftpteam as the SFTP group. According to the OpenSSH man page, when the user's home directory is used as the ChrootDirectory, "all components of the pathname must be owned by root" and must not be writable by any other user or group. Therefore, we need to change the ownership of /home/linuxteck to root.
Before making the change, review the existing permissions on the linuxteck user's home directory so that we can set the correct permissions for our needs.
$ sudo ls -ld /home/linuxteck/
Output: drwx------. 4 linuxteck linuxteck 110 Feb 2 15:36 /home/linuxteck/
We will now set the proper permissions for the "linuxteck" user's home directory.
$ sudo chown root:sftpteam /home/linuxteck/
$ sudo chmod 755 /home/linuxteck/
Recheck the permissions, and you should see the new ownership and mode that allow the user to be chrooted into the directory.
$ sudo ls -ld /home/linuxteck/
Output: drwxr-xr-x. 4 root sftpteam 110 Feb 2 15:36 /home/linuxteck/
Because the chroot directory is now owned by root, the user cannot write into it directly. If you'd like the user "linuxteck" to upload files, create a subfolder and give it the necessary permissions. We will create a folder titled "upload" and make the user its owner.
$ sudo mkdir /home/linuxteck/upload
$ sudo chown linuxteck:sftpteam /home/linuxteck/upload/
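The following script is an added example, not code from the original article: it turns Steps 2 and 3 into idempotent shell functions, checks the chroot ownership rule that sshd enforces, and validates the configuration with `sshd -t` before restarting. It assumes the article's group "sftpteam", user "linuxteck" and the RHEL-family path /etc/ssh/sshd_config (all overridable via environment variables), a GNU userland (`sed -i`, `stat -c`), and root privileges only when invoked with the `apply` argument. Setting the user's password (`passwd linuxteck`) is left to the article's manual step.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): Steps 2 and 3 as reusable functions.
set -u

SFTP_GROUP="${SFTP_GROUP:-sftpteam}"                    # group from the article
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"     # RHEL/Rocky path (assumption)

# Render the Match block the article adds below the Subsystem line.
render_match_block() {
  printf '%s\n' \
    "Match Group $1" \
    "    ChrootDirectory %h" \
    "    X11Forwarding no" \
    "    AllowTcpForwarding no" \
    "    ForceCommand internal-sftp"
}

# sshd's ChrootDirectory rule: owned by root, and not writable by group or others.
# Arguments: owner name and octal mode string (e.g. "755" or "0755"). Returns 0 if OK.
chroot_perms_ok() {
  owner="$1"; mode="$2"
  [ "$owner" = "root" ] || return 1
  case "$mode" in *[2367]?) return 1 ;; esac   # group write bit set
  case "$mode" in *[2367])  return 1 ;; esac   # other write bit set
  return 0
}

# Apply the rule to a real directory (GNU stat assumed).
audit_chroot_dir() {
  chroot_perms_ok "$(stat -c '%U' "$1")" "$(stat -c '%a' "$1")"
}

# Switch sshd_config to internal-sftp and add the Match block, but only once.
ensure_match_block() {
  cfg="$1"; group="$2"
  grep -q "^Match Group ${group}\$" "$cfg" && return 0
  # Comment out the external sftp-server line (path differs between distros).
  sed -i 's|^\(Subsystem[[:space:]][[:space:]]*sftp[[:space:]][[:space:]]*[^[:space:]]*sftp-server\)|#\1|' "$cfg"
  printf '\nSubsystem sftp internal-sftp\n' >> "$cfg"
  render_match_block "$group" >> "$cfg"
}

# Step 2 plus the ownership changes from Step 3 (needs root).
setup_sftp_user() {
  user="$1"; group="$2"
  getent group "$group" >/dev/null || groupadd "$group"
  id -u "$user" >/dev/null 2>&1 || useradd -G "$group" "$user"
  chown root:"$group" "/home/$user"        # chroot must be root-owned
  chmod 755 "/home/$user"                  # and not group/other writable
  mkdir -p "/home/$user/upload"            # writable area inside the chroot
  chown "$user:$group" "/home/$user/upload"
  audit_chroot_dir "/home/$user" || { echo "bad chroot perms on /home/$user" >&2; return 1; }
}

if [ "${1:-}" = "apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 apply" >&2; exit 1; }
  setup_sftp_user linuxteck "$SFTP_GROUP"
  ensure_match_block "$SSHD_CONFIG" "$SFTP_GROUP"
  sshd -t && systemctl restart sshd        # never restart on a config that fails validation
fi
```

Run it as `sudo ./sftp-setup.sh apply`; without the argument the file only defines the functions, so `audit_chroot_dir /home/linuxteck` can be sourced and used on its own to confirm the permissions shown in the article's output above.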
Step 4: Testing SFTP via Linux command line & FileZilla
We've finished setting up SFTP with password authentication. We will first test the SFTP server from the command line and then with a third-party FTP program, using password authentication for both tests. Our client machine runs Ubuntu 18.04, but you may use another distribution of your choice.
As a prerequisite to the SFTP test, let's first try accessing the SSH service as the user "linuxteck". We have already defined in sshd_config that this user gets no shell access, so let's verify that.
$ ssh linuxteck@192.168.1.100
Output: (screenshot in the original article)
In the above screenshot, you can see that the user "linuxteck" does not have permission to access the SSH Services. The next step is to connect to SFTP using the command line method.
$ sftp linuxteck@192.168.1.100
Output: (screenshot in the original article)
The screenshot above shows that the user "linuxteck" can log into SFTP via a command-line interface and view files within permissible folders. However, due to the "chroot" setup as stated above, the user is unable to access files outside his home directory.
Next, we'll try to access the SFTP server with FileZilla. As shown below, launch the FileZilla application and click the Site Manager button on the top right. Click "New Site" and enter your SFTP credentials information including the IP address of the SFTP, then select "SFTP-SSH File Transfer Protocol" and enter your username and password.
Finally, we can connect to the SFTP server via FileZilla and utilize all permitted files and folders as well as upload and download files without any interruptions. Also, we've seen SFTP users unable to access files outside of their home directories due to the chroot permissions set in the sshd_config file.
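As an added example that is not part of the original article, here is a non-interactive version of the command-line test in Step 4: it confirms that the user is refused a shell by ForceCommand (sshd answers with "This service allows sftp connections only."), that the SFTP session is chrooted (sftp's `pwd` reports `/`), and that an upload into the `upload` folder succeeds. It assumes the article's user and server address (overridable via environment variables) and that password or key authentication already works; the batch is piped to `sftp` without `-b` so the password prompt still works.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): automated checks for Step 4.
set -u

SFTP_USER="${SFTP_USER:-linuxteck}"        # from the article
SFTP_HOST="${SFTP_HOST:-192.168.1.100}"    # from the article

# Message sshd sends when ForceCommand internal-sftp is in effect and a shell is requested.
SFTP_ONLY_MSG="This service allows sftp connections only."

# The sftp commands we send (constructed test plan): where am I, what do I see, upload, verify.
sftp_batch_plan() {
  remote_dir="$1"; local_file="$2"
  printf '%s\n' "pwd" "ls -l" "put $local_file $remote_dir/" "ls -l $remote_dir"
}

# Extract the remote working directory from an sftp transcript on stdin.
remote_pwd_from_transcript() {
  sed -n 's/^Remote working directory: //p' | head -n 1
}

# Returns 0 if the captured ssh output shows the shell was refused by ForceCommand,
# rather than by an unrelated failure such as a wrong password.
shell_refused() {
  case "$1" in *"$SFTP_ONLY_MSG"*) return 0 ;; esac
  return 1
}

run_checks() {
  # 1. A shell login must fail, and fail for the right reason.
  if out=$(ssh -o ConnectTimeout=5 "$SFTP_USER@$SFTP_HOST" 2>&1); then
    echo "FAIL: shell login succeeded for $SFTP_USER" >&2; return 1
  fi
  shell_refused "$out" || { echo "FAIL: login refused, but not by ForceCommand: $out" >&2; return 1; }

  # 2. SFTP must work, be chrooted, and accept an upload into upload/.
  tmp=$(mktemp) || return 1
  echo "sftp test $(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$tmp"
  out=$(sftp_batch_plan upload "$tmp" | sftp "$SFTP_USER@$SFTP_HOST" 2>&1) \
    || { echo "FAIL: sftp session failed: $out" >&2; rm -f "$tmp"; return 1; }
  name=$(basename "$tmp"); rm -f "$tmp"

  cwd=$(printf '%s\n' "$out" | remote_pwd_from_transcript)
  [ "$cwd" = "/" ] || { echo "FAIL: remote cwd is '$cwd', expected '/' (chroot not applied?)" >&2; return 1; }
  case "$out" in
    *"$name"*) ;;
    *) echo "FAIL: uploaded file $name not listed in upload/: $out" >&2; return 1 ;;
  esac
  echo "OK: shell refused, session chrooted at /, upload to upload/ succeeded"
}

[ "${1:-}" = "run" ] && run_checks
```

Invoke it as `./sftp-check.sh run` from the client machine; each failure message names the specific expectation that did not hold, which is more useful than reading the screenshots by eye when you re-test after a configuration change.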
Conclusion:
That's it. We hope this article has helped you understand how to configure the SFTP Server in Rocky Linux step by step. Drop me your feedback/comments. Feel free to share this article with others if you like it.