Set up an SFTP server on Ubuntu

This guide will show you how to set up your Ubuntu computer as an SFTP server. This could be on real hardware or on a virtualized server like a Digital Ocean droplet or an OpenShift gear. We used 13.10 to test this tutorial, but it should work fine for 14.04 as well.

Required Software

Install the following packages to get started:

sudo apt-get install openssh-server

Instructions

When making any big config changes it’s always a good idea to back up the file you are changing first. In this case we will modify /etc/ssh/sshd_config, so we want to back it up and then open the original in *insert favourite text editor here (we’ll use nano for this tutorial)*:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/ssh/sshd_config

When you’ve got sshd_config open you need to find and edit the following lines as shown:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

UsePAM yes

# A Match block applies to every directive that follows it until the next
# Match, so keep this block at the end of the file.
Match Group sftp-user
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

You can further restrict access with directives like AllowUsers and/or AllowGroups, but we won’t go into detail about that right now.

When we make changes to sshd_config we have to restart the ssh service for them to take effect:

sudo service ssh restart

Next we have to create the sftp-user group, create the /srv/sftp folder, and set the permissions and ownership of the folder:

sudo groupadd sftp-user
sudo mkdir -p /srv/sftp
sudo chown root:sftp-user /srv/sftp
sudo chmod 755 /srv/sftp

Almost there now. Next we need to create a user who will be able to SFTP into our server, add them to the sftp-user group and give them a password. This user, whom we will call cleared-for-sftp, will not have a shell, and we will set their home directory to /srv/sftp, which they will be placed into when they log in because of the ChrootDirectory %h directive from our sshd_config file above.

sudo useradd cleared-for-sftp -d /srv/sftp -s /bin/false -g sftp-user
sudo passwd cleared-for-sftp

Enter a password for the cleared-for-sftp user and you’re all set. Give your login a try with FileZilla or from the command line with:

sftp cleared-for-sftp@[your-server]

where [your-server] is the IP address or domain name of your server.

Last words

When you check your login you should also double check that the user is restricted to the directory they log into and that the user is not able to log in via ssh and get a shell session. This user should not be able to access your system files. This is a pretty basic setup, and you can further customize it by creating more users and restricting them to their own folders using the Match User directive in sshd_config. If you get the infamous ‘Broken Pipe’ error, make sure that all directories leading up to the sftp-user’s ChrootDirectory are owned by root and only have write privileges for the owner (i.e. all parent folders have permissions no higher than 755).
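The two checks just described, written up as an added shell example that is not part of the original tutorial: one function walks the directory chain above the chroot and flags the ownership and permission mistakes behind the ‘Broken Pipe’ error, the other confirms the account has no usable shell and is in the sftp group. It assumes GNU coreutils (stat -c, readlink -f) and glibc getent; the OWNER and TOP parameters exist only so the check can be exercised on a scratch tree.

```shell
# Added example (not from the original tutorial). Assumes GNU coreutils
# (stat -c, readlink -f) and glibc getent. OWNER/TOP exist only so the
# check can be run on a scratch tree; on a real server pass just the path.

# check_chroot_chain DIR [OWNER] [TOP]
# Walk from DIR up to TOP (default /) and report every directory that is
# not owned by OWNER (default root) or is group-/world-writable: the
# conditions behind the "Broken Pipe" error. Returns 1 if any is found.
check_chroot_chain() {
    dir=$(readlink -f "$1")
    owner=${2:-root}
    top=$(readlink -f "${3:-/}")
    rc=0
    while :; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"
            return 1
        fi
        om=$(stat -c '%U %A' "$dir")   # e.g. "root drwxr-xr-x"
        cur=${om% *}
        perms=${om#* }
        if [ "$cur" != "$owner" ]; then
            echo "$dir: owned by $cur, expected $owner"
            rc=1
        fi
        # 6th character is the group write bit, 9th the world write bit
        case $perms in
            ?????w*|????????w*)
                echo "$dir: $perms is group- or world-writable (max 755)"
                rc=1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_sftp_user USER [GROUP]: the account must exist, use a
# non-interactive shell and belong to GROUP (default sftp-user).
check_sftp_user() {
    entry=$(getent passwd "$1") || { echo "no such user: $1"; return 1; }
    shell=${entry##*:}
    case $shell in
        */false|*/nologin) ;;
        *) echo "$1: login shell is $shell, expected /bin/false"; return 1 ;;
    esac
    id -nG "$1" | tr ' ' '\n' | grep -qx -- "${2:-sftp-user}" ||
        { echo "$1: not in group ${2:-sftp-user}"; return 1; }
}
```

On the server from this tutorial, `check_chroot_chain /srv/sftp && check_sftp_user cleared-for-sftp` should print nothing and exit 0.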

Good luck!
