This guide will show you how to set up your Ubuntu computer as an SFTP server. This could be on real hardware or on a virtualized server like a Digital Ocean droplet or an OpenShift gear. We used 13.10 to test this tutorial but it should work fine for 14.04 as well.
Install the following packages to get started:
sudo apt-get install openssh-server
When making any big config changes it’s always a good idea to back up the file you are changing first. In this case we will modify /etc/ssh/sshd_config so we want to back it up and then open up the original in *insert favourite text editor here (we’ll use nano for this tutorial)*:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/ssh/sshd_config
When you’ve got sshd_config open you need to find and edit the following lines as shown. Note that a Match block applies to every directive that follows it until the next Match, so put it at the end of the file:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
UsePAM yes
Match Group sftp-user
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
You can further restrict access with directives like AllowUsers and/or AllowGroups but we won’t go into detail about that right now.
When we make changes to sshd_config we have to restart the ssh service:
sudo service ssh restart
Next we have to create the sftp-user group, create the /srv/sftp folder, and set the permissions and ownership of the folder:
sudo groupadd sftp-user
sudo mkdir -p /srv/sftp
sudo chown root:sftp-user /srv/sftp
sudo chmod 755 /srv/sftp
Almost there now. Next we need to create a user who will be able to sftp into our server, add them to the sftp-user group and give them a password. This user, who we will call cleared-for-sftp, will not have a shell and we will set their home directory to /srv/sftp, which they will be placed into when they log in because of the ChrootDirectory %h directive from our sshd_config file above.
sudo useradd cleared-for-sftp -d /srv/sftp -s /bin/false -g sftp-user
sudo passwd cleared-for-sftp
Enter a password for the cleared-for-sftp user and you’re all set. Give your login a try with FileZilla or from the command line with:
sftp cleared-for-sftp@[your-server]
where [your-server] is the IP address or domain name of your server.
When you check your login you should also double check that the user is restricted to the directory they log into and that the user is not able to log in via ssh and get a shell session. This user should not be able to access your system files.

This is a pretty basic setup and you can further customize it by creating more users and restricting them to their own folders using the Match User directive in sshd_config.

If you get the infamous ‘Broken Pipe’ error make sure that all directories leading up to the sftp-user’s ChrootDirectory are owned by root and only have write privileges for the owner (i.e. all parent folders have permissions no higher than 755).
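As an added example (not part of the original tutorial), the script below automates the two checks just described: it walks from the ChrootDirectory up to / and fails on any directory that is not root-owned or is group/other writable (the usual cause of the ‘Broken Pipe’ error), and it confirms a user’s passwd entry has a non-interactive shell. The function names are our own, and it assumes GNU stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Verify the chroot prerequisites sshd enforces before it will chroot a
# user: every directory from the ChrootDirectory up to / must be owned
# by root and must not be writable by group or other.

# check_chroot_path DIR [OWNER_UID] [TOP]
# Walks from DIR up to and including TOP (default /) and returns 1 at the
# first directory not owned by OWNER_UID (default 0 = root) or with a
# group/other write bit set. OWNER_UID and TOP are overridable only so
# the check can be exercised on a scratch tree without root.
check_chroot_path() {
    dir=$1
    owner=${2:-0}
    top=${3:-/}
    while :; do
        if [ ! -d "$dir" ]; then
            echo "not a directory: $dir" >&2; return 1
        fi
        # owner uid and octal permission bits, e.g. "0 755" (GNU stat)
        set -- $(stat -c '%u %a' "$dir")
        if [ "$1" != "$owner" ]; then
            echo "wrong owner on $dir: uid $1, want $owner" >&2; return 1
        fi
        # the leading 0 makes the shell parse the mode as octal;
        # 022 masks the group-write and other-write bits
        if [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "group/other writable: $dir (mode $2)" >&2; return 1
        fi
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = "/" ] && return 1   # TOP was not an ancestor of DIR
        dir=$(dirname "$dir")
    done
}

# sftp_only_shell PASSWD_LINE
# Returns 0 when the login shell field of a passwd entry is one that
# cannot start an interactive session, i.e. the account is SFTP-only.
sftp_only_shell() {
    case "${1##*:}" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# On the server built in this guide:
#   check_chroot_path /srv/sftp && echo "chroot path OK"
#   sftp_only_shell "$(getent passwd cleared-for-sftp)" && echo "no shell"
```

Running `sudo sshd -t` afterwards validates the edited sshd_config itself before you restart the service.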