Configure SFTP under Ubuntu to exchange files between Windows and Linux

This article is reproduced from: http://www.linuxidc.com/Linux/2016-11/137037.htm

SSH File Transfer Protocol (SFTP) is a more secure file transfer protocol than ordinary FTP. (Reference: http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol) It runs on top of Secure Shell (SSH), so the files it transfers are encrypted.

Because of work needs, I researched how to configure SFTP on Ubuntu Server, which is documented below.
 
Requirements: Enable the SFTP file service on the server so that certain users can upload and download files. These users may only use SFTP to transfer files; they cannot use an SSH terminal to access the server, and through SFTP they cannot reach system files (the so-called "jail"). System administrators can both use SFTP to transfer files and use SSH to manage the server remotely.
 
For the sake of discussion, I'm assuming that I will allow users within the sftp-users group to use SFTP but not an SSH shell, and that this group of users will be "jailed" (given a modified system root via chroot). I will create a user "alice" inside the sftp-users group. I will allow members of ssh-users to use both SFTP and SSH. The account name of the system administrator is admin.
 
Step 01, if you haven't installed the OpenSSH server yet, install it first.
sudo apt-get install openssh-server
Step 02, create a user group for SFTP access to manage permissions.
sudo addgroup sftp-users
Step 03, create an SFTP user and configure the corresponding permissions. The second line removes alice from all other user groups, adds her to the sftp-users group, and closes her shell access. If you want to learn more about the usermod command, run "man usermod" to view the help documentation.
sudo adduser alice
sudo usermod -G sftp-users -s /bin/false alice

Note: I mistakenly removed my account from my group that day, and I didn't even have sudo permissions any more. Later, I used "usermod -a -G caigan2015 caigan2015" to restore my group and "usermod -a -G sudo caigan2015" to restore sudo privileges.

Step 04, create an SSH user group and add the administrator to it (note that the -a option of usermod means append, so the user is not removed from other user groups).
sudo addgroup ssh-users
sudo usermod -a -G ssh-users admin
Step 05, prepare the root directory and the shared directory of the "jail". To explain: the root directory of the "jail" must meet the following requirements: it is owned by root, and no other user has write permission to it. Therefore, to allow SFTP users to upload files, a shared directory that ordinary users can write to must also be created under the "jail" root directory. To make it easy for administrators to manage uploaded files through SFTP, I configured this shared directory as owned by admin, with read and write access for sftp-users. In this way, both the administrator and the members of the SFTP user group can read and write this directory.
sudo mkdir /home/sftp_root
sudo mkdir /home/sftp_root/shared
sudo chown admin:sftp-users /home/sftp_root/shared
sudo chmod 770 /home/sftp_root/shared
Step 06, modify the SSH configuration file.
sudo nano /etc/ssh/sshd_config
At the end of the sshd_config file, add the following:
AllowGroups ssh-users sftp-users
Match Group sftp-users
ChrootDirectory /home/sftp_root
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
What this means is:
Only allow ssh-users and sftp-users to access the system through SSH;
For sftp-users, add some additional settings: set "/home/sftp_root" as the system root directory for this group of users (so they cannot access other system files outside this directory); disable TCP forwarding and X11 forwarding; and force this group of users to use SFTP only.
 
If you need further details, run "man sshd_config". After this setting, the SSH user group can access SSH without other restrictions, while the SFTP user group can only use SFTP and is locked in the jail directory.
 
Step 07, reboot the system for the new configuration to take effect.
sudo reboot now
