SFTP installation

Reprinted from: https://blog.csdn.net/bbc2005/article/details/80034065

Introduction to SFTP

SFTP is short for Secure File Transfer Protocol. It provides a secure, encrypted way to transfer files over the network, with almost the same syntax and functionality as ftp. SFTP is part of SSH and is a secure way to transfer files to Blogger servers. In fact, the SSH software package already contains a secure file transfer subsystem called SFTP (Secure File Transfer Protocol). SFTP does not have a separate daemon of its own; it must use the sshd daemon (the default port number is 22) to complete the corresponding connection and reply operations, so in a sense SFTP is less like a server program and more like a client program. SFTP also encrypts the authentication information and the transmitted data, so using SFTP is very safe. However, because this transmission method uses encryption and decryption, its transmission efficiency is much lower than ordinary FTP. If you have higher requirements for network security, you can use SFTP instead of FTP. (From Baidu Encyclopedia)

Installation steps

Target

Enable the sftp file service on the Ubuntu system so that certain users can upload and download files. These users can only use sftp to transfer files: they cannot use an SSH terminal to access the server, and they cannot reach system files through sftp. System administrators can use sftp to transfer files and SSH to manage the server remotely.
The steps below allow users in the sftp-users user group to use sftp but not an SSH shell, and users in this group cannot access system files. A user named "sftp" is created in the sftp-users group. Users in the ssh-users user group are allowed to use both sftp and SSH. The system administrator's account name is bbc2005.

Ubuntu system information

Check the system version first:


Check if sftp is installed

On Linux, RedHat systems generally have openssh-client and openssh-server installed by default, so the sftp service is already integrated and there is no need to reinstall it. Ubuntu systems only have openssh-client installed by default, so to use sftp you need to install openssh-server. If openssh-client is already installed on the system, you can uninstall it first and then install openssh-server, to prevent the two versions from being incompatible. Check whether sftp has been installed on this system. If it is not installed, it looks as follows:

Install openssh-client

Generally, openssh-client does not need to be installed separately; it is installed by default when openssh-server is installed.

Install openssh-server

sudo apt-get install openssh-server

Check that the installation is successful:


Create a new user group sftp-users and create a new user sftp

Create a user group for SFTP access to make permission management easier, and create the sftp user:

sudo addgroup sftp-users
sudo adduser sftp


Give sftp authority and create a new user group ssh-users

Remove sftp from all other user groups and add it to the sftp-users group, and turn off its shell access:
sudo usermod -G sftp-users -s /bin/false sftp

Create an SSH user group and add administrators to the group (note that the -a parameter in usermod means not to remove it from other user groups).

sudo addgroup ssh-users
sudo usermod -a -G ssh-users bbc2005

Create and set up sftp user directory

Prepare the root directory of the "jail" and a shared directory inside it. The root directory of the "jail" must meet the following requirements: the owner is root, and no other user can have write permission.
Therefore, to allow sftp users to upload files, a shared directory that ordinary users can write to must be created inside the "jail" root directory.
To make it easy for the administrator to manage uploaded files through sftp, configure this shared directory to be owned by bbc2005 and allow sftp-users to read and write. This way, both the administrator and members of the sftp user group can read and write this directory.

sudo mkdir /home/sftp_root
sudo mkdir /home/sftp_root/shared
sudo chown bbc2005:sftp-users /home/sftp_root/shared

sudo chmod 770 /home/sftp_root/shared
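
The ownership rule above applies to every component of the ChrootDirectory path, and sshd refuses the login when one of them fails it. The following check is an added example, not part of the original post; the function names are hypothetical and `stat -c` assumes GNU coreutils as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against the sshd rule that every
# path component must be owned by root and not writable by group or others.
# Function names are hypothetical; stat -c assumes GNU coreutils (Ubuntu).

# mode_is_safe OCTAL_MODE: returns 0 if neither group nor other may write.
mode_is_safe() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: returns 0 if DIR and all of its parents pass,
# 1 if any component fails (one FAIL line each), 2 if DIR is not a directory.
check_chroot_path() {
    path=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1"; return 2; }
    rc=0
    while :; do
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$owner" != 0 ]; then
            echo "FAIL $path: owner uid $owner, must be root"
            rc=1
        fi
        if ! mode_is_safe "$mode"; then
            echo "FAIL $path: mode $mode is writable by group or others"
            rc=1
        fi
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage on the server from this guide: sh check_chroot.sh /home/sftp_root
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 is usable as ChrootDirectory"
fi
```

The writable shared directory is deliberately not part of the check: only the jail root and its parents have to satisfy the rule.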

Modify SSH configuration file

sudo vi /etc/ssh/sshd_config

At the end of the sshd_config file, add the following:

AllowGroups ssh-users sftp-users
Match Group sftp-users
    ChrootDirectory /home/sftp_root
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

These settings mean:
only members of ssh-users and sftp-users are allowed to access the system through SSH;
for users in sftp-users, some additional settings apply:
"/home/sftp_root" is set as the system root directory for this group of users (so they will not be able to access other system files outside this directory);
TCP forwarding and X11 forwarding are disabled, and users in this group are forced to use SFTP only.
If you need further details, you can use the "man sshd_config" command. With these settings, the SSH user group can use SSH without other restrictions, while the SFTP user group can only use SFTP and is locked in the jail directory.
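
Because AllowGroups shuts out every account outside the two groups, it is worth confirming what sshd will actually apply to an sftp-users member before restarting. The following check is an added example, not part of the original post: the function names are hypothetical, the sample text is constructed, and on a real host the input comes from `sshd -T` with a connection spec for the user.

```shell
# Added example: check the settings sshd would apply to a jailed SFTP user.
# On a real host, validate the file and feed the effective settings in with:
#   sudo sshd -t && sudo sshd -T -C user=sftp,host=localhost,addr=127.0.0.1 \
#       | check_sftp_jail /home/sftp_root

# check_sftp_jail EXPECTED_CHROOT: reads sshd -T style text on stdin and
# returns 0 only if all four restrictions from the Match block are in effect.
check_sftp_jail() {
    awk -v want_root="$1" '
        BEGIN {
            want["chrootdirectory"]    = want_root
            want["forcecommand"]       = "internal-sftp"
            want["allowtcpforwarding"] = "no"
            want["x11forwarding"]      = "no"
        }
        {
            key = tolower($1)
            if (key in want) { val = $0; sub(/^[^ \t]+[ \t]+/, "", val); seen[key] = val }
        }
        END {
            bad = 0
            for (k in want)
                if (seen[k] != want[k]) {
                    printf "FAIL %s: got \"%s\", want \"%s\"\n", k, seen[k], want[k]
                    bad = 1
                }
            exit bad
        }'
}

# Constructed sample: effective settings for a member of sftp-users.
sample_jailed() { cat <<'EOF'
chrootdirectory /home/sftp_root
allowtcpforwarding no
x11forwarding no
forcecommand internal-sftp
EOF
}

# Constructed sample: an account the Match block does not cover.
sample_unjailed() { cat <<'EOF'
chrootdirectory none
allowtcpforwarding yes
x11forwarding no
forcecommand none
EOF
}

sample_jailed | check_sftp_jail /home/sftp_root && echo "jail settings in effect"
```

Keep an existing administrator SSH session open while testing, so a mistake in AllowGroups can still be corrected.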

Restart

Restart the system to make the configuration take effect:


Verify

SFTP client authentication

On the local Windows system, you can connect to the sftp service of the Ubuntu system through an sftp client; WinSCP can be used.

Log in

Enter the IP of the Ubuntu system and the password of the sftp user to log in:

Login successful:

Upload

Select local file upload:

Select the directory to upload:


Upload successful:


Download

Download the just uploaded file to any local directory:

Download successful:

Java code verification

Unfinished. . . . . .

Reference: https://www.linuxidc.com/Linux/2016-11/137037.htm

Origin blog.csdn.net/a13821684483/article/details/122617149