How to install and use SFTP on a Linux server?

SFTP or SSH File Transfer Protocol is a method of securely transferring data between two computers. It is FTP that runs on top of the SSH protocol and takes advantage of its security and fully supports its authentication.

Nowadays, it is recommended to use SFTP instead of the old FTP or FTP/S protocols. SFTP is secure by default because that's how SSH works. From a security perspective, SFTP also protects you from password sniffing and man-in-the-middle attacks (MiTM).

Like SSH, SFTP uses encryption and cryptographic hash functions to protect the integrity of your data. Additionally, it supports multiple secure authentication methods, including password and key-based authentication. Additionally, it reduces the server's open ports to the external network because it runs on the same port as the SSH protocol.

Prerequisites

In this guide, you will learn how to set up an SFTP server on a Linux system. Additionally, you will learn the basic commands of the sftp client.

The following is the current implementation environment:

  • Linux Server - You can use Debian, Ubuntu, CentOS, Fedora, Rocky or any other Linux distribution.
  • Make sure the OpenSSH package is available on your Linux system.
  • SFTP client - sftp command line or any GUI client you prefer.

Verify OpenSSH package

To set up an SFTP server, you must install the OpenSSH package on your Linux system. Almost all Linux distribution servers come with the OpenSSH package installed by default. However, if the OpenSSH package is not available on your system, you can install it from the official repository.

  1. To ensure that the OpenSSH package is installed on your Linux system, use the following command.

For Debian or Ubuntu servers, you can use the dpkg command below.

dpkg -l | grep ssh

Below is the output from our Debian system.

ii  libssh2-1:amd64               1.9.0-2                        amd64        SSH2 client-side library
ii  openssh-client                1:8.4p1-5                      amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                1:8.4p1-5                      amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server           1:8.4p1-5                      amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines

The first column "ii" indicates that the package is installed. The package "openssh-sftp-server", which provides the SFTP subsystem, is installed on Debian/Ubuntu systems.

For RHEL/CentOS/Fedora/Rocky Linux/AlmaLinux users, you can use the following rpm command.

rpm -qa | grep ssh

Create groups and users

In this step, you will create a new group and user for the SFTP server. Users within this group will be allowed to access the SFTP server. And for security reasons, SFTP users cannot access the SSH service. SFTP users can only access the SFTP server.

  1. Execute the following command to create a new group 'sftpgroup'.
sudo groupadd sftpgroup

  2. Create a new user "sftpuser" using the following command.

sudo useradd -G sftpgroup -d /srv/sftpuser -s /sbin/nologin sftpuser

Detailed options:

  • -G : Adds the new user to the supplementary group 'sftpgroup'.
  • -d : Specifies the new user's home directory.
  • -s : Sets the new user's login shell to '/sbin/nologin', which means this user cannot get an interactive shell over SSH.

  3. Next, set a password for user "sftpuser" using the following command.
sudo passwd sftpuser

Enter your strong password and repeat it, then press "Enter" to confirm.

To add more users, repeat steps 2 and 3. Most importantly, every SFTP user must be a member of group 'sftpgroup' and must not have shell access via SSH.

Set up Chroot jail directory

After creating the new group and user, you must create and configure the chroot directory for the SFTP user.

  1. For user 'sftpuser', the new home directory will be at '/srv/sftpuser'. Execute the following command to create it.
sudo mkdir -p /srv/sftpuser

  2. To set up the chroot for user 'sftpuser', you must change the ownership of the directory to user root, while keeping it readable and executable by the group without write permission.

Use the following command to change the ownership of the directory to user "root".

sudo chown root /srv/sftpuser

Grant the group read and execute permissions, but not write.

sudo chmod g+rx /srv/sftpuser

  3. Next, create a new "data" directory within the "/srv/sftpuser" directory and change the ownership of that "data" directory to user "sftpuser".
sudo mkdir -p /srv/sftpuser/data
sudo chown sftpuser:sftpuser /srv/sftpuser/data

So far, the configuration of the SFTP user directory is detailed below.

  • The directory "/srv/sftpuser" is the default home directory.
  • User 'sftpuser' cannot write to the directory '/srv/sftpuser', but can read the contents of the directory.
  • The user ' sftpuser ' can upload files to the SFTP server in the directory ' /srv/sftpuser/data '.

Enable SFTP on the SSH server

To enable the SFTP server on OpenSSH, you must edit the SSH configuration "/etc/ssh/sshd_config".

  1. Use nano or vim to edit the ssh configuration "/etc/ssh/sshd_config".

sudo nano /etc/ssh/sshd_config

  2. Comment out the following configuration to disable the standalone "sftp-server" binary.

#Subsystem      sftp    /usr/lib/openssh/sftp-server

  3. Paste the following configuration at the bottom of the file.
Subsystem sftp internal-sftp

Match Group sftpgroup
     ChrootDirectory %h
     X11Forwarding no
     AllowTCPForwarding no
     ForceCommand internal-sftp

Save the configuration and exit.

Detailed configuration:

  • Instead of the external "sftp-server" binary, the in-process "internal-sftp" subsystem is used; this is what allows the chroot to work without copying any binaries into the jail.
  • The Match block applies only to members of group "sftpgroup".
  • ChrootDirectory %h jails each user in their home directory. sshd only accepts this when every component of that path is owned by root and not writable by group or others; otherwise the login is refused.
  • ForceCommand internal-sftp restricts the session to SFTP, and disabling X11 and TCP forwarding prevents the session from being used as a tunnel.

  4. To apply the new configuration, restart the ssh service using the following command.
sudo systemctl restart sshd

The SFTP server is ready and accessible, running on the same port as the SSH service.

Access SFTP server

On the client side, we will use the sftp command line that is installed by default on most Linux distributions. However, you can also use other command line clients or GUI FTP clients such as FileZilla, Cyberduck, etc.

  1. To connect to the SFTP server, execute the sftp command as shown below.
sftp sftpuser@SERVER-IP

If your SFTP and/or SSH server is running on a custom port, you can use the sftp command as shown below.

sftp -P PORT sftpuser@SERVER-IP

Type the password for "sftpuser".

  2. After connecting to the SFTP server, execute the following commands to display the current working directory and list all available files and directories.

pwd
ls

  3. When uploading a local file to the '/' directory of the SFTP server, 'permission denied' will appear, because '/' is the chroot directory, which is owned by root and not writable by 'sftpuser'.
put /path/to/file/on/local /

  4. Upload the local files to the directory "/data/" on the SFTP server. If your configuration is correct, your files will be uploaded to the "/data/" directory.
put /path/to/file1/on/local1 /data/
put /path/to/file2/on/local /data/

  5. Now use the following command to check the available files in the "/data" directory.
ls /data/

You will see your files uploaded to the SFTP server.

Conclusion

Congratulations! You have successfully configured the SFTP server on your Linux system. This type of configuration can be applied to most Linux systems with OpenSSH installed. Additionally, you learned how to set up a chroot directory for SFTP users and learned basic sftp client commands.

Origin blog.csdn.net/qq_41819851/article/details/131407277