Setup an SFTP server account with sshd
Setting Up a Secure SFTP Server with sshd
SFTP (SSH File Transfer Protocol) provides a secure way to transfer files, often preferred over traditional FTP for its encryption and integration with SSH. This guide will walk you through configuring sshd to create a dedicated SFTP user with restricted access, ensuring secure file transfers while limiting server exposure.
1. Create a Dedicated SFTP User
First, create a new system user specifically for SFTP access. This isolates their privileges from other system users.
sudo adduser sftpuser
Replace sftpuser with your desired username. You'll be prompted to set a password and provide some user information.
2. Configure sshd for SFTP Access
Next, we'll modify the sshd configuration to enable SFTP for our new user and restrict their access.
sudo vim /etc/ssh/sshd_config
Append the following configuration block to the end of the file, ensuring you replace sftpuser with your actual username:
Match User sftpuser
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /home/sftpuser
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
These settings are crucial for security:
- Match User sftpuser: Applies the following directives only to sftpuser.
- ForceCommand internal-sftp: Restricts the user to SFTP operations only, disallowing interactive SSH shell access.
- PasswordAuthentication yes: Allows password-based authentication for this user.
- ChrootDirectory /home/sftpuser: Jails the user within their home directory, preventing access to other parts of the server's file system. This is a critical security measure.
- The last four lines disable various SSH features (tunneling, agent/TCP forwarding, X11 forwarding) to further harden security for this restricted user.
After modifying the configuration, check the syntax with sshd's test mode (sshd -t), then restart the ssh service for the changes to take effect:
sudo systemctl restart ssh
3. Set Correct Directory Permissions
For the ChrootDirectory to function securely, it must adhere to strict ownership and permission requirements: sshd refuses the chroot unless the directory itself (in this case, /home/sftpuser) and every component of its path are owned by root and not writable by any other user or group.
First, change the ownership of the user's home directory to root:
sudo chown root:root /home/sftpuser
Next, set the permissions. This command sets the directory to 755 (rwxr-xr-x), so only root can write to it while sftpuser can still read and enter it:
sudo chmod 755 /home/sftpuser
Important: Because /home/sftpuser is now owned by root and not writable by sftpuser, the SFTP user won't be able to upload files directly to this root directory. To allow file uploads, create a subdirectory within /home/sftpuser that the SFTP user owns:
sudo mkdir /home/sftpuser/files
sudo chown sftpuser:sftpuser /home/sftpuser/files
Now, sftpuser can upload files into /home/sftpuser/files.
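As an added check that is not part of the original guide, the script below reproduces sshd's ChrootDirectory ownership rule on the path you configured: every component from / down to the chroot must be root-owned and not group- or world-writable, which is exactly what "bad ownership or modes for chroot directory" in auth.log complains about. It assumes GNU coreutils stat (-c); the function names are my own.

```shell
#!/bin/sh
# Added check script, not sshd's own code. Mirrors sshd's ChrootDirectory rule:
# every path component must be owned by root (uid 0) and have no g/o write bit.
# Assumes GNU coreutils stat.

# Check one directory. Usage: check_chroot_component DIR [OWNER_UID]
# Returns 0 if DIR is owned by OWNER_UID (default 0 = root) and is not
# group- or world-writable; prints a FAIL line for each violation otherwise.
check_chroot_component() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    set -- $(stat -c '%u %a' "$dir")   # uid and octal mode, e.g. "0 755" or "0 1777"
    uid=$1
    mode=$2
    perm=${mode#"${mode%???}"}         # last three octal digits (drops setuid/setgid/sticky)
    grp=${perm%?}; grp=${grp#?}        # group digit
    oth=${perm#??}                     # other digit
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid"; rc=1
    fi
    case $grp in 2|3|6|7) echo "FAIL $dir: group-writable (mode $mode)"; rc=1;; esac
    case $oth in 2|3|6|7) echo "FAIL $dir: world-writable (mode $mode)"; rc=1;; esac
    return $rc
}

# Walk from the chroot up to / and check every component, as sshd does.
# Usage: check_chroot_path /absolute/chroot/dir [OWNER_UID]; returns the number of bad components.
check_chroot_path() {
    case $1 in /*) ;; *) echo "FAIL $1: chroot path must be absolute"; return 2;; esac
    p=$1
    bad=0
    while :; do
        check_chroot_component "$p" "${2:-0}" || bad=$((bad + 1))
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    [ "$bad" -eq 0 ] && echo "OK: $1 satisfies sshd's chroot ownership rules"
    return $bad
}

# Example: sh check_chroot.sh /home/sftpuser
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as root against the directory named in your ChrootDirectory line; any FAIL line is the component to fix with chown root:root or chmod 755 before retrying the SFTP login.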
4. Test Your SFTP Connection
To verify your setup, attempt to connect using an SFTP client (e.g., from your local machine's terminal):
sftp sftpuser@your_server_address
Replace your_server_address with your server's IP address or hostname. You should be prompted for sftpuser's password. Once connected, try navigating to the files directory and uploading a test file.
5. Troubleshooting
If you encounter issues connecting, the auth.log is the first place to check for errors:
tail -f /var/log/auth.log
This log will often provide specific reasons for connection failures, such as permission issues or incorrect sshd_config directives.