Want to set up an SFTP server on Ubuntu? SFTP allows for a more secure transfer of files between the SFTP host and client machines. As you may already know, plain FTP is inherently insecure, so most implementations are SFTP.
An even more secure setup is to enable chroot. A chroot isolates applications from the rest of your computer by putting them in a jail.
When you enable chroot on a user account, that account is isolated and can only access its directory and files and nowhere else.
This brief tutorial will show students and new users how to set up SFTP on Ubuntu 16.04 / 17.10 and 18.04 with chroot enabled on Ubuntu home directories.
To get started, continue with the steps below.
Install OpenSSH Server
If you haven’t installed the OpenSSH server, run the commands below to install it.
sudo apt update
sudo apt install openssh-server
After installing, the commands below can stop, start, and enable the service to start when the server boots.
sudo systemctl stop ssh.service
sudo systemctl start ssh.service
sudo systemctl enable ssh.service
Configure SFTP
Now that OpenSSH Server is installed, open its default configuration file by running the commands below.
sudo nano /etc/ssh/sshd_config
Then edit the file and change the Subsystem line shown below. Add a # before the existing Subsystem line, then add the new Subsystem line below it to enable SFTP. This will change the subsystem to internal-sftp only.
# override default of no subsystems
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Next, add the lines below at the end of the file or just below the Subsystem line above.
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp
Save the file and exit.
After editing the file, run the commands below to restart OpenSSH Server.
sudo systemctl restart ssh.service
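sshd only accepts a ChrootDirectory whose every path component is a root-owned directory that is not writable by group or others; otherwise chrooted logins are rejected. The script below is an added example, not part of the original tutorial, that checks those rules for a path such as /home; the function names check_dir and check_chroot_path are made up for this sketch.

```shell
#!/bin/sh
# Added example: verify the ownership/mode rules sshd enforces on a chroot path.
# check_dir and check_chroot_path are names invented for this sketch.

# check_dir DIR UID: DIR must be a directory owned by UID and must not be
# writable by group or others.
check_dir() (
    set -f                                  # no globbing while splitting ls output
    dir=$1 want_uid=$2
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory" >&2; exit 1; }
    # ls -ldn fields: mode, link count, numeric uid, numeric gid, ...
    set -- $(ls -ldn -- "$dir")
    mode=$1 owner=$3
    [ "$owner" = "$want_uid" ] ||
        { echo "FAIL $dir: owner uid $owner, expected $want_uid" >&2; exit 1; }
    case $mode in
        d????w*|d???????w*)                 # group-write or other-write bit set
            echo "FAIL $dir: writable by group or others ($mode)" >&2; exit 1 ;;
    esac
    echo "ok   $dir ($mode, uid $owner)"
)

# check_chroot_path PATH [UID]: apply check_dir to PATH and every parent
# directory up to /. UID defaults to 0 (root), which is what sshd requires.
check_chroot_path() (
    path=$1 uid=${2:-0} rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: must be an absolute path" >&2; exit 1 ;;
    esac
    while :; do
        check_dir "$path" "$uid" || rc=1
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    exit "$rc"
)

# Run as: sh check_chroot.sh /home
[ "$#" -eq 0 ] || check_chroot_path "$@"
```

Before restarting the service, `sudo sshd -t` checks sshd_config for errors, which helps avoid locking yourself out of a remote server with a broken configuration.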
Create SFTP Group
Now that you have defined your SFTP settings and set them to match the sftp_users group, create the sftp_users group, then add the users you want to restrict via chroot. To create the group, run the commands below.
sudo groupadd sftp_users
Now add any user to the group by running the commands below.
sudo usermod -aG sftp_users richard
Replace user richard with your Ubuntu account name. This will add the user to the sftp_users group you created above.
That’s it! Your system should be configured for secure SFTP for your users.
Users can securely use their favorite FTP client, such as FileZilla, to connect to the server via the SFTP protocol. Users will be restricted to their directories and nowhere else.
Make sure to select the SFTP connection type in FileZilla.

When you connect, you’ll be prompted to accept the server key. Accept it and continue.

Connect and use the SFTP service.

Enjoy!
Great article – many thanks
A quick question, all users have access to their private sftp directory, how do you enable all of them to a shared directory?
This is missing that you have to set the user to be owned by root, and you need to change the login to /bin/false. You can do all of that and create a new user and assign them to the group all in one command:
—Note: where it says “username”, enter the name of the new user you want to create and assign them to the group—
sudo useradd -g sftponly -s /bin/false -m -d /home/username username
The -g sftponly option will add the user to the sftponly group.
The -s /bin/false option sets the user’s login shell. By setting the login shell to /bin/false the user will not be able to login to the server via SSH.
The -m -d /home/username options tell useradd to create the user home directory.
Connection refused …
Thanks!
Well explained, thanks. Worked 100% first time which is pretty rare these days 🙂
Perhaps you could elaborate a bit, by adding keys to the process instead of passwords.
Your first command ‘sudo update’ isn’t a valid command. I believe you mean ‘sudo apt-get update’
Thanks, updated
Works great. But I didn’t do my homework and I changed /etc/ssh/sshd_config without thinking. Now I can’t connect to the server again. I don’t have physical access… wat do? Seriously though, I’m in trouble now.
OK, used these settings but my ssh with ssh key stopped working. Any idea what can be wrong?
Hi, I can’t connect to the server, and in the sshd_config file my first line isn’t the same as yours and I can’t find the text of your first line in any other, so I’m a bit lost.
I’ve done all the rest of the steps.