SFTP stands for SSH File Transfer Protocol. As its name suggests, it is a secure way to transfer files between machines using an encrypted SSH connection. Despite the name, it is a completely different protocol than FTP (File Transfer Protocol), though it is widely supported by modern FTP clients.
SFTP is available by default with no additional configuration on all servers that have SSH access enabled. It is secure and easy to use, but comes with a disadvantage: in a standard configuration, the SSH server grants file transfer access and terminal shell access to all users with an account on the system.
In some cases, you might want only certain users to be allowed file transfers and no SSH access. In this tutorial, we'll set up the SSH daemon to limit SFTP access to one directory with no SSH access allowed, on a per-user basis.
To follow this tutorial, you'll need access to an Ubuntu 18.04 server. This server should have a non-root user with sudo privileges, as well as a firewall enabled. For help with setting this up, follow our Initial Server Setup Guide for Ubuntu 18.04.
Step 1 — Creating a New User
First, create a new user who will be granted only file transfer access to the server. Here, we're using the username sammyfiles, but you can use any username you like.
- sudo adduser sammyfiles
You'll be prompted to create a password for the account, followed by some information about the user. The user information is optional, so you can press ENTER to leave those fields blank.
You have now created a new user that will be granted access to the restricted directory. In the next step we will create the directory for file transfers and set up the necessary permissions.
Step 2 — Creating a Directory for File Transfers
In order to restrict SFTP access to one directory, we first have to make sure the directory complies with the SSH server's permissions requirements, which are very particular.
Specifically, the directory itself and all directories above it in the filesystem tree must be owned by root and not writable by anyone else. Consequently, it's not possible to simply give restricted access to a user's home directory, because home directories are owned by the user, not root.
Note: Some versions of OpenSSH do not have such strict requirements for the directory structure and ownership, but most modern Linux distributions (including Ubuntu 18.04) do.
There are a number of ways to work around this ownership issue. In this tutorial, we'll create and use /var/sftp/uploads as the target upload directory. /var/sftp will be owned by root and will not be writable by other users; the subdirectory /var/sftp/uploads will be owned by sammyfiles, so that user will be able to upload files to it.
First, create the directories.
- sudo mkdir -p /var/sftp/uploads
Set the owner of /var/sftp to root.
- sudo chown root:root /var/sftp
Give root write permissions to the same directory, and give other users only read and execute rights.
- sudo chmod 755 /var/sftp
Change the ownership on the uploads directory to sammyfiles.
- sudo chown sammyfiles:sammyfiles /var/sftp/uploads
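The ownership and mode rules above are exactly what sshd checks before it will chroot a session; if any component of the path is wrong, the login is refused and the auth log records "bad ownership or modes for chroot directory". The following script is an added example, not part of the original tutorial: it walks from a target directory up to / and reports the first component that is not root-owned or is group- or world-writable, which is a quicker way to find the offending directory than reading the log. It relies on GNU stat (the coreutils version Ubuntu ships), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check that a path meets
# sshd's ChrootDirectory rules. Every component from the directory up to and
# including / must be owned by root and must not be group- or world-writable;
# otherwise sshd refuses the login with "bad ownership or modes for chroot
# directory". Uses GNU stat (coreutils, as on Ubuntu). Function names are my own.

# component_ok UID OCTAL_MODE
# Pure check on the two values sshd inspects for one directory:
# returns 0 when UID is 0 and neither the group nor the other write bit is set.
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # pad to at least three digits so the group/other digits are well defined
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    other=${mode#"${mode%?}"}     # last octal digit: permissions for others
    rest=${mode%?}
    group=${rest#"${rest%?}"}     # second-to-last digit: permissions for group
    if [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]; then
        return 0
    fi
    return 1
}

# check_chroot_path DIR
# Walks from DIR up to / and applies component_ok to each directory.
# Prints the first offending component and returns 1; returns 0 if all pass.
check_chroot_path() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "usage: check_chroot_path /absolute/path" >&2; return 2 ;;
    esac
    while :; do
        # %u = owner uid, %a = permission bits in octal
        if ! info=$(stat -c '%u %a' "$dir" 2>/dev/null); then
            echo "cannot stat $dir" >&2
            return 2
        fi
        # $info is intentionally unquoted: it splits into UID and MODE
        if ! component_ok $info; then
            echo "FAIL: $dir (uid and mode: $info) must be root-owned and not group/world-writable"
            return 1
        fi
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo "OK: $1 and every parent directory satisfy the ChrootDirectory rules"
    return 0
}

# Usage:  check_chroot_path /var/sftp   (checks /var/sftp, /var and /)
```

Run it against /var/sftp after the chown and chmod above; note that it checks the chroot root itself, not /var/sftp/uploads, since the upload subdirectory is deliberately owned by sammyfiles and lives inside the chroot.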
Now that the directory structure is in place, we can configure the SSH server itself.
Step 3 — Restricting Access to One Directory
In this step, we'll modify the SSH server configuration to disallow terminal access for sammyfiles but allow file transfer access.
Open the SSH server configuration file using nano or your favorite text editor.
- sudo nano /etc/ssh/sshd_config
Scroll to the very bottom of the file and append the following configuration snippet. It must go at the end because every directive that follows a Match line applies only to that match, up to the next Match line.
/etc/ssh/sshd_config
. . .
Match User sammyfiles
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Then save and close the file.
Here's what each of those directives does:
Match User tells the SSH server to apply the following directives only to the user specified. Here, we specify sammyfiles.
ForceCommand internal-sftp forces the SSH server to run the SFTP server upon login, disallowing shell access.
PasswordAuthentication yes allows password authentication for this user.
ChrootDirectory /var/sftp ensures that the user will not be allowed access to anything beyond the /var/sftp directory.
PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no and X11Forwarding no disable tunneling, agent forwarding, port forwarding and X11 forwarding for this user.
This set of directives, starting with Match User, can be copied and repeated for different users too. Make sure to modify the username in the Match User line accordingly.
Note: You can omit the PasswordAuthentication yes line and instead set up SSH key access for increased security. Follow the Copying your Public SSH Key section of the SSH Essentials: Working with SSH Servers, Clients, and Keys tutorial to do so. Make sure to do this before you disable shell access for the user.
In the next step, we'll test the configuration by SSHing locally with password access, but if you set up SSH keys, you'll instead need access to a computer with the user's keypair.
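Before restarting sshd, it is worth confirming both that the file still parses and that the Match block actually applies to sammyfiles: a typo here can lock you out of the server or leave the user with a full shell. The script below is an added example, not part of the original tutorial. It uses two options of sshd itself, -t (check the configuration syntax) and -T -C user=... (print the effective configuration for a connection matching that user), plus a small function of my own, verify_sftp_only, that checks the dumped settings for the values this tutorial sets.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm the Match block
# before restarting sshd. Assumes OpenSSH's sshd and a user named sammyfiles.

# verify_sftp_only: reads "keyword value" lines in the format printed by
# `sshd -T` (lowercase keywords) on stdin and checks every directive the
# Match block in this tutorial sets, except PasswordAuthentication, which is
# optional if keys are used. Returns 0 only when all expected values are present.
verify_sftp_only() {
    conf=$(cat)
    rc=0
    for want in \
        'forcecommand internal-sftp' \
        'chrootdirectory /var/sftp' \
        'permittunnel no' \
        'allowagentforwarding no' \
        'allowtcpforwarding no' \
        'x11forwarding no'
    do
        # -x: the whole line must match, so "forcecommand none" does not pass
        if printf '%s\n' "$conf" | grep -qx -- "$want"; then
            echo "ok       $want"
        else
            echo "MISSING  $want"
            rc=1
        fi
    done
    return $rc
}

# audit_live USER: run on the server itself. `sshd -t` validates the syntax of
# /etc/ssh/sshd_config without touching the running service; `sshd -T -C ...`
# prints the configuration that would apply to a connection from USER, so the
# effect of the Match block is visible before anything is restarted.
audit_live() {
    user=$1
    if ! sudo sshd -t; then
        echo "sshd_config has a syntax error; fix it before restarting sshd" >&2
        return 1
    fi
    sudo sshd -T -C "user=$user,host=localhost,addr=127.0.0.1" | verify_sftp_only
}

# Usage on the server:  sh check_sftp_match.sh --live sammyfiles
if [ "${1-}" = --live ]; then
    audit_live "${2:-sammyfiles}"
fi
```

If any line is reported MISSING, the Match block is not taking effect for that user (wrong username, a stray Match line above it, or a typo in a directive); fix it and rerun before the restart below.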
To apply the configuration changes, restart the service.
- sudo systemctl restart sshd
You have now configured the SSH server to restrict access to file transfer only for sammyfiles. The last step is testing the configuration to make sure it works as intended.
Step 4 — Verifying the Configuration
Let's ensure that our new sammyfiles user can only transfer files.
Logging in to the server as sammyfiles using normal shell access should no longer be possible. Let's try it:
- ssh sammyfiles@localhost
You'll see the following message before being returned to your original prompt:
Error message
This service allows sftp connections only.
Connection to localhost closed.
This means that sammyfiles can no longer access the server shell using SSH.
Next, let's verify whether the user can successfully access SFTP for file transfer.
- sftp sammyfiles@localhost
Instead of an error message, this command will show a successful login message with an interactive prompt.
SFTP prompt
Connected to localhost.
sftp>
You can list the directory contents using ls in the prompt:
sftp> ls
This will show the uploads directory that was created in the previous step and return you to the sftp> prompt.
SFTP file list output
uploads
To verify that the user is indeed restricted to this directory and cannot access any directory above it, you can try changing the directory to the one above it.
sftp> cd ..
This command will not give an error, but listing the directory contents as before will show no change, proving that the user was not able to switch to the parent directory.
You have now verified that the restricted configuration works as intended. The newly created sammyfiles user can access the server only using the SFTP protocol for file transfer and has no ability to access the full shell.
You have restricted a user to SFTP-only access to a single directory on a server without full shell access. While this tutorial uses only one directory and one user for brevity, you can extend this example to multiple users and multiple directories.
The SSH server allows more complex configuration schemes, including limiting access to groups or multiple users at once, or even limited access to certain IP addresses. You can find examples of additional configuration options and explanations of possible directives in the OpenSSH Cookbook. If you run into any issues with SSH, you can debug and fix them with this troubleshooting SSH series.