Secure file transfer protocol (SFTP) is a secure way of transferring files between a local and remote computer using an encrypted SSH session. It is an improved version of the traditional file transfer protocol (FTP), which adds a layer of security during the file transfer and connection establishment processes.
In this guide, you will set up SFTP User accounts on Ubuntu 20.04, and allow the user to strictly access files within the home directory.
Prerequisites
Setup SFTP
Create a new SFTP Users Group. Replace sftpcorner
with your desired group name.
$ sudo addgroup sftpcorner
Create a new user account. Replace exampleuser
with your desired user name.
$ sudo adduser exampleuser
Enter the user’s full name, password to continue.
Then, add the user to the SFTP group.
$ sudo usermod -G sftpcorner exampleuser
Restrict the user from accessing files outside the home directory.
$ sudo chown root:root /home/exampleuser
Now, create new subdirectories within the user home directory. These are used for file transfer.
$ sudo mkdir /home/exampleuser/uploads
Grant the user ownership rights to the subdirectories.
$ sudo chown -R exampleuser:exampleuser /home/exampleuser/uploads
Then, allow read and write permissions to all files within the home directory.
$ sudo chmod -R 755 /home/exampleuser/
Configure SFTP
With the sftp
group and user accounts created, enable SFTP in the main SSH configuration file.
Using an editor of your choice, open the file /etc/ssh/sshd_config
.
$ sudo vim /etc/ssh/sshd_config
Add the following lines to the end of the file. Replace sftpcorner
with your actual sftp
group.
Match Group sftpcorner
ChrootDirectory %h
PasswordAuthentication yes
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
Save and close the file.
Below are the functions for each of the above configuration lines:
- Match Group sftpcorner: Match the user group
sftpcorner
. - ChrootDirectory %h: Restrict access to directories within the user's home directory.
- PasswordAuthentication yes: Enable password authentication.
- AllowTcpForwarding no: Disable TCP forwarding.
- X11Forwarding no: Don't permit Graphical displays.
- ForceCommand internal-sftp: Enable SFTP only with no shell access.
Also, confirm if SFTP is enabled (it is by default). The line below should be uncommented in /etc/ssh/sshd_config
:
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
Restart the SSH server for changes to take effect.
$ sudo systemctl restart sshd
Login to SFTP
Open a new terminal window and log in with sftp
using a valid user account and password.
$ sftp exampleuser@SERVER-IP
OR
$ sftp exampleuser@127.0.01 (If running within the same server SSH session)
List files within the directory. Your output should be similar to the one below:
exampleuser@127.0.0.1's password:
Connected to 127.0.0.1.
sftp> ls
uploads
sftp>
Also, try creating a new directory within the subdirectory to test user permissions.
sftp> cd uploads
sftp> mkdir files
Confirm creation of the new directory:
sftp> ls
files
sftp>
FileZilla and Cyberduck are the most popular SFTP clients available for Windows, Mac, and Linux desktop to test connectivity using a desktop client.
Conclusion
In this guide, you successfully set up SFTP on a Ubuntu 20.04 server, then tested connectivity through a terminal session and FileZilla. You can create multiple users with different directories to securely upload and download files on your server.