SFTP stands for Secure File Transfer Protocol. It is one of the most common methods used to transfer files securely over SSH from a local system to a remote server and vice versa. The main advantage of SFTP is that no additional package needs to be installed apart from ‘openssh-server’, which is part of the default installation in most Linux distributions. Another benefit of SFTP is that a user can be allowed to use SFTP only, without being granted an SSH shell.
Debian 10, code name ‘Buster’, has recently been released. In this article we will demonstrate how to configure SFTP with a chroot ‘jail’-like environment on a Debian 10 system. Here a chroot jail-like environment means that users cannot go beyond their respective home directories; in other words, users cannot change into any directory outside their home directory. Following are the lab details:
- OS = Debian 10
- IP Address = 192.168.56.151
Let’s jump into the SFTP configuration steps.
Step:1) Create a Group for sftp using groupadd command
Open the terminal and create a group named “sftp_users” using the groupadd command below,
[email protected]:~# groupadd sftp_users
Step:2) Add Users to Group ‘sftp_users’ and set permissions
In case you want to create a new user and add that user to the ‘sftp_users’ group, run the following command,
Syntax: # useradd -m -G sftp_users <user_name>
Let’s suppose the user name is ‘jonathan’
[email protected]:~# useradd -m -G sftp_users jonathan
Set the password using the following chpasswd command,
[email protected]:~# echo "jonathan:<enter_password>" | chpasswd
In case you want to add an existing user to the ‘sftp_users’ group, run the usermod command below. Let’s suppose the existing user name is ‘chris’. The -a flag appends the group, so the user keeps the supplementary groups they already belong to (without -a, usermod -G replaces them all with sftp_users).
[email protected]:~# usermod -aG sftp_users chris
Now set the required ownership on the users’ home directories. sshd refuses a chrooted login (“bad ownership or modes for chroot directory”) unless the chroot directory and every directory above it are owned by root and are not writable by group or others, so the home directories themselves must belong to root,
[email protected]:~# chown root /home/jonathan /home/chris/
Create an upload folder in both users’ home directories and set the correct ownership,
[email protected]:~# mkdir /home/jonathan/upload
[email protected]:~# mkdir /home/chris/upload
[email protected]:~# chown jonathan /home/jonathan/upload
[email protected]:~# chown chris /home/chris/upload
Note: Because the home directory itself is owned by root, the upload folder is the only place where users like Jonathan and Chris can upload files and directories from their local system.
Step:3) Edit the sftp configuration file (/etc/ssh/sshd_config)
As already stated, sftp operations are carried out over SSH, so its configuration file is “/etc/ssh/sshd_config”. Before making any changes, I would suggest first taking a backup, then editing this file and appending the following content at the end of the file (every directive after a Match line belongs to that Match block until the next Match line, so the block must not sit above global settings),
[email protected]:~# cp /etc/ssh/sshd_config /etc/ssh/sshd_config-org
[email protected]:~# vim /etc/ssh/sshd_config
………
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp_users
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
…………
Save & exit the file.
To make the above changes take effect, restart the ssh service using the following systemctl command (running “sshd -t” first checks the file for syntax errors, so that a typo does not leave you locked out of a server whose sshd failed to restart),
[email protected]:~# systemctl restart sshd
In the above ‘sshd_config’ file we have commented out the line which starts with “Subsystem”, added the new entry “Subsystem sftp internal-sftp”, and added new lines such as,
“Match Group sftp_users” –> If a user is a member of the ‘sftp_users’ group, the rules listed below this entry are applied to that user.
“ChrootDirectory %h” –> Users can only change directories within their respective home directories (%h expands to the user’s home directory); they cannot go beyond their home directories. In other words, users are not permitted to leave their home directory, they get a jail-like environment within it, and they cannot access any other user’s directories or the system’s directories.
“ForceCommand internal-sftp” …