

Create SFTP User with Specified Directory Permissions in Ubuntu 20.04 - Step by Step Process?

SFTP stands for Secure File Transfer Protocol, which is used to transfer data securely to and from your local system.

It works over the SSH protocol and is therefore considered more secure than plain FTP (File Transfer Protocol).

Transferring data is a routine task for every system administrator, and for developers who need to make changes to their code.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers configure an SFTP server on their Ubuntu-based servers.

In this context, we shall look into the steps to configure an SFTP server and create users with their specified directory permissions.


How to configure an SFTP User with Specified Directory Permissions on Ubuntu?

To begin, make sure you have sudo or root privileges on the server where the SFTP users will be created.

Let's start by logging into the system over SSH, using PuTTY or the shell terminal of your Linux desktop:

# ssh -i key.pem ubuntu@your_server_ip
# sudo -i

You can also log in to your system directly, but make sure to use your own username and credentials.


1. How to create a New SFTP-only User?

Creating a new user for SFTP is similar to adding any other general user.

But to restrict it to SFTP use only, we will assign it a nologin shell.

i. Run the command below to create an SFTP user with a custom home directory.

# useradd -m -d /home/example.com sftp_user

ii. Set the password of the newly created user with the 'passwd' command:

# passwd sftp_user

iii. Make sure to set a complex password. Then assign the user a nologin shell by editing the 'passwd' file so that its entry reads as below:

# vim /etc/passwd
sftp_user:x:1001:1001::/home/example.com:/usr/sbin/nologin

iv. Save and close with :wq to apply the changes.


2. Setup Directory Permissions

After creating the new user, we need to set the right permissions and ownership on the directory we created in the first step. sshd requires the chroot directory (and every directory above it) to be owned by root and not writable by group or others, which is why the directory is handed to root rather than to the SFTP user:

# chmod 755 /home/example.com/
# chown root:root /home/example.com

Because the chroot root itself is not writable by the SFTP user, give the user a subdirectory of their own inside it if they need to upload files.


3. Restrict Directory Access

Now that we have a new SFTP-only user in place, we need to restrict its access to the home directory we created.

i. To do so, modify the SSH daemon configuration file and add the following parameters:

# vim /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match User sftp_user
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication yes
    ForceCommand internal-sftp

ii. Before saving, put your own username after 'Match User'; '%h' stands for the home directory of the newly created user and becomes the root of its restricted environment.

The 'ChrootDirectory' directive ensures that the SFTP user cannot access any other directory. Note that Ubuntu's default sshd_config already contains a 'Subsystem sftp /usr/lib/openssh/sftp-server' line, and sshd accepts only one 'Subsystem sftp' entry, so keep just one of the two; 'ForceCommand internal-sftp' applies to the matched user either way.

iii. Save the configuration file, check its syntax, then restart the service and confirm that it is running, using the commands below:

# sshd -t
# systemctl restart sshd
# systemctl status sshd

Here, you can see that there was first an error in the ssh configuration file, which we fixed by commenting out the additional entry and restarting the sshd service.


4. How to test SFTP Login?

At this point, we are ready to use our SFTP user, but first let's make sure it has only SFTP access by attempting a normal SSH login:

# ssh sftp_user@xx.xx.xx.xx

Here xx.xx.xx.xx needs to be replaced with your own server IP.

As a result, the shell login should be refused: once the user authenticates, the server prints 'This service allows sftp connections only.' and closes the connection.


5. How to use the SFTP Client?

There are several SFTP clients available across operating systems, and you can use your favourite one. We are going to test with FileZilla, one of the most widely used FTP/SFTP clients.

You can download it from its official website.

Open it, enter the IP address of your SFTP server along with the username and password you created.

Once the credentials are accepted, you will have access only to the specified directory, where you can upload or download data.




Conclusion

This article covers the steps to set up a new SFTP server by making the SSH configuration changes, adding new users, and assigning the required directory permissions. You can add as many users as you want, or simply create a new group and make the new users members of that group.

FTP is a convenient protocol for accessing and transferring files, but it has the shortcoming of being a clear-text protocol.

In other words, it is not secure to use over an internet connection, since your credentials and data are transmitted without encryption.

The 'S' in SFTP stands for 'Secure' and tunnels the FTP protocol through SSH, providing the encryption needed to establish a secure connection.


To configure the SSH daemon on Ubuntu:

1. SFTP requires SSH, so if the SSH server is not already installed on your system, install it with the following command:

$ sudo apt install ssh

2. Once SSH is installed, we need to make some changes to the sshd configuration file. Use nano or your favourite text editor to open it:

$ sudo nano /etc/ssh/sshd_config

3. Scroll to the bottom of the file, add the following 5 lines at the very end, and save the file:

Match Group sftp
    ChrootDirectory /home
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

With 'ChrootDirectory /home', every member of the sftp group is confined to /home as a whole rather than to their own home directory, so each of them can see the other users' home directories (and read whatever those directories' permissions allow). The '%h' form used in the per-user configuration above confines each user to their own directory instead.

4. Restart the SSH service for these new changes to take effect:

$ sudo systemctl restart ssh
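An audit for the group-based setup above, as an added example that is not code from the LinuxAPT article. 'Match Group sftp' applies to every account whose primary or supplementary group is sftp, so the script resolves the members from both /etc/group and /etc/passwd and then flags any member that still has a real login shell or whose home directory lies outside the /home chroot. The function names are assumptions of this example; the passwd and group samples it writes are constructed for the demo, and the file paths default to /etc/passwd and /etc/group so the same functions can be pointed at the live system.

```shell
#!/bin/sh
# Added example (not part of the LinuxAPT article): audit the members of the
# sftp group against the "Match Group sftp" + "ChrootDirectory /home" setup.
# All helper names are assumptions of this example.

# Print, one per line and sorted, every user that "Match Group sftp" would
# apply to: supplementary members listed in the group file plus users whose
# primary gid in the passwd file is the group's gid.
sftp_group_members() {
    group="$1"; passwd_file="$2"; group_file="$3"
    awk -F: -v g="$group" '
        FNR == 1 { fileno++ }
        # First input: the group file.  name:x:gid:member1,member2
        fileno == 1 && $1 == g {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
        }
        # Second input: the passwd file.  name:x:uid:gid:gecos:home:shell
        fileno == 2 && gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$group_file" "$passwd_file" | sort
}

# Check one user's passwd entry: the shell must be nologin (or false) and the
# home must sit under /home, otherwise the chroot is not the user's home.
# Prints each finding and returns 1 if anything is wrong.
audit_sftp_user() {
    user="$1"; passwd_file="$2"
    line=$(grep "^$user:" "$passwd_file") || { echo "$user: no passwd entry"; return 1; }
    shell=${line##*:}
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    rc=0
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "$user: login shell is $shell, expected nologin"; rc=1 ;;
    esac
    case "$home" in
        /home/*) ;;
        *) echo "$user: home $home is outside the /home chroot"; rc=1 ;;
    esac
    return $rc
}

# Audit every member of the group; returns 1 if any member fails.
audit_sftp_group() {
    group="${1:-sftp}"; passwd_file="${2:-/etc/passwd}"; group_file="${3:-/etc/group}"
    rc=0
    for u in $(sftp_group_members "$group" "$passwd_file" "$group_file"); do
        audit_sftp_user "$u" "$passwd_file" || rc=1
    done
    return $rc
}

# Constructed sample passwd/group files for an offline demo (not real data):
# alice is in sftp through her primary gid, bob and carol through the member
# list; bob still has bash, carol's home is outside /home.
write_sample_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:2000::/home/alice:/usr/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/srv/carol:/usr/sbin/nologin
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
sftp:x:2000:bob,carol
bob:x:1002:
carol:x:1003:
EOF
    printf '%s\n' "$d"
}

case "${1:-}" in
    --demo)   d=$(write_sample_files); audit_sftp_group sftp "$d/passwd" "$d/group" ;;
    --system) audit_sftp_group sftp ;;
esac
```

'sh sftp_audit.sh --demo' reports bob's shell and carol's home directory and exits 1; 'sh sftp_audit.sh --system' runs the same checks against the real /etc/passwd and /etc/group, which is a quick way to catch an account that was added to the sftp group but never given a nologin shell.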