Setting up a SFTP server and users on Ubuntu 16.04

07/05/2018 - LINUX

In this example we are going to create a SFTP server and users on Ubuntu 16.04. Each user will have their own folders, be restricted to them and be defined as "non-interactive shell user" which means they cannot login to the Ubuntu server as a "normal" user. They can only use the sftp protocol not even the ssh. At the end of this example, users will be able to upload files into their own folders via a FTP/SFTP client such as FileZilla.


OpenSSH


By default OpenSSH comes with the most of the Linux systems so it is ready to be used. Let's confirm.


$ ssh -v localhost
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.

OpenBSD Secure Shell server


Like OpenSSH, OpenBSD Secure Shell server comes with the most of the Linux systems by default so it is ready to be used. Let's confirm.


$ sudo service ssh status
 ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-05-07 12:30:47 BST; 18min ago
  Process: 1742 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 1155 (sshd)
    Tasks: 1
   Memory: 4.5M
      CPU: 171ms
   CGroup: /system.slice/ssh.service
           └─1155 /usr/sbin/sshd -D

May 07 12:30:51 linux systemd[1]: Reloading OpenBSD Secure Shell server.
May 07 12:30:51 linux systemd[1]: Reloaded OpenBSD Secure Shell server.

System specific setup


You will be doing this part only once and never do that again.


Add sftp user group


Only the users who are allowed to use SFTP server will be part of this group.


# Check if group exists yet.
ubuntu@linux:~$ grep sftp /etc/group

# Create the group.
ubuntu@linux:~$ sudo addgroup sftp

# Check if group exists now.
ubuntu@linux:~$ grep sftp /etc/group
sftp:x:1001:

Create the main sftp folder


The main folder must be owned by root:root and the permissions must be set to 755. All the sftp group users will have their home folders created under this main folder.


ubuntu@linux:~$ sudo mkdir /sftp

ubuntu@linux:~$ ls -l /
drwxr-xr-x  2 root root   4096 May  7 12:59 sftp

User specific setup


Steps here are done per user basis so eveytime you create a new sftp user, you will have to repeat these steps.


Create user's home folder


ubuntu@linux:~$ sudo mkdir /sftp/inanzzz

ubuntu@linux:~$ ls -l /sftp
drwxr-xr-x 2 root root 4096 May  7 20:25 inanzzz

Create user's upload folder


ubuntu@linux:~$ sudo mkdir /sftp/inanzzz/upload

ubuntu@linux:~$ ls -l /sftp/inanzzz
drwxr-xr-x 2 root root 4096 May  7 20:28 upload

Create user


This command creates a "non-interactive shell user" inanzzz, sets his home folder /sftp/inanzzz and assigns him to sftp group.


ubuntu@linux:~$ sudo useradd -d /sftp/inanzzz -G sftp inanzzz --shell /usr/sbin/nologin

# Confirm changes
ubuntu@linux:~$ grep inanzzz /etc/passwd
inanzzz:x:1001:1002::/sftp/inanzzz:/usr/sbin/nologin

# User has been assigned to sftp group
ubuntu@linux:~$ grep sftp /etc/group
sftp:x:1001:inanzzz

# Confirm that user cannot login to system like normal users
ubuntu@linux:~$ sudo su inanzzz
This account is currently not available.

Set password


ubuntu@linux:~$ echo -e "123123\n123123" | sudo passwd inanzzz
Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully

Permissions


ubuntu@linux:~$ sudo chown inanzzz:sftp -R /sftp/inanzzz/upload

ubuntu@linux:~$ ls -l /sftp/inanzzz
drwxr-xr-x 2 inanzzz sftp 4096 May  7 20:28 upload

SFTP configuration


Add lines below to the end of the config file, save, exit and restart SSH server. The Match Group sftp line is the only one you need to change if you used a different group name than sftp that I used.


ubuntu@linux:~$ sudo nano /etc/ssh/sshd_config

Subsystem sftp internal-sftp            # Use in-process SFTP server
Match Group sftp
  ChrootDirectory %h                    # Prevent user access to anything beyond their home folder
  X11Forwarding no                      # Disable X11 forwarding
  AllowTcpForwarding no                 # Disable tunneling
  AllowAgentForwarding no               # Disable port forwarding
  PermitTunnel no                       # Disable network tunneling
  ForceCommand internal-sftp            # Force the connection to use the built-in SFTP server

ubuntu@linux:~$ sudo service ssh restart

Tests


Remote access


Try to access SFTP server from a remote PC with ssh command.


remote-pc:linux$ ssh inanzzz@192.168.99.20
This account is currently not available.
Connection to 192.168.99.20 closed.

Try to access SFTP server from a remote PC with sftp command.


remote-server:linux$ sftp inanzzz@192.168.99.20
inanzzz@192.168.99.20's password:
Connected to 192.168.99.20.
sftp>

Listing content of home directory


sftp> pwd
Remote working directory: /

sftp> ls -l
drwxr-xr-x    2 1001     1001         4096 May  7 19:28 upload

sftp> ls -l upload
# Empty

FileZilla


When a user logs in, all he can see is his upload folder and it's content.


Host: 192.168.99.20
Port: 22
Protocol: SFTP
User: inanzzz
Password: 123123

Assume that inanzzz has upload a file so let's see the permissions.


ubuntu@linux:~$ ls -l /sftp/inanzzz/upload/
-rw-r--r-- 1 inanzzz inanzzz 5083 May  7 20:41 sftp.txt