07/05/2018 - LINUX
In this example we are going to create an SFTP server and users on Ubuntu 16.04. Each user will have their own folder, be restricted to it and be defined as a "non-interactive shell user", which means they cannot log in to the Ubuntu server as a "normal" user. They can only use the sftp protocol, not even ssh. At the end of this example, users will be able to upload files into their own folders via an FTP/SFTP client such as FileZilla.
OpenSSH comes with most Linux systems by default, so it is ready to be used. Let's confirm.
$ ssh -v localhost
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
Like the OpenSSH client, the OpenBSD Secure Shell server (sshd) comes with most Linux systems by default, so it is ready to be used. Let's confirm.
$ sudo service ssh status
ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2018-05-07 12:30:47 BST; 18min ago
Process: 1742 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 1155 (sshd)
Tasks: 1
Memory: 4.5M
CPU: 171ms
CGroup: /system.slice/ssh.service
└─1155 /usr/sbin/sshd -D
May 07 12:30:51 linux systemd[1]: Reloading OpenBSD Secure Shell server.
May 07 12:30:51 linux systemd[1]: Reloaded OpenBSD Secure Shell server.
This part is done only once; you will not need to repeat it for every user.
# Check if group exists yet.
ubuntu@linux:~$ grep sftp /etc/group
# Create the group.
ubuntu@linux:~$ sudo addgroup sftp
# Check if group exists now.
ubuntu@linux:~$ grep sftp /etc/group
sftp:x:1001:
The main folder must be owned by root:root and its permissions must be set to 755. All users in the sftp group will have their home folders created under this main folder.
ubuntu@linux:~$ sudo mkdir /sftp
ubuntu@linux:~$ ls -l /
drwxr-xr-x 2 root root 4096 May 7 12:59 sftp
The steps here are done on a per-user basis, so every time you create a new sftp user you will have to repeat them.
ubuntu@linux:~$ sudo mkdir /sftp/inanzzz
ubuntu@linux:~$ ls -l /sftp
drwxr-xr-x 2 root root 4096 May 7 20:25 inanzzz
ubuntu@linux:~$ sudo mkdir /sftp/inanzzz/upload
ubuntu@linux:~$ ls -l /sftp/inanzzz
drwxr-xr-x 2 root root 4096 May 7 20:28 upload
This command creates a "non-interactive shell user" inanzzz, sets his home folder to /sftp/inanzzz and assigns him to the sftp group.
ubuntu@linux:~$ sudo useradd -d /sftp/inanzzz -G sftp inanzzz --shell /usr/sbin/nologin
# Confirm changes
ubuntu@linux:~$ grep inanzzz /etc/passwd
inanzzz:x:1001:1002::/sftp/inanzzz:/usr/sbin/nologin
# User has been assigned to the sftp group
ubuntu@linux:~$ grep sftp /etc/group
sftp:x:1001:inanzzz
# Confirm that user cannot login to system like normal users
ubuntu@linux:~$ sudo su inanzzz
This account is currently not available.
ubuntu@linux:~$ echo -e "123123\n123123" | sudo passwd inanzzz
Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
ubuntu@linux:~$ sudo chown inanzzz:sftp -R /sftp/inanzzz/upload
ubuntu@linux:~$ ls -l /sftp/inanzzz
drwxr-xr-x 2 inanzzz sftp 4096 May 7 20:28 upload
Add the lines below to the end of the config file, save, exit and restart the SSH server. The Match Group sftp line is the only one you need to change if you used a different group name than the sftp that I used.
ubuntu@linux:~$ sudo nano /etc/ssh/sshd_config
# Use the in-process SFTP server. Replace the existing "Subsystem sftp" line
# with this one; sshd refuses to start with a duplicate Subsystem entry.
# Comments are kept on their own lines because sshd does not accept trailing comments.
Subsystem sftp internal-sftp
Match Group sftp
    # Prevent user access to anything beyond their home folder
    ChrootDirectory %h
    # Disable X11 forwarding
    X11Forwarding no
    # Disable TCP port forwarding (tunneling)
    AllowTcpForwarding no
    # Disable SSH agent forwarding
    AllowAgentForwarding no
    # Disable tun/tap network tunneling
    PermitTunnel no
    # Force the connection to use the built-in SFTP server
    ForceCommand internal-sftp
ubuntu@linux:~$ sudo service ssh restart
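As an added example (not part of the original post), here are the per-user steps and the sshd_config block above collected into a small POSIX shell helper. It assumes the same layout as the post (/sftp as the root, group sftp, /usr/sbin/nologin as the shell) and GNU coreutils for stat -c. The function names and the SFTP_ROOT, SFTP_GROUP and NOLOGIN variables are my own; check_chroot_dir's optional owner argument (root by default) exists only so the check can be exercised on a test directory that is not root-owned.

```shell
#!/bin/sh
# Added example, not code from the original post. Run with no arguments it
# only defines functions; "sudo sh sftp-user.sh provision NAME" performs the
# per-user steps, "sh sftp-user.sh config" prints the sshd_config block.

SFTP_ROOT=${SFTP_ROOT:-/sftp}        # assumed layout, as in the post
SFTP_GROUP=${SFTP_GROUP:-sftp}
NOLOGIN=${NOLOGIN:-/usr/sbin/nologin}

# check_chroot_dir DIR [OWNER]: succeed only if DIR meets sshd's rules for a
# ChrootDirectory: owned by OWNER (root by default) and not writable by group
# or others. sshd refuses the login otherwise. Every component of the chroot
# path must pass; provision_sftp_user checks the two directories the post creates.
check_chroot_dir() {
    dir=$1
    want=${2:-root}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    owner=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$owner" = "$want" ] || { echo "$dir: owned by $owner, expected $want" >&2; return 1; }
    case "$mode" in
        # group and other digits must have no write bit (0, 1, 4 or 5)
        [0-7][0145][0145]|[0-7][0-7][0145][0145]) return 0 ;;
        *) echo "$dir: mode $mode is group- or world-writable" >&2; return 1 ;;
    esac
}

# passwd_shell LINE: print the login shell field (7th) of one /etc/passwd line.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# sshd_match_block [GROUP]: print the sshd_config block from the post, with
# comments on their own lines (sshd rejects trailing '#' comments).
sshd_match_block() {
    grp=${1:-$SFTP_GROUP}
    cat <<EOF
# Replace the existing "Subsystem sftp" line with this one.
Subsystem sftp internal-sftp
Match Group $grp
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand internal-sftp
EOF
}

# provision_sftp_user NAME: the per-user steps from the post (run as root).
provision_sftp_user() {
    user=$1
    home=$SFTP_ROOT/$user
    getent group "$SFTP_GROUP" >/dev/null || addgroup "$SFTP_GROUP"
    mkdir -p "$home/upload"
    chown root:root "$SFTP_ROOT" "$home"      # chroot path stays root-owned
    chmod 755 "$SFTP_ROOT" "$home"
    useradd -d "$home" -G "$SFTP_GROUP" --shell "$NOLOGIN" "$user"
    chown -R "$user:$SFTP_GROUP" "$home/upload"   # only upload/ is writable
    check_chroot_dir "$SFTP_ROOT" && check_chroot_dir "$home"
}

# verify_sftp_user NAME: confirm the account is sftp-only and its chroot is sane.
verify_sftp_user() {
    user=$1
    entry=$(getent passwd "$user") || { echo "no such user: $user" >&2; return 1; }
    [ "$(passwd_shell "$entry")" = "$NOLOGIN" ] || { echo "$user has an interactive shell" >&2; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    check_chroot_dir "$home"
}

case "${1:-}" in
    provision) provision_sftp_user "$2" ;;
    verify)    verify_sftp_user "$2" ;;
    config)    sshd_match_block "$2" ;;
esac
```

After pasting the printed block into /etc/ssh/sshd_config, run `sudo sshd -t` before `sudo service ssh restart`: sshd -t only parses the file, so a rejected option (a duplicate Subsystem line, a trailing comment) is reported while the running daemon is still up, instead of leaving a remote box with no sshd at all.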
Try to access the SFTP server from a remote PC with the ssh command.
remote-pc:linux$ ssh inanzzz@192.168.99.20
This account is currently not available.
Connection to 192.168.99.20 closed.
Try to access the SFTP server from a remote PC with the sftp command.
remote-server:linux$ sftp inanzzz@192.168.99.20
inanzzz@192.168.99.20's password:
Connected to 192.168.99.20.
sftp>
sftp> pwd
Remote working directory: /
sftp> ls -l
drwxr-xr-x 2 1001 1001 4096 May 7 19:28 upload
sftp> ls -l upload
# Empty
When a user logs in, all he can see is his upload folder and its content.
Host: 192.168.99.20
Port: 22
Protocol: SFTP
User: inanzzz
Password: 123123
Assume that inanzzz has uploaded a file, so let's see the permissions.
ubuntu@linux:~$ ls -l /sftp/inanzzz/upload/
-rw-r--r-- 1 inanzzz inanzzz 5083 May 7 20:41 sftp.txt