Set up an SFTP server in Linux

In this tutorial we will see how to set up an SFTP server in Linux, and how to configure a second SFTP user who can only download files but cannot upload anything to the server. An Amazon Linux 2 server is used throughout.

Prerequisites:

Root privileges are needed to create the SFTP user and to edit the sshd configuration.

Create the SFTP user:

First create the SFTP user with /sbin/nologin as its shell. The user never gets a shell anyway: the ForceCommand set below hands the session straight to the in-process SFTP server, so nologin simply blocks interactive SSH logins with the same credentials.

useradd -s /sbin/nologin username

Set a password for the newly created user.

passwd username

Change the sshd configuration file for the SFTP user

If the server currently has PasswordAuthentication no in /etc/ssh/sshd_config, the SFTP user will not be able to log in with the password just set. Rather than changing it to PasswordAuthentication yes for the whole server, put PasswordAuthentication yes inside the Match User block added below, so that passwords are accepted only for this account. Where the client can use a key, key-based authentication for the SFTP user is still the better choice.

Comment out the line Subsystem sftp /usr/libexec/openssh/sftp-server and add Subsystem sftp internal-sftp right below it in /etc/ssh/sshd_config. internal-sftp runs inside the sshd process itself, so it works inside a chroot that contains no binaries or libraries; the external sftp-server would not.

Now add the following block at the bottom of /etc/ssh/sshd_config. It has to be last: every directive after a Match line applies only to the matching connections, up to the next Match line.

Match User username
    ChrootDirectory sftp-directory
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Note: Replace username with your SFTP user and sftp-directory with the absolute path of the directory you want to use as the SFTP root. ForceCommand internal-sftp means the account can do nothing but SFTP, whatever the client asks for; disabling X11 and TCP forwarding stops the account being used as a tunnel into the host or the network behind it.

Save the file, check it for syntax errors with sshd -t, and then restart the sshd service to apply the changes. Restarting with a broken configuration can lock you out of a remote server, so do the check first.

Create a directory for the SFTP server:

Create the directory that will be the SFTP root and make root its owner.

mkdir DIRECTORY_NAME
chown root:root DIRECTORY_NAME

Note: Make sure the ChrootDirectory given in the sshd configuration is owned by root and is not writable by group or others (mode 755 is the usual choice). sshd checks this on every login and refuses the connection if it does not hold, logging "bad ownership or modes for chroot directory". A chroot the user can write to would let them plant files sshd trusts, which is why the check exists.

The same rule applies to every directory in the path, not only the last one. If /folder1/folder2/folder3 is the ChrootDirectory, then /folder1, /folder1/folder2 and /folder1/folder2/folder3 must all be owned by root and not writable by group or others.

Because the chroot root is owned by root, the SFTP user cannot write there. Create a subdirectory inside it (this tutorial uses uploads) and give ownership of that subdirectory to the SFTP user; that is the only place the user can upload to.

Test the SFTP user with FileZilla

Open the FileZilla client, enter the host IP, username, password and SSH port, and click Quickconnect.

If an Unknown host key dialog appears, compare the fingerprint it shows with the server's own host key fingerprint (ssh-keygen -lf on the host public key in /etc/ssh, run on the server) before ticking Always trust this host, add this key to the cache and clicking OK. Accepting an unverified key means the client would just as readily accept a machine impersonating the server.

After a successful login the uploads folder appears in the Remote site pane.

Now try uploading files from the local system to the SFTP server and downloading files from the server to the local system. Uploads into uploads succeed; an upload into the chroot root itself fails, because that directory is owned by root.

Scenario 2: Restricting an SFTP user to downloads only

Suppose the requirement is a second SFTP user who may only view and download files, but cannot upload anything via SFTP.
Create that user with the same steps as above and set a password for it.

Add a Match User block for the new user to the sshd configuration as before (the two users can also share one block, since Match User accepts a comma-separated list of names) and restart sshd. The same is shown in the screenshot below.

Use an ACL to give the second user read and execute permission on the directory it should be able to browse and download from. With only r-x the user can list the directory and read its files, but cannot create, rename or delete anything in it. Note that -R applies the entry to the files that exist now; files uploaded later by the first user will not carry it unless a default ACL is also set on the directory.

setfacl -Rm u:username:rx ChrootDirectory/folder1/

Now log in to the SFTP server as the second user with FileZilla and try to download some files.
The download succeeds, but an attempt to upload a file to the same directory fails with a permission error.
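An added example for the read-only user, not code from the original page: it applies the ACL the way the tutorial does (with rX and a default entry, explained in the comments) and then reads back getfacl output to confirm that the user's effective permission contains no write bit. The user name readonly, the path /sftp/uploads and the three getfacl listings are constructed for the example.

```bash
#!/bin/bash
# Added example for the read-only SFTP user; not code from the original page.
# Hypothetical names: read-only user "readonly", shared directory "/sftp/uploads".

# acl_effective_perms USER   (getfacl output on stdin)
# Prints what USER actually gets from the named-user ACL entry. getfacl shows
# the entry as "user:NAME:rwx"; when the ACL mask cuts it down, the line ends
# in "#effective:r-x" and that effective value is the one that matters.
acl_effective_perms() {
    awk -F: -v u="$1" '
        $1 == "user" && $2 == u {
            perms = $3
            sub(/[ \t].*$/, "", perms)                 # drop trailing comment
            if (match($0, /#effective:[rwx-]+/))
                perms = substr($0, RSTART + 11, RLENGTH - 11)
            print perms
            exit
        }'
}

# acl_is_readonly USER   (getfacl output on stdin)
# Returns 0 if USER has an entry and its effective permission has no "w".
acl_is_readonly() {
    perms=$(acl_effective_perms "$1")
    [ -n "$perms" ] || return 1        # no entry at all: nothing was granted
    case $perms in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# grant_readonly USER DIR   (run as root)
# The tutorial's setfacl step with two refinements:
#  - "rX" (capital X) grants execute only on directories, which the user needs
#    in order to traverse them, instead of marking every file executable;
#  - a default (-d) entry on DIR is inherited by files and subdirectories
#    created in it later. "-R" alone only touches what exists now, so uploads
#    arriving after this step would otherwise be unreadable for USER.
grant_readonly() {
    user=$1 dir=$2
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    setfacl -Rm "u:$user:rX" "$dir" &&
    setfacl -dm "u:$user:rX" "$dir" &&
    getfacl --omit-header "$dir" | acl_is_readonly "$user"
}

# Constructed getfacl output (not captured from a real server) covering the
# three cases the check has to tell apart.
SAMPLE_PLAIN='# file: uploads
# owner: sftpuser
# group: sftpuser
user::rwx
user:readonly:r-x
group::r-x
mask::r-x
other::r-x'

SAMPLE_MASKED='# file: uploads
# owner: sftpuser
# group: sftpuser
user::rwx
user:readonly:rwx               #effective:r-x
group::r-x
mask::r-x
other::r-x'

SAMPLE_WRITABLE='# file: uploads
# owner: sftpuser
# group: sftpuser
user::rwx
user:readonly:rwx
group::r-x
mask::rwx
other::r-x'

# Example invocation (as root): grant_readonly readonly /sftp/uploads
if [ "$#" -eq 2 ]; then
    grant_readonly "$1" "$2"
fi
```

The masked sample is the case worth remembering: an entry can say rwx while the mask line limits what is actually granted, and getfacl flags that with #effective. A check that reads only the entry's own field would wrongly report that user as writable, and, in the opposite direction, an entry that looks read-only is not loosened by the mask, so r-x in the listing is what the user really has.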