How To Configure and Secure SFTP Without Providing Shell Access on Ubuntu 16.04


In this article, we will learn how to configure SFTP without enabling shell access on Ubuntu 14.04. SSH File Transfer Protocol (SFTP) is a secure way to transfer files between servers over an SSH-encrypted connection. It is a different protocol from File Transfer Protocol (FTP), but it is supported by all the FTP clients.

SFTP works with the default configuration on every server that has SSH access enabled, which makes it secure and easy to use. The disadvantage of the standard configuration is that it also gives every SFTP user a terminal shell on the server.

In some organizations, we want to allow only file transfer and no SSH shell access.

Pre-requisites

  • Ubuntu 14.04 installed on the machine.
  • A normal user with sudo permission on the machine.

Creating User for SFTP

We need to create a new user that will be granted only SFTP access on the server, and set a password for that user.

$ sudo adduser ftpuser

$ sudo passwd ftpuser

Changing password for user ftpuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Creating Folder for FTP Access

We need to create a folder on the machine that satisfies the SSH server's permission requirements for a chroot, which are very important: the folder itself and every folder above it must be owned by root, and no other user may have write access to them.

We will create the folders as /var/sftp/files: /var/sftp is owned by the root user and /var/sftp/files is owned by ftpuser.

Now we will create the folders which are required and set the permission which is required for the SFTP set up.

$ sudo mkdir -p /var/sftp/files
$ sudo chown root:root /var/sftp
$ sudo chmod 755 /var/sftp

Now we will give the permission for the /var/sftp/files folder to the newly created user ‘ftpuser’.

$ sudo chown ftpuser:ftpuser /var/sftp/files

Restrict the Access to the Folder

Here we will change the SSH server configuration file to deny SSH terminal access to the newly created user ftpuser while still allowing SFTP file transfer.

Let us edit the SSH configuration using nano and add the configuration below at the end of the file.

$ sudo nano /etc/ssh/sshd_config
Output:
….
….
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match User ftpuser
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

To apply the configuration, we need to restart the sshd daemon with the command below.

$ sudo systemctl restart sshd

The directives used in the above configuration are:

  • Match User − The configuration block is applied to the user named in this directive; we specified ftpuser.

  • ForceCommand internal-sftp − Prevents the user from getting a terminal shell over SSH and allows only SFTP once the user logs in.

  • PasswordAuthentication yes − Allows password authentication for the specified user.

  • ChrootDirectory /var/sftp/ − Will not allow the user beyond the /var/sftp directory.

  • AllowAgentForwarding no − Will not allow tunneling for the user we specified.

  • AllowTcpForwarding no − Will not allow port forwarding for the user we specified.

  • X11Forwarding no − Will not allow X11 forwarding for the user we specified.

Verify the Configuration

To verify the configuration, we need to check the SSH login from the local machine.

$ ssh ftpuser@localhost
Output:
ftpuser@localhost's password:
Could not chdir to home directory /home/ftpuser: No such file or directory
This service allows sftp connections only.
Connection to localhost closed.

As you can see, the ftpuser is not allowed to log in using SSH.

Now, we will verify the same for SFTP access.

$ sftp ftpuser@localhost
Output:
ftpuser@localhost's password:
Connected to localhost.
sftp>

As you can see, the SFTP login is allowed, and now you can see the folder list using the ls command.

sftp> ls
files
sftp> ls -l
drwxr-xr-x    2 1000    1000       6 Jun 19 13:31 files
sftp>

In this article, we have learned how to configure and secure an SFTP user so that it can log in only for SFTP to a single folder and is denied SSH terminal login on Ubuntu 16.04. SSH supports more complex configurations and schemes, where we can restrict a single user or group, or limit access to an IP address.

raja
Published on 23-Jan-2020 07:34:09