In this article we will learn how to configure SFTP without enabling shell access on Ubuntu 16.04. SSH File Transfer Protocol (SFTP) is a secure way to move files to and from a server over an encrypted SSH connection. Despite the name, it is unrelated to the File Transfer Protocol (FTP): it is a separate protocol that runs entirely inside SSH, so it needs an SFTP-capable client rather than a plain FTP client.
SFTP is available out of the box on every server that has SSH access enabled; no extra service has to be installed. The drawback of that default configuration is that every SFTP user also gets an interactive terminal (shell) on the server. In many organizations we want to allow only file transfer and no SSH shell access at all.
First create a new user that will be granted SFTP access only, and set a password for it (on Ubuntu, adduser already prompts for a password; passwd can be used to set or change it afterwards).
$ sudo adduser ftpuser
$ sudo passwd ftpuser
Changing password for user ftpuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Next we need a directory tree that satisfies the SSH server's chroot requirements, which are strict: the chroot directory itself and every directory above it up to / must be owned by root and must not be writable by any other user or group. If any component fails this test, sshd refuses the login and logs "bad ownership or modes for chroot directory". Because a root-owned, non-writable chroot means the user cannot create files at its top level, we put a writable subdirectory inside it: /var/sftp is the chroot and is owned by root, and /var/sftp/files is owned by ftpuser.
Create the directories and set the permissions required for the chroot:
$ sudo mkdir -p /var/sftp/files
$ sudo chown root:root /var/sftp
$ sudo chmod 755 /var/sftp
Now give ownership of /var/sftp/files to the new user ftpuser so that it can read and write files there (this directory sits below the chroot, so it does not need to be root-owned):
$ sudo chown ftpuser:ftpuser /var/sftp/files
Next we edit the SSH server configuration to deny ftpuser a terminal session while still allowing SFTP file transfer. Open the configuration with nano and add the Match block below at the very end of the file: every directive after a Match line belongs to that block until the next Match, so it must come after all global settings.
$ sudo nano /etc/ssh/sshd_config
Output (the existing commented example at the end of the file):
....
....
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Append the following:
Match User ftpuser
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
To apply the configuration, restart the sshd daemon with the command below (on Ubuntu the unit is ssh.service; sshd is an alias for it).
$ sudo systemctl restart sshd
Match User − The directives that follow apply only to the user named here, ftpuser.
ForceCommand internal-sftp − Runs the SFTP server built into sshd instead of the user's login shell, whatever command the client requests, so the user can transfer files but never gets a terminal. internal-sftp (rather than the external sftp-server binary) is needed because no binaries exist inside the chroot.
PasswordAuthentication yes − Allows password authentication for this user even if it is disabled globally. Key-based authentication is preferable where the clients support it.
ChrootDirectory /var/sftp − Confines the user to /var/sftp; the user sees it as / and cannot reach anything outside it.
PermitTunnel no − Disables tun(4) device forwarding (VPN-style tunnelling) for this user.
AllowAgentForwarding no − Disables SSH agent forwarding for this user.
AllowTcpForwarding no − Disables TCP port forwarding, so the account cannot be used as a port-forwarding pivot.
X11Forwarding no − Disables X11 forwarding for this user.
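Two checks worth running around the restart, as an added example that is not part of the original article: check_chroot_path walks from the chroot directory up to / and reports every component that violates the ownership and mode rule described earlier (the most common reason a chroot login fails), and sftp_only_effective asks sshd itself, via sshd -T -C user=..., what configuration it would actually apply to ftpuser after Match processing, which also catches syntax errors in sshd_config before they take a server down. The optional uid argument on the chroot check exists only so the function can be exercised on a test tree owned by a non-root user; the script name sftp-check.sh and the path /usr/sbin/sshd are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Pre-flight checks for the
# SFTP-only chroot setup described above.
#
# Usage (assumed script name):  sudo bash sftp-check.sh /var/sftp ftpuser

# chroot_component_ok DIR [UID]
# Succeeds when DIR is a directory owned by UID (default 0 = root) and is not
# writable by group or others. sshd applies exactly this test to the chroot
# directory and to every directory above it. The UID argument exists only so
# the check can be exercised on a test tree owned by a non-root user.
chroot_component_ok() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "NOT A DIRECTORY: $dir"
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")      # e.g. 755, or 1777 for /tmp (no leading zero)
    if [ "$uid" != "$want_uid" ]; then
        echo "BAD OWNER: $dir is owned by uid $uid, expected $want_uid"
        return 1
    fi
    # 0$mode makes the value octal; 0022 masks the group- and other-write bits.
    if [ $(( 0$mode & 0022 )) -ne 0 ]; then
        echo "BAD MODE: $dir is mode $mode (writable by group or others)"
        return 1
    fi
    return 0
}

# check_chroot_path DIR [UID]
# Checks DIR and every parent up to / with chroot_component_ok. Succeeds only
# if all components pass, which is what sshd requires of a ChrootDirectory.
# The user-writable subdirectory (files) sits below DIR and is deliberately
# not checked: it is allowed to be owned by the SFTP user.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    rc=0
    while :; do
        chroot_component_ok "$dir" "$want_uid" || rc=1
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# sftp_only_effective USER
# Asks sshd which configuration it would apply to USER connecting from
# localhost (after Match blocks are evaluated) and confirms the two settings
# that make the account SFTP-only. Fails if sshd_config has a syntax error.
# Must run as root, because sshd -T reads the host keys.
sftp_only_effective() {
    user=$1
    eff=$(/usr/sbin/sshd -T -C "user=$user,host=localhost,addr=127.0.0.1") || return 1
    echo "$eff" | grep -qi '^forcecommand internal-sftp$' || {
        echo "ForceCommand internal-sftp is NOT in effect for $user"; return 1; }
    echo "$eff" | grep -qi '^chrootdirectory /' || {
        echo "ChrootDirectory is NOT in effect for $user"; return 1; }
    cdir=$(echo "$eff" | grep -i '^chrootdirectory ' | cut -d' ' -f2)
    echo "OK: $user is SFTP-only and chrooted to $cdir"
}

# Run both checks when invoked with a chroot path and a user name.
if [ "$#" -ge 2 ]; then
    check_chroot_path "$1" && sftp_only_effective "$2"
fi
```

Run it as root before the restart to catch a bad chroot path or a broken Match block, and again afterwards to confirm that the settings sshd reports for ftpuser are the ones intended. A chroot placed under a world-writable directory such as /tmp fails the first check no matter how the leaf directory is set up, which is exactly why sshd would reject it too.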
To verify the configuration, first try an interactive SSH login as ftpuser from the local machine:
$ ssh ftpuser@localhost
Output:
ftpuser@localhost's password:
Could not chdir to home directory /home/ftpuser: No such file or directory
This service allows sftp connections only.
Connection to localhost closed.
As you can see, ftpuser is not allowed to log in over SSH. The "Could not chdir to home directory" warning is harmless: inside the chroot the path /home/ftpuser does not exist, so the session starts at / of the chroot, which is /var/sftp on the host.
Now verify that SFTP access does work:
$ sftp ftpuser@localhost
Output:
ftpuser@localhost's password:
Connected to localhost.
sftp>
The SFTP login is allowed, and the folder list can be seen with the ls command:
sftp> ls
files
sftp> ls -l
drwxr-xr-x    2 1000     1000            6 Jun 19 13:31 files
sftp>
The owner and group are shown as numeric ids (1000) rather than as ftpuser because there is no /etc/passwd inside the chroot to resolve them; this is expected.
In this article we have learned how to configure and secure an SFTP user on Ubuntu 16.04 so that it can log in only over SFTP, is confined to a single folder, and cannot open an SSH terminal session. sshd's Match directive supports more elaborate schemes as well: the same restrictions can be applied to a whole group (Match Group) or limited to connections from particular IP addresses (Match Address).