DEV Community

loading...
Cover image for A step-by-step guide to set up an SFTP file transfer server in Linux

A step-by-step guide to set up an SFTP file transfer server in Linux

CodeFuture
Originally published at blog.codefuture.dev ・4 min read

In this tutorial, we are going to learn how to set up a remote server for secure file transfer between the user's local machine and remote server over SFTP. SFTP is known as Secure File Transfer Protocol or SSH File Transfer Protocol.

Before we start, please ensure the following:

  1. You have access to a Linux remote machine (this tutorial used Ubuntu server distro 20.xx)
  2. You have login access to a remote machine through SSH
  3. The User access you have is listed under sudo group
  4. The local machine can be of any OS - Mac, Linux, Windows, etc. - on which you can have access to a remote machine through SSH.

Let's first set up a user account typing the following commands in a terminal of the remote machine.

1. Create a user group

sudo groupadd sftpgroup
Enter fullscreen mode Exit fullscreen mode

2. Create user

sudo useradd -m vyndour 
Enter fullscreen mode Exit fullscreen mode

3. Assign a password to the user

sudo passwd vyndour
Enter fullscreen mode Exit fullscreen mode

4. Add user to our sftpgroup

sudo usermod -a -G sftpgroup vyndour
Enter fullscreen mode Exit fullscreen mode

6. Make user the owner of it's own directory

sudo chown vyndour /home/vyndour
Enter fullscreen mode Exit fullscreen mode

5. Give read(r),write(w) and execute(x) access of user's directory to only user

sudo chmod 700 /home/vyndour
Enter fullscreen mode Exit fullscreen mode

In case we need to add more users, we can repeat steps 2-6.

Now, let's install the openssh server and set up SFTP settings.

7. First, let's update the existing packages

sudo apt update
sudo apt upgrade
Enter fullscreen mode Exit fullscreen mode

8. Install openssh-sever

sudo apt install openssh-server
Enter fullscreen mode Exit fullscreen mode

9. Open SSHD_config file

sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode

10. Copy the following lines at the end of the _sshd_config_file

# FOR SSH key authentication

PubkeyAuthentication yes
AuthorizedKeysFile    .ssh/authorized_keys

# FOR password authentication

PasswordAuthentication yes

#  SFTP configuration

Match group sftpgroup
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Enter fullscreen mode Exit fullscreen mode
ctrl+s : save the sshd_config file and ctr+x: exit from sshd_config file

If we want SSH key authentication for SFTP file transfer, we need to set PubkeyAuthentication yes and also we need to specify the file name holding SSH public key AuthorizedKeysFile .ssh/authorized_keys. We will create SSH key in step - 12 below.

Similarly, if we want password authentication for SFTP file transfer, we need to set PasswordAuthentication yes. The password is the user's password that we have set earlier in step-3.

11. For SSH public key authetication , follow the following steps to create and install SSH keys

Open a terminal in our local machine, and create a pair of SSH private and public keys by running the following command.

ssh-keygen -f sftp_rsa -t rsa
Enter fullscreen mode Exit fullscreen mode

Once we run the above command, two files will be generated - one private key sftp_rsa and the public key sftp_rsa.pub. Let's Keep the private key securely with read(r) access to only the user in the user's local system.

We can always change the type of key. Let's stick to the default RSA type key in this tutorial.

# On  user's local machine
sudo chmod 400 <path to the private key in user's local machine>
Enter fullscreen mode Exit fullscreen mode

Then, in our remote PC create a file in /home/vyndour/.ssh and name it as authorized_keys. Copy the content of public key sftp_rsa.pub from local machine to authorized_keys file in a remote machine.

create a .ssh directory in the user's directory in the remote machine.

sudo mkdir /home/vyndour/.ssh
Enter fullscreen mode Exit fullscreen mode

Open a new file with the name authorized_keys in the remote machine

    sudo nano /home/vyndour/.ssh/authorized_keys
Enter fullscreen mode Exit fullscreen mode

Manual task: copy and paste the content manually from sftp_rsa.pub (local machine) key to the authorized_keys (remote machine)

Deny write(w) and execute(x) of authorized_keys by the user with the following command in the remote machine.

sudo chmod 644 /home/vyndour/.ssh/authorized_keys
Enter fullscreen mode Exit fullscreen mode

As an alternative to the above method, you can transfer the public-key file sftp_rsa to the remote server using SCP. In our local machine, use SCP to transfer sftp_rsa.pub file to root directory of remote machine with the following command.

sudo scp -i <ssh key that gives access to remote machine> <path to public key in user's local machine> <sudo user>@<ip address of remote machine>:/
Enter fullscreen mode Exit fullscreen mode

create a .ssh directory in the user's directory in the remote machine.

sudo mkdir /home/vyndour/.ssh
Enter fullscreen mode Exit fullscreen mode

In the remote machine, create a file in /home/vyndour/.ssh and name it as authorized_keys, and append the key from sftp_rsa.pub file located in root directory/.

sudo touch /home/vyndour/authorized_keys
sudo cat /sftp_rsa.pub >> /home/vyndour/.ssh/authorized_keys
Enter fullscreen mode Exit fullscreen mode

Deny delete of authorized_keys by the user with the following command in the remote machine.

sudo chmod 644 /home/vyndour/.ssh/authorized_keys
Enter fullscreen mode Exit fullscreen mode

Don't forget to remove the public key from the root directory.

sudo rm /sftp_rsa.pub
Enter fullscreen mode Exit fullscreen mode

12. Restart SSH

Let's now restart the ssh server with the following command:

sudo systemctl restart sshd
Enter fullscreen mode Exit fullscreen mode

13. Monitor the logs (Optional for debugging)

In case we need to debug the login through SSH, we can open the /var/log/auth.log file to live monitor the logs.

sudo tail -f /var/log/auth.log
Enter fullscreen mode Exit fullscreen mode

14. Browse User's directory from the local machine

We can now use software like FileZilla, Cyberduck, or similar to browse the user directory in the remote machine over SFTP with the following typical entries in our local machine:

  • Host: sftp://vyndour@

  • Port : 22 # Default SSH port

  • Password: User's password # if PasswordAuthentication yes in sshd_config file

  • Private key path: # if PubkeyAuthentication yes in sshd_config file

We are done! :)
I hope you enjoyed this post. I would appreciate your feedback/suggestions/comments in the comment section below.

Thanks.

Follow Me :

YouTube CodeFuture , Twitter

#SFTP #Linux #Ubuntu #SSH #File Transfer

Discussion (0)