In this guide we will configure an SFTP server on CentOS 8 Linux. By default you do not need to configure SFTP for normal operations: any user who can log in to the server remotely via SSH can also access the SFTP server, and the default directory is the user's home directory. But such users are free to roam the whole server root file system, which is a security risk. To tackle this you have to make some changes in your /etc/ssh/sshd_config file. Before that, let's look at what FTP and SFTP are and how they differ from each other.
FTP: File Transfer Protocol (FTP) is an insecure network protocol used to transfer (download/upload) data between systems over the network in plain text.
SFTP: SFTP (SSH File Transfer Protocol) is a built-in network protocol, usually run as an SSH subsystem, that provides file transfer operations. The sftp-server module implements it together with the SSH server. sftp-server does not provide its services on its own; it is integrated with SSH through the internal-sftp subsystem. A basic SFTP service requires no additional setup.
In this guide we set up and configure the SFTP server under multiple scenarios.
Prerequisite: A CentOS/Red Hat 7/8 operating system with the openssh-server and openssh-clients packages installed. To check this, run the commands below.
rpm -qa openssh-server
rpm -qa openssh-clients
Scenario 1
Configure an SFTP server with a chroot environment and password authentication, and restrict SSH for a user
In this scenario we will configure the SFTP server to allow only a specified user to access SFTP within a specified directory path, without allowing SSH login or access to the root file system (chroot). To accomplish this, follow the steps below.
1) Create a user named sftpuser, which our clients will use to authenticate to the SFTP server.
adduser sftpuser
passwd sftpuser
2) Now create a directory named downloads, which the SFTP server will serve for file transfers.
mkdir -p /var/sftp/downloads
3) Now set permissions on /var/sftp/ and /var/sftp/downloads so that clients have the appropriate permissions over files and directories.
chmod 755 /var/sftp
chown root:root /var/sftp
chown sftpuser:sftpuser /var/sftp/downloads
In the step above, root owns and has full permissions over the /var/sftp/ directory while others have only read and execute permissions, and sftpuser has full permissions and ownership over /var/sftp/downloads.
4) Now edit the /etc/ssh/sshd_config file and append the lines below.
   1) If you want to set up SSH key-based authentication, use the ssh-copy-id command to transfer the public key to the server before editing the sshd_config file, and remove the PasswordAuthentication line from the configuration below.
   2) Comment out the existing Subsystem directive and put the internal-sftp one (Subsystem sftp internal-sftp) in its place, before any Match directive.
Match User sftpuser
    ForceCommand internal-sftp -d /downloads
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
Let's understand the above configuration:
a) internal-sftp implements an in-process SFTP server (no separate sftp-server process is run). This simplifies configurations that use ChrootDirectory to force a different file system root on clients.
b) ForceCommand runs the given command and ignores any command supplied by the client. This restricts the user from executing any command except the specified one.
c) ChrootDirectory /var/sftp/ makes that directory the user's file system root. sshd only accepts a chroot directory if it and every directory above it are owned by root and not writable by any other user or group, which is why step 3 sets 755 and root:root on /var/sftp.
d) PermitTunnel, AllowAgentForwarding, AllowTcpForwarding and X11Forwarding set to no disable tunnelling and every kind of forwarding, so the session can be used for file transfer only.
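As an added example (not from the original guide), the following POSIX shell script checks the requirement that ChrootDirectory imposes on /var/sftp: every directory from / down to the chroot must be owned by root and must not be writable by group or others, otherwise sshd refuses the login with "bad ownership or modes for chroot directory". It assumes GNU stat as shipped on CentOS; the optional expected-owner argument and the default path are this example's own additions so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that a ChrootDirectory
# path meets sshd's requirements. Every component of the path (/, /var,
# /var/sftp ...) must be owned by root and must not be writable by group or
# others. Only the start directory inside the jail (downloads) may be
# user-owned. Assumes GNU stat; the expected-owner argument exists only so the
# check can be exercised without root.

# Check one directory: it must exist, be owned by uid $2 and carry no group
# or other write bit. Prints the reason and returns 1 on failure.
chroot_component_ok() {
    dir=$1
    want_uid=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")           # e.g. 755 or 1777
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected uid $want_uid"
        return 1
    fi
    # Group digit is second from the right, others digit is the last one;
    # value 2 in each digit is the write permission.
    oth=${mode#"${mode%?}"}
    tmp=${mode%?}
    grp=${tmp#"${tmp%?}"}
    if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
        echo "$dir: mode $mode is writable by group or others"
        return 1
    fi
    return 0
}

# Walk from / down to the chroot directory, checking each component.
# Usage: check_chroot_path /var/sftp [expected_uid]   (uid defaults to 0, root)
check_chroot_path() {
    chroot_dir=$1
    want_uid=${2:-0}
    chroot_component_ok / "$want_uid" || return 1
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while splitting the path
    set -- $chroot_dir
    set +f
    IFS=$old_ifs
    path=""
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        chroot_component_ok "$path" "$want_uid" || return 1
    done
    echo "$chroot_dir: ok for ChrootDirectory"
    return 0
}

# Stand-alone run: check the directory given on the command line (default:
# the Scenario 1 chroot).
if ! check_chroot_path "${1:-/var/sftp}"; then
    echo "fix ownership and modes before enabling ChrootDirectory" >&2
fi
```

Run it as check_chroot_path /var/sftp after step 3 and again after any chown or chmod on that path; only the start directory inside the jail (/var/sftp/downloads) is allowed to belong to sftpuser.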
5) Now restart the sshd service and adjust the firewall settings (a --permanent rule takes effect only after firewall-cmd --reload).
sudo systemctl restart sshd.service
sudo firewall-cmd --permanent --add-port=22/tcp
6) Try to access the SFTP server from a client machine, or from the same machine, with the sftpuser username.
Once logged in, you can see that our SFTP server gives access only to the specified directory within the chroot environment.
7) Try to log in to the server remotely with the ssh command. You will get an error.
This is how you configure the SFTP server for one or more users with a chroot environment.
Scenario 2
Now we will configure our SFTP server for multiple users (a group), each within their own separate directory path in a chroot environment. A user will not be able to go beyond that directory path and cannot modify another user's files. Let's start.
I have created two user accounts named client1 and client2 for this scenario and set a password for both accounts. Now we have to add these users to a new group.
1) First of all, create a new group for our SFTP server.
groupadd sftpgrp
2) Add your SFTP users to this new group.
usermod -aG sftpgrp client1
usermod -aG sftpgrp client2
3) Now create a new directory which will act as the root directory for our chroot-jailed users.
mkdir -p /var/sftp/users/
4) Create a directory for each user under the chroot directory /var/sftp/users/.
mkdir -p /var/sftp/users/client1/
mkdir -p /var/sftp/users/client2/
5) Change the permissions of the newly created directories accordingly.
chmod 755 /var/sftp
chown root:root /var/sftp
chmod 755 /var/sftp/users
chown root:sftpgrp /var/sftp/users
chmod 750 /var/sftp/users/client1
chown -R client1:client1 /var/sftp/users/client1
chmod 750 /var/sftp/users/client2
chown -R client2:client2 /var/sftp/users/client2
6) Now open the /etc/ssh/sshd_config file and append the configuration below. If you want to set up SSH key-based login, do it before editing the sshd_config file.
Match Group sftpgrp
    ForceCommand internal-sftp -d %u
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/users/
Let's understand the configuration options:
a) The Match Group sftpgrp block applies the directives that follow it to every member of the sftpgrp group.
b) ChrootDirectory /var/sftp/users/ jails each group member inside that directory, which is why it is owned by root and not writable by the group.
c) The -d option sets the start directory for the login account, and the %u token stands for the login account's username. That means SFTP will place the logged-in user in the directory that carries their own username inside the chroot.
d) The Subsystem directive line in the sshd configuration file is handled as in Scenario 1.
Note that this block, unlike the one in Scenario 1, does not disable forwarding: ForceCommand internal-sftp on its own does not stop TCP or agent forwarding through the server. Add the PermitTunnel, AllowAgentForwarding, AllowTcpForwarding and X11Forwarding lines from Scenario 1 (or DisableForwarding yes) if these users should only transfer files.
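Scenario 1 disables tunnelling and all forwarding inside its Match block, while the Match Group block in this scenario sets only ForceCommand, PasswordAuthentication and ChrootDirectory. Because ForceCommand internal-sftp on its own does not stop TCP or agent forwarding through the server, the following added example (not part of the original guide) lints an sshd_config and reports every chroot Match block that lacks those options or DisableForwarding yes. The sshd_config fragment it writes is constructed for the example from the blocks in this guide; the awk and mktemp usage is standard POSIX.

```shell
#!/bin/sh
# Added example, not part of the original guide: lint the Match blocks of an
# sshd_config for chrooted SFTP users. A chroot block should also carry
# AllowTcpForwarding no, AllowAgentForwarding no, X11Forwarding no and
# PermitTunnel no (or DisableForwarding yes). The sample config below is
# constructed for this example; the file path is whatever you pass in.

# Write a constructed sshd_config fragment to $1 (Scenario 1, Scenario 2 and
# the admin block from Scenario 3 of the guide).
write_sample_config() {
    cat > "$1" <<'EOF'
Subsystem sftp internal-sftp

Match User sftpuser
    ForceCommand internal-sftp -d /downloads
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

Match Group sftpgrp
    ForceCommand internal-sftp -d %u
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/users/

Match User admin
    ForceCommand /bin/top
    DisableForwarding yes
EOF
}

# Print one finding per line for every Match block that sets ChrootDirectory.
# Keywords are case-insensitive, as in sshd_config. Blocks without
# ChrootDirectory (such as the admin block) are not SFTP jails and are skipped.
lint_sftp_match_blocks() {
    awk '
    function report(   i, d) {
        if (block == "" || !("chrootdirectory" in val)) return
        if (!(("forcecommand" in val) && val["forcecommand"] ~ /^internal-sftp/))
            printf "%s: ForceCommand internal-sftp not set\n", block
        if (("disableforwarding" in val) && val["disableforwarding"] == "yes")
            return                      # covers all four forwarding options
        for (i = 1; i <= nreq; i++) {
            d = req[i]
            if (!(tolower(d) in val))
                printf "%s: missing \"%s no\"\n", block, d
            else if (val[tolower(d)] != "no")
                printf "%s: \"%s %s\" should be \"no\"\n", block, d, val[tolower(d)]
        }
    }
    BEGIN {
        nreq = split("AllowTcpForwarding AllowAgentForwarding X11Forwarding PermitTunnel", req, " ")
        block = ""
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    {
        key = tolower($1)
        sub(/^[ \t]*[^ \t]+[ \t]*/, "")     # strip the keyword, keep the value
        if (key == "match") {
            report()
            block = "Match " $0
            for (k in val) delete val[k]
            next
        }
        if (block != "") val[key] = $0
    }
    END { report() }
    ' "$1"
}

# Stand-alone run over the constructed sample: reports the four missing
# forwarding options of the sftpgrp block and nothing for the other two.
cfg=$(mktemp)
write_sample_config "$cfg"
lint_sftp_match_blocks "$cfg"
rm -f "$cfg"
```

On the server, point lint_sftp_match_blocks at /etc/ssh/sshd_config, and validate the edited file with sshd -t before restarting, since a syntax error keeps the new sshd from starting.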
7) Restart the sshd service and set up the firewall rules.
systemctl restart sshd
8) Try out the SFTP server from the local or a remote machine.
sftp client1@localhost
sftp client2@localhost
Test your configuration, e.g. by browsing another user's home directory, trying to create some files there, or trying to access the / root file system or anything beyond the chroot environment.
9) Exit the SFTP server and try SSH login with the same user.
ssh client1@localhost
That's how you configure SFTP for multiple users with separate directories.
Scenario 3
In the above scenarios we have seen that
Configure the SFTP server to restrict a user from accessing the SFTP file server
Let's assume you have a user account on your SFTP server named admin, and you don't want to allow the admin user to access SFTP file services. You can disable SFTP for the admin user by editing the sshd_config file.
Append the configuration below for your admin account:
Match User admin
    ForceCommand /usr/bin/false
#OR
DenyUsers admin
To restrict the user admin you can use either the ForceCommand directive or the DenyUsers directive (DenyUsers is a global directive and goes outside any Match block).
Save the configuration and restart sshd.service:
systemctl restart sshd
Then try to access SFTP as the admin user. You will no longer be allowed to access SFTP.
sftp admin@localhost
Configure the SFTP server for a regular user with limited shell access and no SFTP access
However, the above configuration also blocks the user from SSH login to the SFTP server. This is a deliberate security measure: if a user is not permitted to access the SFTP file server but is allowed SSH login, he or she can still do anything on the server that their permissions allow, including accessing files and directories and even the root file system.
But if you really need to permit your user SSH login for some important task, e.g. monitoring server resources with the top command, you can do that by configuring the sshd_config file. Below is the configuration to do that.
Match User admin
    ForceCommand /bin/top
    DisableForwarding yes
The above configuration allows user admin to run the top command remotely on the SFTP server. But when you try to access SFTP, it gives you an error. DisableForwarding lets you enable or disable all forwarding at once.
If you need multiple tasks to be executed on the SFTP server, write a script and give the absolute path to your script in ForceCommand. This is how you configure the SFTP server for a regular user with limited shell access and no SFTP access.
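The guide suggests a script for ForceCommand when the user needs more than one command. As an added example that is not part of the original guide, the wrapper below allows a fixed list of commands (top, uptime and df), refuses everything else including an sftp subsystem request, and never passes client-supplied arguments through. The install path /usr/local/sbin/limited-shell.sh and the program paths under /usr/bin are assumptions of this example; SSH_ORIGINAL_COMMAND is the variable sshd sets to the command the client requested when a forced command runs.

```shell
#!/bin/sh
# Added example, not part of the original guide: a ForceCommand wrapper that
# lets a user run a fixed set of commands and nothing else. sshd puts the
# command the client asked for into SSH_ORIGINAL_COMMAND when a forced command
# runs; a plain interactive login leaves it unset. Assumed sshd_config use:
#   Match User admin
#       ForceCommand /usr/local/sbin/limited-shell.sh
#       DisableForwarding yes
# Program paths under /usr/bin are assumed for CentOS 8.

# Print the program to run for a requested command line, or print nothing
# and return 1 when the request is not on the list. Only the first word is
# consulted and no client arguments are passed on, so "top; sh", option
# injection or an sftp subsystem request all fall through to the refusal.
resolve_command() {
    set -f                  # no globbing while splitting the request
    set -- $1               # $1 becomes the first word of the request
    set +f
    case ${1-} in
        "")     echo /usr/bin/top ;;      # "ssh admin@host" with no command
        top)    echo /usr/bin/top ;;
        uptime) echo /usr/bin/uptime ;;
        df)     echo /usr/bin/df ;;
        *)      return 1 ;;
    esac
}

# Entry point when sshd runs the installed script: refuse or exec the program.
main() {
    prog=$(resolve_command "${SSH_ORIGINAL_COMMAND-}") || {
        echo "command not permitted: ${SSH_ORIGINAL_COMMAND-}" >&2
        exit 1
    }
    exec "$prog"
}

# Only act as the wrapper when installed under the assumed name, so the file
# can also be sourced or read as an example.
case $0 in
    */limited-shell.sh) main ;;
esac
```

Install the script with mode 755 and owned by root, since a wrapper the user can edit would let them run anything.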
Other Scenarios
So we have learned how to configure an SFTP file server under different scenarios. There are many other scenarios as well; some are briefly explained below.
1) Allow access to the SFTP file server from a specific machine IP address and block access from any other IP. Append the configuration below in the /etc/ssh/sshd_config file.
Note: the Address option should carry the same IP address (xx.xx.xx.xx) in both Match directives.
2) If you want to change the permissions of files newly created or transferred to the SFTP server, use the umask option. Edit the line below in your /etc/ssh/sshd_config file.
Here the -u option stands for umask, and 0022 clears the write bits for group and others, so the file owner keeps full permissions while group and others get only read (and, for directories, execute) permissions.
SFTP Commands
Read How To Run SFTP Commands To Transfer Files
These are some basic ways to configure our SFTP server. You can learn more about SFTP and the sshd_config file from the official documentation page.
I hope this guide helped you start configuring your own SFTP server.
References: ssh_config(5), OpenSSH WikiBooks, sftp-server(8), DigitalOcean, Red Hat, ServerFault