SFTP (the SSH File Transfer Protocol) is a file transfer protocol that runs as a subsystem of the Secure Shell (SSH) protocol. Despite the name it is not FTP tunnelled through SSH; it is a separate protocol that inherits SSH's authentication, encryption and integrity protection, so the data is protected as it moves from one point to another.
This article assumes you want to create new SFTP-only users on a Linux machine. The example uses Ubuntu 18.04.
Enabling and Creating SFTP users:
To enable SFTP-only access you configure it in the SSH daemon's configuration file, usually /etc/ssh/sshd_config. Ubuntu's default file already contains the Subsystem line shown below, and sshd refuses to start if `Subsystem sftp` is defined twice, so replace the existing line rather than adding a second one. The Match block must be the last thing in the file, because every directive after a Match line belongs to that block until the next Match:

```
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

Match group sftp
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp
```
Options explained:

| Option | Description |
|---|---|
| Subsystem | Declares an external subsystem that an SSH client can request by name. Here the name `sftp` is mapped to the sftp-server binary; the value `internal-sftp` would instead run the server inside sshd itself. |
| Match | Starts a conditional block: the directives that follow apply only to connections matching the condition, here any user whose group is `sftp`. This restricts what members of the group can do; it does not stop other users with shell access from using SFTP, since the subsystem is still available to them. |
| X11Forwarding | Lets the client's X11 display be tunnelled over the SSH connection. An SFTP-only user has no need for it, and every unnecessary forwarding widens what a compromised account can reach, so it is disabled. |
| AllowTCPForwarding | TCP forwarding lets a client tunnel arbitrary TCP connections (local, remote or dynamic port forwarding) through an established SSH session. With it enabled an SFTP user could use the server as a pivot into the network behind it, so leave it disabled unless you have planned for that. |
| ForceCommand | Ignores whatever command the client requested and runs the given one instead. `internal-sftp` starts the in-process SFTP server, which needs no binaries or support files inside the chroot when combined with ChrootDirectory. Without ChrootDirectory the user is still limited to SFTP, but can browse any path their Unix permissions allow. |
Once you have edited the SSH config file, check that it still parses (`sshd -t` prints nothing and exits 0 on success; a duplicate Subsystem line or a typo is reported here instead of taking the service down), then restart OpenSSH:

```
service ssh restart
```
Now create the SFTP users and place them in the right group. The `sftp` group must exist before this step (Ubuntu does not create it for you; create it with groupadd), otherwise useradd fails with "group 'sftp' does not exist":

```
useradd -m [newsftpuser] -g sftp
```

Set the password:

```
passwd [newsftpuser]
```
Now you can test the SFTP connection from a different machine:

```
sftp [newsftpuser]@[serverIPaddress]
```
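The whole procedure above, as an added example script that is not part of the original article: it rewrites sshd_config idempotently (removing Ubuntu's existing Subsystem line instead of duplicating it), validates the result with `sshd -t` before installing and restarting, and creates a user whose chroot tree satisfies sshd's ownership rules. The chroot base /srv/sftp, the per-user `upload` directory and the `ChrootDirectory` line are assumptions added for illustration; the article's own configuration has no chroot.

```shell
#!/bin/sh
# Added example, not from the original article: apply the SFTP block to
# sshd_config idempotently, validate it before restarting sshd, and create a
# user whose chroot tree meets sshd's ownership rules. Paths are Ubuntu 18.04
# defaults; the chroot base /srv/sftp and the "upload" subdirectory are
# assumptions for illustration.
set -eu

SFTP_BASE=/srv/sftp   # assumed chroot base, one subdirectory per user

# The block appended to sshd_config. ChrootDirectory confines each user to
# SFTP_BASE/<user>; ForceCommand internal-sftp runs the in-process server, so
# no binaries are needed inside the chroot.
SFTP_BLOCK="# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

Match Group sftp
    ChrootDirectory $SFTP_BASE/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no"

# render_sftp_config IN OUT: copy IN to OUT without any existing
# "Subsystem sftp" line (Ubuntu ships one, and sshd rejects a duplicate) and
# without a previously appended "Match Group sftp" block, then append the
# block once. Running it on its own output therefore changes nothing.
render_sftp_config() {
    awk '
        /^# override default of no subsystems$/ { next }
        /^[ \t]*Subsystem[ \t]+sftp[ \t]/        { next }
        /^[ \t]*Match[ \t]+[Gg]roup[ \t]+sftp([ \t]|$)/ { skip = 1; next }
        skip && /^[ \t]*Match[ \t]/               { skip = 0 }
        skip                                     { next }
        { print }
    ' "$1" > "$2"
    printf '\n%s\n' "$SFTP_BLOCK" >> "$2"
}

# count_sftp_subsystems FILE: number of "Subsystem sftp" lines; must be 1.
count_sftp_subsystems() {
    grep -Ec '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$1" || true
}

# apply_sftp_config [CONFIG]: render to a temp file, let sshd parse it with
# "sshd -t" (non-zero exit on any error, so set -e stops here), then install
# it, keeping a backup, and restart the service.
apply_sftp_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    tmp=$(mktemp)
    render_sftp_config "$cfg" "$tmp"
    sshd -t -f "$tmp"
    cp -p "$cfg" "$cfg.bak"
    install -m 0644 "$tmp" "$cfg"
    rm -f "$tmp"
    systemctl restart ssh
}

# add_sftp_user NAME: create the sftp group if missing, a user with no login
# shell, and the chroot tree. Every component of the ChrootDirectory path must
# be owned by root and not group- or world-writable or sshd refuses the login,
# so the user gets a writable "upload" directory inside the chroot instead.
# The session starts at the chroot root because the home path does not exist
# inside it; sshd tolerates that for chrooted sessions.
add_sftp_user() {
    name="$1"
    getent group sftp >/dev/null || groupadd sftp
    useradd -M -d "$SFTP_BASE/$name" -g sftp -s /usr/sbin/nologin "$name"
    install -d -o root -g root -m 0755 "$SFTP_BASE" "$SFTP_BASE/$name"
    install -d -o "$name" -g sftp -m 0750 "$SFTP_BASE/$name/upload"
    passwd "$name"
}

case "${1:-}" in
    apply)   apply_sftp_config "${2:-/etc/ssh/sshd_config}" ;;
    adduser) add_sftp_user "${2:?user name required}" ;;
    '')      ;;   # no arguments: only define the functions
    *)       echo "usage: $0 apply [sshd_config] | adduser NAME" >&2; exit 2 ;;
esac
```

Run `sh sftp-setup.sh apply` as root to rewrite and reload the configuration, then `sh sftp-setup.sh adduser alice` for each account; the user logs in with `sftp alice@server` and lands in a root-owned directory containing only `upload`. The rendering and counting functions need no privileges, so the config rewrite can be exercised on a copy of sshd_config before touching the real one.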