A step-by-step guide to set up an SFTP file transfer server in Linux
Authentication through SSH key or User's password
In this tutorial, we are going to learn how to set up a remote server for secure file transfer between the user's local machine and remote server over SFTP. SFTP is known as Secure File Transfer Protocol or SSH File Transfer Protocol.
Before we start, please ensure the following:
- You have access to a Linux remote machine (this tutorial used Ubuntu server distro 20.xx)
- You have login access to a remote machine through SSH
- Your user account is a member of the sudo group
- The local machine can be of any OS - Mac, Linux, Windows, etc. - on which you can have access to a remote machine through SSH.
Let's first set up a user account typing the following commands in a terminal of the remote machine.
1. Create a user group
sudo groupadd sftpgroup
2. Create user
sudo useradd -m vyndour
3. Assign a password to the user
sudo passwd vyndour
4. Add user to our sftpgroup
sudo usermod -a -G sftpgroup vyndour
5. Make the user the owner of its own directory
sudo chown vyndour /home/vyndour
6. Give read (r), write (w) and execute (x) access to the user's directory to the user only
sudo chmod 700 /home/vyndour
In case we need to add more users, we can repeat steps 2-6.
Now, let's install the openssh server and set up SFTP settings.
7. First, let's update the existing packages
sudo apt update
sudo apt upgrade
8. Install openssh-server
sudo apt install openssh-server
10. Open the sshd_config file
sudo nano /etc/ssh/sshd_config
11. Copy the following lines at the end of the _sshd_config_ file
# For SSH key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For password authentication
PasswordAuthentication yes
# SFTP configuration
Match group sftpgroup
    ChrootDirectory /home
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Press ctrl+s to save the _sshd_config_ file and ctrl+x to exit from it.
If we want SSH key authentication for SFTP file transfer, we need to set PubkeyAuthentication yes, and we also need to specify the name of the file holding the SSH public key with AuthorizedKeysFile .ssh/authorized_keys. We will create the SSH key in step 12 below.
Similarly, if we want password authentication for SFTP file transfer, we need to set PasswordAuthentication yes. The password is the user's password that we set earlier in step 3.
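A caveat for step 11, shown as an added example that is not part of the original tutorial: sshd uses the first value it reads for each keyword, so a line appended at the end of sshd_config is ignored when an earlier line already sets the same keyword. The function names and the sample config below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial). sshd_config rule being shown:
# the first value obtained for a keyword wins, and every line after a "Match"
# line belongs to that Match block, not to the global section.
# Simplifications: "Include" files are not followed; only whitespace-separated
# "Keyword value" lines are understood.

# global_values KEYWORD FILE -> one "LINE VALUE STATUS" row per global occurrence
global_values() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) == "match"   { exit }        # global section ends here
        tolower($1) == key {
            print NR, $2, (seen++ ? "ignored" : "effective")
        }
    ' "$2"
}

# effective_global KEYWORD FILE -> the value sshd will use globally (or empty)
effective_global() {
    global_values "$1" "$2" | awk '$3 == "effective" { print $2 }'
}

# Constructed sample: a config that already disabled passwords near the top,
# with the lines from step 11 appended at the end.
write_sample_config() {
    cat > "$1" <<'EOF'
# (constructed) setting already present in the file
PasswordAuthentication no
# (constructed) lines appended as in step 11
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
Match group sftpgroup
    ChrootDirectory /home
    ForceCommand internal-sftp
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
for kw in PasswordAuthentication PubkeyAuthentication; do
    echo "== $kw"
    global_values "$kw" "$sample"
done
rm -f "$sample"
```

On the server itself, `sudo sshd -t` checks the file for syntax errors before the restart in step 13, and `sudo sshd -T` prints the settings sshd will actually apply.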
12. For SSH public key authentication, follow these steps to create and install SSH keys
Open a terminal on our local machine, and create a pair of SSH private and public keys by running the following command.
ssh-keygen -f sftp_rsa -t rsa
Once we run the above command, two files will be generated: the private key sftp_rsa and the public key sftp_rsa.pub. Let's keep the private key secure, with read (r) access for only the user on the user's local system.
We can always change the type of key. Let's stick to the default RSA type key in this tutorial.
# user's local machine
sudo chmod 400 <path to the private key in user's local machine>
Then, on our remote PC, create a file in /home/vyndour/.ssh and name it authorized_keys. Copy the content of the public key sftp_rsa.pub from the local machine to the authorized_keys file on the remote machine.
# Create a .ssh directory in the user's directory on the remote machine
sudo mkdir /home/vyndour/.ssh
# Open a new file with the name authorized_keys on the remote machine
sudo nano /home/vyndour/.ssh/authorized_keys
# Manual task: copy and paste the content of the sftp_rsa.pub key (local machine) into authorized_keys (remote machine)
# Deny write (w) and execute (x) of authorized_keys by the user with the following command on the remote machine
sudo chmod 644 /home/vyndour/.ssh/authorized_keys
As an alternative to the above method, you can transfer the public key file sftp_rsa.pub to the remote server using SCP.
# On our local machine, use SCP to transfer the sftp_rsa.pub file to the root directory of the remote machine
sudo scp -i <ssh key that gives access to remote machine> <path to public key in user's local machine> <sudo user>@<ip address of remote machine>:/
# Create a .ssh directory in the user's directory on the remote machine
sudo mkdir /home/vyndour/.ssh
# On the remote machine, create a file named authorized_keys in /home/vyndour/.ssh and append the key from the sftp_rsa.pub file located in the root directory /
sudo touch /home/vyndour/.ssh/authorized_keys
# The >> redirection must also run as root, so the append is wrapped in a root shell
sudo sh -c 'cat /sftp_rsa.pub >> /home/vyndour/.ssh/authorized_keys'
# Make authorized_keys writable only by its owner (root, because it was created with sudo)
sudo chmod 644 /home/vyndour/.ssh/authorized_keys
# Don't forget to remove the public key from the root directory
sudo rm /sftp_rsa.pub
13. Restart SSH
Let's now restart the ssh server with the following command:
sudo systemctl restart sshd
14. Monitor the logs (Optional for debugging)
In case we need to debug the login through SSH, we can open the /var/log/auth.log file to monitor the logs live.
sudo tail -f /var/log/auth.log
15. Browse User's directory from the local machine
We can now use software like FileZilla, Cyberduck, or similar to browse the user directory in the remote machine over SFTP with the following typical entries in our local machine:
sftp://vyndour@<remote machine IP address>
Port : 22 # Default SSH port
Password: User's password # if PasswordAuthentication yes in sshd_config file
Private key path: # if
We are done! :)
I hope you enjoyed this post. I would appreciate your feedback/suggestions/comments in the comment section below.