SFTP Server with OpenSSH on Ubuntu 22.04 LTS
SFTP (SSH File Transfer Protocol) is a secure file transfer protocol that provides file access, transfer, and management over a reliable data stream. It's built on SSH and provides all the security features of SSH, including encryption and authentication.
Enhanced Security
SFTP uses SSH encryption to protect both commands and data, preventing passwords and sensitive information from being transmitted in clear text.
Single Connection
Unlike FTP, SFTP uses a single connection for both control commands and data transfer, simplifying firewall configuration.
Integrated Features
SFTP includes file management capabilities like permission manipulation, file locking, and more, beyond simple file transfer.
Prerequisites
- Ubuntu 22.04 LTS server
- Minimum 1GB RAM (2GB recommended)
- Sufficient disk space for your file storage needs
- Root or sudo privileges
- Static IP address configured
- Basic knowledge of Linux command line
1 System Preparation
Update your system and set the hostname:
sudo apt update && sudo apt upgrade -y
sudo hostnamectl set-hostname sftp-server
exec bash
Install necessary utilities:
sudo apt install -y wget curl nano ufw
2 Install OpenSSH Server
Check if OpenSSH server is already installed:
sudo systemctl status ssh
If not installed, install OpenSSH server:
sudo apt install -y openssh-server
Enable and start the SSH service:
sudo systemctl enable ssh
sudo systemctl start ssh
3 Configure Firewall
Allow SSH through the firewall:
sudo ufw allow ssh
sudo ufw enable
Verify the firewall status:
sudo ufw status
4 Create SFTP User and Directory Structure
Create a group for SFTP users:
sudo groupadd sftp-users
Create a dedicated SFTP user:
sudo useradd -m -G sftp-users -s /bin/bash sftpuser
sudo passwd sftpuser
Create the SFTP directory structure:
sudo mkdir -p /var/sftp/uploads
sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp
sudo chown sftpuser:sftp-users /var/sftp/uploads
5 Configure SSH for SFTP
Back up the original SSH configuration file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Add the following configuration at the end of the file:
# SFTP configuration
Match Group sftp-users
    ChrootDirectory /var/sftp
    ForceCommand internal-sftp
    PasswordAuthentication yes
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
6 Restart SSH Service
Restart the SSH service to apply changes:
sudo systemctl restart ssh
Check the status to ensure it's running properly:
sudo systemctl status ssh
7 Test SFTP Connection
Test the SFTP connection from the local machine:
sftp sftpuser@localhost
Test a file upload (the put and exit commands are typed at the sftp> prompt; the user lands in the root of the chroot, where uploads/ is visible):
echo "Test file content" > testfile.txt
sftp sftpuser@localhost
sftp> put testfile.txt uploads/
sftp> exit
Verify the file was uploaded:
sudo ls -la /var/sftp/uploads/
8 Configure Public Key Authentication
Generate SSH key pair on client machine (if needed):
ssh-keygen -t rsa -b 4096 -C "sftpuser@example.com"
Copy the public key to the SFTP server (ssh-copy-id needs to run shell commands over SSH, which ForceCommand internal-sftp prevents for this account, so once the Match block is active the manual method below is the one that works):
ssh-copy-id sftpuser@your_server_ip
Alternatively, manually add the public key:
sudo mkdir -p /home/sftpuser/.ssh
sudo nano /home/sftpuser/.ssh/authorized_keys
sudo chown sftpuser:sftpuser /home/sftpuser/.ssh
sudo chown sftpuser:sftpuser /home/sftpuser/.ssh/authorized_keys
sudo chmod 700 /home/sftpuser/.ssh
sudo chmod 600 /home/sftpuser/.ssh/authorized_keys
Test key-based authentication:
sftp -i ~/.ssh/private_key sftpuser@your_server_ip
9 Advanced Configuration
Configure multiple SFTP users with different directories:
sudo useradd -m -G sftp-users -s /bin/bash sftpuser2
sudo passwd sftpuser2
sudo mkdir -p /var/sftp/user2_uploads
sudo chown root:root /var/sftp/user2_uploads
sudo chmod 755 /var/sftp/user2_uploads
sudo mkdir /var/sftp/user2_uploads/uploads
sudo chown sftpuser2:sftp-users /var/sftp/user2_uploads/uploads
Add user-specific configuration to sshd_config:
sudo nano /etc/ssh/sshd_config
Add user-specific directives. sshd applies only the first value it obtains for each keyword, so this Match User block must be placed before the Match Group sftp-users block (sftpuser2 is a member of that group); if it comes after, its ChrootDirectory is ignored and sftpuser2 is chrooted to /var/sftp:
Match User sftpuser2
    ChrootDirectory /var/sftp/user2_uploads
    ForceCommand internal-sftp
    PasswordAuthentication yes
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
10 Security Hardening
Disable root login and password authentication (optional):
sudo nano /etc/ssh/sshd_config
Change these settings in the main configuration section, above the Match blocks. Note that the Match blocks added earlier set PasswordAuthentication yes for the SFTP users, and a Match value overrides the global one, so remove that line from the Match blocks if those accounts should use keys only:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Change the default SSH port (optional; if you do, also open the new port in ufw, because the ufw allow ssh rule from step 3 only opened port 22):
Port 2222
Allow only specific users to connect (include your own administrative account in this list, or you will lock yourself out):
AllowUsers sftpuser sftpuser2
Restart SSH after making changes:
sudo systemctl restart ssh
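To see why the order of the Match blocks in step 9 matters, and why the PasswordAuthentication no in step 10 does not reach the SFTP accounts, the following script (added here, not part of the tutorial) simulates sshd's documented resolution rule: global directives first, then Match blocks in file order, and for each keyword only the first value obtained is used. The configuration strings are constructed from this page; the group lists passed in are assumptions about the accounts created above.

```python
# Added example: models sshd's rule that, for each keyword, the first value
# obtained wins (Match blocks are checked in file order and override the
# global section). Not part of the tutorial; configs are built from its text.
import fnmatch

def parse_sshd_config(text):
    """Return (global directives, [(match criteria, directives), ...])."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            blocks.append((value.split(), current))
        else:
            (global_opts if current is None else current).setdefault(keyword, value)
    return global_opts, blocks

def match_applies(criteria, user, groups):
    """Evaluate 'Match User ...' / 'Match Group ...' (comma-separated glob patterns)."""
    for crit, patterns in zip(criteria[0::2], criteria[1::2]):
        if crit.lower() not in ("user", "group"):
            raise ValueError("unsupported Match criterion: " + crit)
        names = [user] if crit.lower() == "user" else list(groups)
        if not any(fnmatch.fnmatch(n, p) for n in names for p in patterns.split(",")):
            return False
    return True

def effective_options(text, user, groups):
    """Settings sshd would apply to `user`, who is a member of `groups`."""
    global_opts, blocks = parse_sshd_config(text)
    result = {}
    for criteria, directives in blocks:
        if match_applies(criteria, user, groups):
            for key, value in directives.items():
                result.setdefault(key, value)   # a later Match block cannot override
    for key, value in global_opts.items():
        result.setdefault(key, value)           # Match values override the global section
    return result

GLOBAL = "PasswordAuthentication no\n"
GROUP_BLOCK = ("Match Group sftp-users\n    ChrootDirectory /var/sftp\n"
               "    ForceCommand internal-sftp\n    PasswordAuthentication yes\n")
USER_BLOCK = ("Match User sftpuser2\n    ChrootDirectory /var/sftp/user2_uploads\n"
              "    ForceCommand internal-sftp\n")
PAGE_ORDER = GLOBAL + GROUP_BLOCK + USER_BLOCK   # order as written in this tutorial
FIXED_ORDER = GLOBAL + USER_BLOCK + GROUP_BLOCK  # more specific Match block first
```

effective_options(PAGE_ORDER, "sftpuser2", ["sftpuser2", "sftp-users"]) yields ChrootDirectory /var/sftp, while FIXED_ORDER yields /var/sftp/user2_uploads; on a live server the equivalent check is sudo sshd -T -C user=sftpuser2.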
11 Troubleshooting Common Issues
Check SSH service status:
sudo systemctl status ssh
sudo journalctl -u ssh -f
Check SSH logs for connection issues:
sudo tail -f /var/log/auth.log | grep ssh
Test SSH configuration for errors:
sudo sshd -t
Common issues and solutions:
| Issue | Solution |
|---|---|
| Connection refused | Check firewall settings and SSH service status |
| Permission denied | Verify directory permissions and ownership |
| Chroot directory ownership issues | Ensure chroot directory is owned by root |
| Authentication failures | Check authorized_keys file permissions |