SFTP or SSH File Transfer Protocol is a method for securely transferring data between two computers and more. It’s FTP that runs on top of SSH protocol and takes advantage of its security and fully supports its authentication.
Nowadays, it’s recommended to use SFTP instead of legacy old FTP or FTP/S protocol. SFTP is secure by default because that is how SSH works. From a security standpoint, SFTP also protects you against password sniffing and man-in-the-middle attack (MiTM).
Just like SSH, SFTP also protects your data integrity using the encryption and cryptographic hash function. Also, it supports multiple secure authentication methods, including password and key-based authentication. Also, it reduces server open port to the outside network, because it’s run on the same port as SSH protocol.
In this guide, you will learn how to set up SFTP Server on a Linux system. Also, you’ll learn the basic command of the sftp client.
Below is the current environment for the implementation:
- A Linux Server – you can use Debian, Ubuntu, CentOS, Fedora, Rocky, or any other Linux distribution.
- Make sure OpenSSH packages are available on your Linux system.
- SFTP client – sftp command-line or any GUI client as you preferred.
Verify OpenSSH Packages
To set up an SFTP server, you must have OpenSSH packages installed on your Linux system. Almost all Linux Distribution server has the OpenSSH packages installed by default. But, in case you don’t have the OpenSSH package on your system, you can install it from the official repository.
1. To make sure that OpenSSH packages are installed on your Linux system, use the following command.
For Debian or Ubuntu servers, you can use the dpkg command below.
dpkg -l | grep ssh
Below is the output from our Debian system.
ii libssh2-1:amd64 1.9.0-2 amd64 SSH2 client-side library ii openssh-client 1:8.4p1-5 amd64 secure shell (SSH) client, for secure access to remote machines ii openssh-server 1:8.4p1-5 amd64 secure shell (SSH) server, for secure access from remote machines ii openssh-sftp-server 1:8.4p1-5 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
The first column ‘ii‘ means the package is installed. The package ‘openssh-sftp-server‘ is installed on the Debian/Ubuntu system.
For RHEL/CentOS/Fedora/Rocky Linux/AlmaLinux users, you can use the rpm command as below.
rpm -qa | grep ssh
Create Group and User
At this step, you will be creating a new group and user for the SFTP server. Users within this group will be allowed to access the SFTP server. And for security reasons, SFTP users cannot access the SSH service. SFTP users only access the SFTP server.
1. Execute the following command to create a new group ‘sftpgroup‘.
sudo groupadd sftpgroup
2. Create a new user ‘sftpuser‘ using the following command.
sudo useradd -G sftpgroup -d /srv/sftpuser -s /sbin/nologin sftpuser
- -G : automatically add the user to the ‘sftpgroup‘.
- -d : specify the home directory for the new user.
- -s : set the default for the new user to ‘/sbin/nologin‘, which means the user cannot access the SSH Server.
3. Next, create the password for user ‘sftpuser‘ using the command below.
Type your strong password and repeat, then press ‘Enter‘ to confirm.
To add more users, repeat stages number 2 and 3, and most importantly, all SFTP users must be in the group ‘sftpgroup‘ with no shell access through SSH.
Setup Chroot Jail Directory
After creating a new group and user, you must create and configure the chroot directory for SFTP users.
1. For the user ‘sftpuser’, the new home directory will be at the ‘/srv/sftpuser’. Execute the command below to create it.
mkdir -p /srv/sftpuser
2. To set up chroot for user ‘sftpuser‘, you must change the ownership of the directory to the user root, but remain the group to read and execute without write access.
Change the ownership of the directory to user ‘root’ using the following command.
sudo chown root /srv/sftpuser
Give the group permission to read and execute, but not to write.
sudo chmod g+rx /srv/sftpuser
3. Next, create a new ‘data’ directory inside the ‘/srv/sftpuser‘ directory and change the ownership of that ‘data‘ directory to the user ‘sftpuser‘.
mkdir -p /srv/sftpuser/data chown sftpuser:sftpuser /srv/sftpuser/data
So far, below details configuration for the SFTP user directory.
- The directory ‘/srv/sftuser’ is the default home directory.
- The user ‘sftpuser‘ cannot write to the directory ‘/srv/sftpuser‘, but can read inside that directory.
- The user ‘sftpuser‘ can upload files to the SFTP server at the directory ‘/srv/sftpuser/data‘.
Enable SFTP on SSH Server
To enable the SFTP server on the OpenSSH, you must edit the SSH configuration ‘/etc/ssh/sshd_config’.
1. Edit the ssh configuration ‘/etc/ssh/sshd_config‘ using nano or vim.
sudo nano /etc/ssh/sshd_config
2. Comment the following configuration to disable the standalone ‘sftp-server‘ feature.
#Subsystem sftp /usr/lib/openssh/sftp-server
3. Paste the following configuration to the bottom of the line.
Subsystem sftp internal-sftp Match Group sftpgroup ChrootDirectory %h X11Forwarding no AllowTCPForwarding no ForceCommand internal-sftp
Save the configuration and exit.
- Instead of using the sub-process ‘sftp-server‘, we’re using the ‘internal-sftp‘.
- The SFTP server enabled for group ‘sftpgroup‘.
4. To apply a new configuration, restart the ssh service using the command below.
sudo systemctl restart sshd
The SFTP server is ready and accessible, and it’s running on the same port as the SSH service.
Access the SFTP Server
On the client-side, we will use the sftp command line, which is installed by default on most Linux Distributions. But, you can also be using another command-line client or GUI FTP client such as FileZilla, Cyberduck, etc.
1. To connect to the SFTP server, execute the sftp command as below.
sftp [email protected]
If your SFTP and/or SSH server running on the custom port, you can use the sftp command as below.
sftp -P PORT [email protected]
Type the password for the ‘sftpuser‘.
2. Once you are connected to the SFTP server, execute the following command.
Show current path working directory and list all available files and directories.
3. Upload a local file to the SFTP server on the directory ‘/‘, which will result as ‘permission denied‘, because it’s the chroot directory.
put /path/to/file/on/local /
4. Upload a local file to the directory ‘/data/‘ on the SFTP server. If your configuration is correct, your file will be uploaded to the ‘/data/‘ directory.
put /path/to/file1/on/local1 /data/ put /path/to/file2/on/local /data/
5. Now check available files on the ‘/data‘ directory using the following command.
And you will see your file uploaded to the SFTP server.
Congratulations! You’ve successfully configured the SFTP Server on the Linux system. This type of configuration can be applied on most Linux systems with OpenSSH installed on top of it. Also, you’ve learned how to set up the chroot directory for SFTP users and learned the basic sftp client command.