A step-by-step guide to set up an SFTP file transfer server in Linux
Authentication through SSH key or User's password
In this tutorial, we are going to learn how to set up a remote server for secure file transfer between the user's local machine and remote server over SFTP. SFTP is known as Secure File Transfer Protocol or SSH File Transfer Protocol.
Before we start, please ensure the following:
- You have access to a Linux remote machine (this tutorial used Ubuntu server distro 20.xx)
- You have login access to a remote machine through SSH
- Your user account on the remote machine is a member of the sudo group
- The local machine can be of any OS - Mac, Linux, Windows, etc. - on which you can have access to a remote machine through SSH.
Let's first set up a user account by typing the following commands in a terminal on the remote machine.
1. Create a user group
sudo groupadd sftpgroup
2. Create user
sudo useradd -m vyndour
3. Assign a password to the user
sudo passwd vyndour
4. Add user to our sftpgroup
sudo usermod -a -G sftpgroup vyndour
5. Make the user the owner of its own directory
sudo chown vyndour /home/vyndour
6. Give read (r), write (w) and execute (x) access to the user's directory to the user only
sudo chmod 700 /home/vyndour
In case we need to add more users, we can repeat steps 2-6.
Now, let's install the openssh server and set up SFTP settings.
7. First, let's update the existing packages
sudo apt update
sudo apt upgrade
8. Install openssh-server
sudo apt install openssh-server
10. Open the sshd_config file
sudo nano /etc/ssh/sshd_config
11. Copy the following lines to the end of the sshd_config file
# FOR SSH key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# FOR password authentication
PasswordAuthentication yes
# SFTP configuration
Match group sftpgroup
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ctrl+s: save the sshd_config file; ctrl+x: exit from the sshd_config file
If we want SSH key authentication for SFTP file transfer, we need to set PubkeyAuthentication yes, and we also need to specify the name of the file holding the SSH public key: AuthorizedKeysFile .ssh/authorized_keys. We will create the SSH key in step 12 below. Similarly, if we want password authentication for SFTP file transfer, we need to set PasswordAuthentication yes. The password is the user's password that we set earlier in step 3.
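sshd uses the first value it reads for each keyword in the global section, so lines appended to the end of sshd_config do not override an earlier uncommented setting. The following added example (not part of the original tutorial) checks this and the Match block on a constructed sample file; the function names and the sample contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: simplified sshd_config reader (does not follow Include,
# handles only a single-criterion "Match group NAME" line).

# First uncommented value of KEYWORD in the global section (before any Match).
global_value() {  # usage: global_value FILE KEYWORD
    awk -v want="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Value of KEYWORD inside the "Match group GROUP" block.
match_value() {  # usage: match_value FILE GROUP KEYWORD
    awk -v grp="$2" -v want="$3" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
        inblk && tolower($1) == tolower(want) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Exit status 0 only if the block restricts the group to chrooted SFTP.
audit_sftp_block() {  # usage: audit_sftp_block FILE GROUP
    rc=0
    [ -n "$(match_value "$1" "$2" ChrootDirectory)" ] || { echo "ChrootDirectory missing"; rc=1; }
    [ "$(match_value "$1" "$2" ForceCommand)" = "internal-sftp" ] || { echo "ForceCommand is not internal-sftp"; rc=1; }
    for kw in AllowTcpForwarding X11Forwarding; do
        [ "$(match_value "$1" "$2" "$kw")" = "no" ] || { echo "$kw is not no"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: a file that already had a setting, plus the step 11 lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication no
#PubkeyAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
Match group sftpgroup
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF

echo "PasswordAuthentication in effect: $(global_value "$sample" PasswordAuthentication)"
audit_sftp_block "$sample" sftpgroup && echo "sftpgroup block OK"
```

On the server itself, sudo sshd -t checks the file for syntax errors before the restart, and sudo sshd -T -C user=vyndour,host=localhost,addr=127.0.0.1 prints the settings sshd would actually apply to that user, Match block included.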
12. For SSH public key authentication, follow these steps to create and install SSH keys
Open a terminal in our local machine, and create a pair of SSH private and public keys by running the following command.
ssh-keygen -f sftp_rsa -t rsa
Once we run the above command, two files will be generated: the private key sftp_rsa and the public key sftp_rsa.pub. Let's keep the private key secure, with read (r) access for only the user on the user's local system.
We can always change the type of key. Let's stick to the default RSA type key in this tutorial.
# user's local machine
sudo chmod 400 <path to the private key in user's local machine>
Then, on our remote machine, create a file in /home/vyndour/.ssh and name it authorized_keys. Copy the content of the public key sftp_rsa.pub from the local machine to the authorized_keys file on the remote machine.
# create a .ssh directory in the user's directory in the remote machine
sudo mkdir /home/vyndour/.ssh
# Open a new file with the name authorized_keys in the remote machine
sudo nano /home/vyndour/.ssh/authorized_keys
# Manual task: copy and paste the content manually from the sftp_rsa.pub key (local machine) to authorized_keys (remote machine)
# Deny write(w) and execute(x) of authorized_keys by the user with the following command in the remote machine
sudo chmod 644 /home/vyndour/.ssh/authorized_keys
As an alternative to the above method, you can transfer the public-key file sftp_rsa.pub to the remote server using SCP:
# On our local machine, use SCP to transfer the sftp_rsa.pub file to the root directory of the remote machine with the following command
sudo scp -i <ssh key that gives access to remote machine> <path to public key in user's local machine> <sudo user>@<ip address of remote machine>:/
# Create a .ssh directory in the user's directory in the remote machine
sudo mkdir /home/vyndour/.ssh
# In the remote machine, create a file in /home/vyndour/.ssh named authorized_keys, and append the key from the sftp_rsa.pub file located in the root directory /
sudo touch /home/vyndour/.ssh/authorized_keys
# The append must also run as root, so pipe through "sudo tee -a" (a plain ">>" redirect would run as the calling user)
sudo cat /sftp_rsa.pub | sudo tee -a /home/vyndour/.ssh/authorized_keys > /dev/null
# Deny write(w) and execute(x) of authorized_keys by the user with the following command in the remote machine
sudo chmod 644 /home/vyndour/.ssh/authorized_keys
# Don't forget to remove the public key from the root directory
sudo rm /sftp_rsa.pub
13. Restart SSH
Let's now restart the ssh server with the following command:
sudo systemctl restart sshd
14. Monitor the logs (Optional for debugging)
In case we need to debug the login through SSH, we can open the /var/log/auth.log file to monitor the logs live.
sudo tail -f /var/log/auth.log
15. Browse User's directory from the local machine
We can now use software like FileZilla, Cyberduck, or similar to browse the user directory in the remote machine over SFTP with the following typical entries in our local machine:
Host: sftp://vyndour@<remote machine IP address>
Port: 22 # Default SSH port
Password: User's password # if PasswordAuthentication yes in the sshd_config file
Private key path: # if PubkeyAuthentication yes in the sshd_config file
We are done! :)
I hope you enjoyed this post. I would appreciate your feedback/suggestions/comments in the comment section below.
Thanks.