Linux: providing an SFTP service environment for users who do not use SSH

Source: Internet
Author: User
Tags ftp ftp client ssh file transfer protocol port number


SFTP is short for Secure File Transfer Protocol, a secure form of FTP. It provides an encrypted channel for transferring files, and its syntax and functionality are almost the same as FTP's. SFTP is part of SSH and is a secure way to transfer files to a remote server. In fact, the SSH package already contains a secure file transfer subsystem called SFTP. SFTP has no separate daemon of its own; it relies on the sshd daemon (which listens on port 22 by default) to complete the connection, so in a sense sftp is less like a server program and more like a client program. SFTP encrypts both the authentication information and the transferred data, so it is safe to use. Because this transfer method uses encryption and decryption, its transfer efficiency is much lower than that of ordinary FTP; if your network security requirements are high, you can use SFTP instead of FTP.

PS: the difference between FTP and SFTP

FTP is a file transfer protocol. If you want to share files with other people over the network, the most convenient way is to upload the files to an FTP server, and other people then download the files they need with an FTP client program.

FTP transfers files over two ports. The ports normally required are:

1. Control connection: TCP port 21. The control side. Used to send commands to the server and wait for the server's response.

2. Data connection: TCP port 20. The data transfer port. Used to establish a data transfer channel: sending a file from the client to the server, sending a file from the server to the client, or sending a file or directory listing from the server to the client.

To adapt to different network environments, FTP supports two modes: active connections and passive connections. Both modes concern only the data connection and have nothing to do with the control connection.

FTP security risks:

1. Vulnerabilities in the FTP server software.

2. Passwords sent in clear text.

3. The FTP banner, which reveals the server software.

4. Port scanning through the FTP server.

5. Data hijacking.

Security policy for FTP:

1. Use a more secure operating system and FTP server software.

2. Transmit the username and password in encrypted form.

3. Change the service software banner.

4. Strengthen the security of the protocol itself.

Configuring the SFTP environment for non-SSH users

SFTP is the abbreviation of Secure File Transfer Protocol, a secure form of FTP. It provides an encrypted channel for transferring files, and its syntax and functions are almost the same as FTP's.

Step 1: Create a group

The code is as follows:

[root@localhost ~]# groupadd sftp_users

Step 2: Assign the group (sftp_users) to the user

If the user does not exist on the system yet, create it with the following commands (LCTT: this gives the user a shell that cannot log in, to prevent logging in via SSH):

The code is as follows:

[root@localhost ~]# useradd -g sftp_users -s /sbin/nologin jack

[root@localhost ~]# passwd jack

For a user that already exists, modify it with the following usermod command:

The code is as follows:

[root@localhost ~]# usermod -g sftp_users -s /sbin/nologin jack

Note: if you want to change the user's default home directory, use the '-d' option of the useradd and usermod commands and set the appropriate permissions on the new directory.

Step 3: Now edit the configuration file "/etc/ssh/sshd_config"

The code is as follows:

# vi /etc/ssh/sshd_config

# comment out the line below and add the one after it
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# add the lines below at the end of the file
Match Group sftp_users
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp

Match Group sftp_users: this directive specifies that the lines following it apply only to users in the sftp_users group.

ChrootDirectory %h: this directive specifies the path (by default the user's home directory) used as the chroot environment after the user authenticates. For the user jack, the path is /home/jack.

ForceCommand internal-sftp: this directive forces the in-process SFTP server and ignores any commands in the user's ~/.ssh/rc file.

Restart the SSH service

The code is as follows:

# service sshd restart

Step 4: Set permissions

The code is as follows:

[root@localhost ~]# chmod 755 /home/jack

[root@localhost ~]# chown root /home/jack

[root@localhost ~]# chgrp -R sftp_users /home/jack

If you want to allow the user jack to upload files, create an upload folder and set its ownership as follows:

The code is as follows:

[root@localhost jack]# mkdir /home/jack/upload

[root@localhost jack]# chown jack. /home/jack/upload/

Step 5: Now try to access the system and test

First, attempt to access the system via SSH.

As the following illustration shows, the user jack logs in through SFTP and, because of the chroot environment, cannot change to directories outside it.

Now test uploading and downloading, as shown in the following figure:

As the picture above shows, the upload and download functions work well for the user jack.
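As an added example (not part of the original article), the following POSIX shell script audits an sshd_config for the settings configured in the steps above and checks a chroot target the way sshd does (root-owned, not group- or world-writable). It assumes GNU stat (Linux) and works on constructed sample configs written to temporary files.

```shell
#!/bin/sh
# Added example, not from the original article. Audits an sshd_config for the
# settings the steps above add, and checks a chroot target the way sshd does
# (root-owned, not group- or world-writable). Assumes GNU stat (Linux).

# Return 0 if CFG forces internal-sftp for GROUP; print what is missing and
# return 1 otherwise. Keywords are matched case-insensitively, as sshd does.
audit_sftp_config() {
    cfg="$1"; group="$2"; rc=0
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$cfg" \
        || { echo "missing: Subsystem sftp internal-sftp"; rc=1; }
    # Keep only the lines of the "Match Group GROUP" block (up to the next Match).
    block=$(awk -v g="$group" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == g) }
        inblk { print }' "$cfg")
    for kw in "ChrootDirectory" "ForceCommand internal-sftp"; do
        printf '%s\n' "$block" | grep -Eiq "^[[:space:]]*$kw" \
            || { echo "missing in Match Group $group: $kw"; rc=1; }
    done
    return $rc
}

# Return 0 if DIR is owned by root and neither group- nor world-writable;
# sshd rejects a ChrootDirectory that fails this ("bad ownership or modes").
check_chroot_dir() {
    dir="$1"
    set -- $(stat -c '%u %a' "$dir")        # "<owner uid> <octal mode>"
    [ "$1" -eq 0 ] || { echo "$dir: owner uid $1, must be root"; return 1; }
    case "$2" in                            # group write = 2nd-last digit, other = last
        *[2367]?|*[2367]) echo "$dir: mode $2 is group/world writable"; return 1 ;;
    esac
    return 0
}

# Constructed sample configs: the Match block from the article, and a copy
# with ForceCommand dropped (chroot set, but the shell is not forced to sftp).
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftp_users
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
EOF
sed '/ForceCommand/d' "$good" > "$bad"

audit_sftp_config "$good" sftp_users && echo "good config: OK"
audit_sftp_config "$bad" sftp_users || echo "bad config: rejected"
```

Run it as root on the real host with check_chroot_dir /home/jack to confirm the step 4 ownership before restarting sshd.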
