Previously, my server ran Windows Server 2003. Because traffic increased during this period, I switched to Linux. When setting up FTP I saw vsftpd recommended on the Internet, but I don't recommend it, for the reasons below.
I recommend using SFTP, which comes with SSH. SFTP is the abbreviation of Secure File Transfer Protocol, a secure file transfer protocol. SFTP encrypts both the authentication information and the data it transmits, so it is very secure; SFTP is to FTP roughly what HTTPS is to HTTP. Because this transmission method uses encryption and decryption, its transfer efficiency is much lower than plain FTP. If you need higher network security, use SFTP instead of FTP.
**The final effect of this article:** Create the sftp-users group under Linux, create several users in that group, forbid every user in the group from logging in to the server over SSH, but allow them all to log in over SFTP and access only the files in their own directory and its subdirectories.
This article uses the admin user as an example; wherever admin appears below, it refers to that user or that user's home directory.
Install ssh and openssh-sftp-server
In fact, Linux distributions basically all ship with OpenSSH installed, but we still confirm it. Generally we need openssh-server and openssh-sftp-server, so check whether SSH is installed.
- Ubuntu checks if OpenSSH is installed
dpkg --get-selections | grep openssh
- CentOS checks if OpenSSH is installed
# Installed in yum mode:
yum list installed openssh
# Installed as an rpm package:
rpm -qa | grep openssh
# Installed in deb package:
dpkg -l | grep openssh
If all three packages are installed, your output should look like this:
openssh-server installed
openssh-sftp-server installed
...
Whichever package is not printed is not installed; just install it.
- Ubuntu installation: run the following commands in order, writing only the names of the missing packages after install
sudo apt-get update
sudo apt-get install openssh-client openssh-server openssh-sftp-server
- CentOS installation: write only the names of the missing packages after install
sudo yum install openssh-client openssh-server openssh-sftp-server
Once installed, make sure the OpenSSH version is not lower than 4.8, because we want to use ChrootDirectory to restrict user access directories. Check the SSH version by running ssh -V, which prints version information like the following:
OpenSSH_6.6.1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f...
If the SSH version is lower than 4.8, upgrade it.
# Ubuntu:
sudo apt-get update
sudo apt-get install openssh-server
# CentOS:
sudo yum update -y openssh-server
Create user groups and users
We want to establish a user group dedicated to managing sftp users, which is convenient for us to manage permissions.
1. Create an sftp user group named sftp-users
sudo groupadd sftp-users
2. Create several users in this group who need to log in to sftp
Create a new user named admin:
sudo useradd -g sftp-users -m admin
Change the password of admin:
passwd admin
Then enter the password you want to set for the user twice in a row.
3. If the user already exists but is not yet in the sftp-users group, move the user into the group
sudo usermod -g sftp-users admin
Configure ssh and permissions
1. Open the /etc/ssh/sshd_config file
2. Set X11Forwarding to no. The original may read X11Forwarding yes; change it to X11Forwarding no. If there is no X11Forwarding line, add it at the end of the file.
Set AllowTcpForwarding to no. The original may read AllowTcpForwarding yes; change it to AllowTcpForwarding no. If there is no AllowTcpForwarding line, add it at the end of the file.
3. Change the Subsystem sftp line to internal-sftp
Subsystem sftp /usr/libexec/openssh/sftp-server
# or
Subsystem sftp /usr/lib/openssh/sftp-server
Change it to:
Subsystem sftp internal-sftp
4. Add the following at the end of the file
Match Group sftp-users
ChrootDirectory %h
ForceCommand internal-sftp
- The Match Group sftp-users line specifies that the indented configuration below it applies to the sftp-users group. Multiple groups are separated by commas.
- ChrootDirectory %h specifies the chroot path for users of the group named in the Match Group line after they authenticate; %h is the user's home directory, such as /home/admin. You can also write an explicit path, such as /data/www.
- ForceCommand internal-sftp forces the internal sftp server and ignores any commands in the ~/.ssh/rc file.
Pay special attention here: because ChrootDirectory %h is used, the home directory of every user in sftp-users must be owned by root, otherwise sshd refuses the chroot and users in the sftp-users group cannot log in with sftp.
Modify the user directory permissions for the sftp-users user group
That is, because ChrootDirectory %h is used, we now modify the permissions.
1. Change the owner of the home directory to root
chown root /home/admin
2. Set the permissions so that root can read, write and execute, and everyone else can only read and execute
chmod 755 /home/admin
3. Restart ssh and log in to sftp
sudo service ssh restart
You can now log in with sftp, but you will find that you cannot upload files: the default directory is the home directory, such as /home/admin, and it is owned by root, so we need to adjust the permissions.
Note: on CentOS 7 the command to restart ssh is sudo systemctl restart sshd.service. You can also make ssh start at boot with sudo systemctl enable sshd.service.
4. Create a subdirectory under the user directory so that users in sftp-users can read and write files
We now create a new upload folder in the /home/admin directory:
cd /home/admin/
mkdir upload
5. Authorize upload folder to read and write
Make subfolder upload belong to admin
chown admin /home/admin/upload
Let admin read and write the upload subfolder
chmod 755 /home/admin/upload
Restart ssh and log in to sftp
Now everything is configured. If you did not restart ssh in step 3 above, restart it now and log in.
sudo service ssh restart
On CentOS 7.x, if the above command does not exist, run:
sudo systemctl restart sshd
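As an added example (not part of the original article), here is a small shell helper for the step that most often breaks this setup: sshd only chroots into %h when that directory and every parent up to / are owned by root and not writable by group or others. The function names check_dir_mode and check_chroot_path are my own.

```shell
#!/bin/sh
# Added helper: diagnose the "bad ownership or modes for chroot directory"
# refusal by checking each directory the way sshd does before chrooting.

# check_dir_mode DIR [OWNER]: return 0 if DIR is owned by OWNER (default root)
# and has no group/other write bit, otherwise print the reason and return 1.
check_dir_mode() {
    d=$1
    want=${2:-root}
    [ -d "$d" ] || { echo "missing: $d"; return 1; }
    # ls -ld prints e.g. "drwxr-xr-x 2 root root 4096 Jan 1 00:00 /home/admin";
    # parsing it keeps this portable between GNU and BSD stat.
    set -- $(ls -ld "$d")
    mode=$1
    owner=$3
    if [ "$owner" != "$want" ]; then
        echo "wrong owner: $d is owned by $owner, expected $want"
        return 1
    fi
    # char 6 is the group write bit, char 9 the other write bit
    case "$mode" in
        ?????w*|????????w*)
            echo "writable by group or others: $d ($mode)"
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR: apply check_dir_mode (owner root) to the absolute
# path DIR and to every ancestor up to /; return 1 if any component fails.
check_chroot_path() {
    p=$1
    case "$p" in
        /*) ;;
        *) echo "need an absolute path: $p"; return 1 ;;
    esac
    bad=0
    while :; do
        check_dir_mode "$p" root || bad=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $bad
}

# Usage: sh check_chroot.sh /home/admin
if [ $# -eq 1 ]; then check_chroot_path "$1"; fi
```

A home directory that passes this check but whose upload subdirectory is owned by the user is exactly the layout the steps above produce.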
For logging in to sftp from Windows, WinSCP is recommended; on Linux you can use the sftp command line; on Mac, Yummy FTP is recommended.