I recently had a request to setup SFTP for a customer so they could manage a set of files in their environment through an FTP GUI. Being an avid user of command line tools like SCP I haven’t needed to set up FTP or SFTP in many years. So I dusted off some guides and fired it up.
While setting everything up it seems as though many guides were missing a critical step in some form or fashion. So I have taken it upon myself to write a guide to detail my entire process from start to finish.
The Guide
Step 1 – Create a New User
Personally once I am logged into my server I switch to the root user:
$ sudo -s
Let us add a new user
$ adduser [your username]
You will be prompted to add a password. For testing purposes I usually make the password something simple to start and go back and change it to be something secure later on. All other user information is optional so you can simply hit ENTER
to move through it if you would like.
Step 2 – Creating a Directory to Put Files In
We do not want our new SFTP user to have access to our whole file system as this would be a huge security flaw. So in this guide we are going to restrict the user down to a single directory to add and remove files from.
This is where I found my first hang up. When using SFTP we have to have the directory that the user is going to be forced into owned by root. All directories above that must also be owned by root without any group write permissions. Failing to create this structure properly will result in you not being able to login.
Example Structure:
/var/www/html/
The directory HTML is where our website resides so this is the directory we want to have our SFTP user to be able to write to.
To accomplish this we will actually force our user to the directory /var/www/
this way the WWW and VAR directories can be owned by root while the HTML directory can be owned by www-data which we will then add our new user to.
To accomplish this:
$ chmod 755 /var/www
This changes our permissions to only allow writing by the user who owns the directory while read and execute to everyone else.
$ chown root:root /var/www
This changes our directory to be owned by the user root and group root which satisfies our directory structure requirements.
$ chown -R www-data:www-data /var/www/html/
This gives ownership to the user www-data and group www-data which is the standard Apache user.
Step 3 – Locking Down our User
$ nano /etc/ssh/sshd_config
Note: You can use whatever text editor you like here to edit the file.
Find the section Subsystem sftp /var/lib/openssh/sftp-server
Comment it out so it looks like #Subsystem sftp /var/lib/openssh/sftp-server
Add the line Subsystem sftp internal-sftp
right below it.
Add the following lines to the very bottom of the file:
Match User [Your New Username] ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
ForceCommand internal-sftp
PasswordAuthentication yes
Save the file and exit.
Match User: Tells the SSH server to only apply the following settings to the one user
ChrootDirectory: This tells the server what directory our user is allowed to ONLY work within this directory
X11Forwading, AllowTCPForwarding, AllowAgentForwarding: Prohibits the user from port forwarding, tunneling and X11 forwarding fot the user. These are all security things.
ForceCommand internal-sftp: Forces the SSH server to the run the SFTP program upon access which disables shell access.
PasswordAuthentication: Allows for the user to login with a typed password. You can remove this is you would rather use a security key which is by far safer.
Restart the SSH Server
$ /etc/init.d/ssh restart
With the SSH server restarted your SFTP user should be able to login and view files. It won’t be able to modify any files yet as we did not give the user access to do so.
$ usermod -a -G www-data [Your User]
This adds the user that you specify to the www-data group. Completing this will allow your user to be able to modify files within the directory /var/www/html
Errors
I've created a user 'www' and added it to the 'www-data' group. I've set the home directory of 'www' to /var/www/ also. I would like to use 'www' to transfer files in and out of my web server by FTP
The problem is when I run the command:
sudo chown -R www-data:www-data /var/www/
..I don't have permission to write files via FTP
However when I run:
sudo chown -R www:www /var/www
..I have full FTP access but get a 'Forbidden' message in my browser.
Any advice on how to get full FTP access including all subfolders would be really appreciated.
That means that you already have a www-data user which Apache uses that should have the necessary permissions in /var/www
.
The simplest solution would be to use that same user, but you could also assign the www-data
group to your new user and make sure the /var/www
directory structure allows the group to write to it:
chown -R www-data:www-data /var/www
chmod -R ug+rw /var/www
Conclusion
There are so many other complex SSH server configurations. This setup allows for a very specific use case which many people have implemented. While SFTP is secure allowing access to any remote server allows for the possibility of attack. This guide should only be used if you understand the security risks involved with allowing SFTP.
This guide showed you how to create a new user and limit that user to SFTP access only. We also limited that user to our website directory and prevented it from access any other critical system files.
If this guide has been helpful for you and your team please share it with others!
Janeth Kent
Licenciada en Bellas Artes y programadora por pasión. Cuando tengo un rato retoco fotos, edito vídeos y diseño cosas. El resto del tiempo escribo en MA-NO WEB DESIGN AND DEVELOPMENT.
Related Posts
How to generate an SSH key and add it to GitHub
In this short tutorial we are going to see how you can generate a new SSH key and add it to GitHub, so you can access your private repositories and…
How To Use Varnish As A Highly Available Load Balancer On Ubuntu 20.04 With SSL
Load balancing with high availability can be tough to set up. Fortunately, Varnish HTTP Cache server provides a dead simple highly available load balancer that will also work as a…
Linux For Dummies: Permissions
In the previous articles I made a short introduction to the Unix world and in the following article I have dealt with the basic commands for the file system management. Today we are…
Linux for Dummies: Ubuntu Terminal
I introduced in the previous article, available here, the basic concepts concerning the Linux world. Today we are going to have a look to some basic operations that we can perform…
The Best RSS Readers for Ubuntu
Even if most of the tech experts actively claim that RSS (Rich Site Summary) is dead especially after Google Reader was discontinued 5 years ago but it isn’t yet as…
How to install Letsencrypt Certificates with Certbot in Ubuntu
In this article we will explain how to install, manage and configure the SSL Security certificate, Let's Encypt in NGINX server used as proxy. This certificate is free but does…
How to Set up a Fully Functional Mail Server on Ubuntu 16.04 with iRedMail
Setting up your own mail server from scratch on Linux is complex and tedious, until you meet iRedMail. This tutorial is going to show you how you can easily and…
GIMP 2.10 released: Features 32-bit support, new UI and A Ton Of Improvements
It's been over a half-decade since the GIMP 2.8 stable debut and today marks the long-awaited release of GIMP 2.10, its first major update in six years. And among other…
Install Java in Ubuntu 16.04
Java and the JVM (Java's virtual machine) are widely used and required for many kinds of software. This article will guide you through the process of installing and managing different…
ArangoDB, install and configure the popular Database in ubuntu 16.04
Introduction to ArangoDb, open source, NoSQL, multi-model database BigData seems to be getting stronger every day and more and more NoSQL databases are coming out to the market, all trying to position…
How to Choose a Laptop for Web Design and Development
Efficiency is important at work, no matter the type of job you do. The better the tools that you use, the more productive you are. So if you’re a web…
The Best Lightweight Linux Distributions For Older PC's
What do you do with your old computers? The one which once had good hardware configuration but now those are considered outdated. Why not revive your old computer with Linux?…