Skip to content

Latest commit

 

History

History
145 lines (109 loc) · 3.55 KB

create-sftp-server.md

File metadata and controls

145 lines (109 loc) · 3.55 KB
aliases category classification date date_modified draft id image links local_archive_links pinned print series tags title type
create-sftp-server
self-hosted
public
2020-11-24 01:33:31 -0800
2020-11-24 01:33:31 -0800
false
20201124093331
false
false
sftp
linux
password
Create an SFTP Server
tech-note

At work I've used a couple of options for enabling SFTP. The directory structure I tend to use is as follows.

/srv/
└── <company>
    └── <product>
        └── <env_name>
            ├── inbound
            ├── outbound
            └── .ssh
                └── authorized_keys

This is configured to use Port 2222 for SFTP, and not Port 22. In fact Port 22 is blocked for SFTP access.

Initial SSHD Config Changes

Initially the following gets added to the top of /etc/ssh/sshd_config.

Port 22
Port 2222
AuthorizedKeysFile .ssh/authorized_keys

Additionally you need to comment out this line (typically on line 141).

Subsystem       sftp    /usr/libexec/openssh/sftp-server

SFTP with a Password

This is the configuration I use for password only authentication, with port 2222 allowed, and 22 denied.

# Switch to internal-sftp, as newer:
Subsystem sftp internal-sftp

# Match block:
Match Group sftp LocalPort 2222
    ChrootDirectory /srv/<company>/<product>
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
    PasswordAuthentication yes
    AuthenticationMethods password

Match Group sftp LocalPort 22
    DenyGroups sftp

I then set the password for the user I wish to give access to.

sudo passwd sftp_user

SFTP with a Password and Private Key

Whereas this is the configuration for password and private key.

# Switch to internal-sftp, as newer:
Subsystem sftp internal-sftp

# Match block:
Match Group sftp LocalPort 2222
    ChrootDirectory /srv/<company>/<product>
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
    PasswordAuthentication yes
    AuthenticationMethods password,publickey

Match Group sftp LocalPort 22
    DenyGroups sftp

Users

You then need to add an SFTP group and user, and give permissions to the directories you are serving via SFTP.

# Add SFTP group and user:
groupadd sftp
useradd <sftp_user> --groups sftp --shell /sbin/nologin --home-dir /srv/<company>/<product>/<sftp_user>

# Set password for sftp user:
echo <sftp_user>:<sftp_user_password> | chpasswd

# SFTP directory permissions:
chown --recursive <sftp_user>:<sftp_user> /srv/<company>/<product>/<sftp_user>
chmod --recursive 755 /srv/<company>/<product>/<sftp_user>/

# Comment out Subsystem sftp /usr/libexec/openssh/sftp-server
sed -i.bak '141s/^/#/' /etc/ssh/sshd_config
sed -i.bak 's/#Port 22/Port 22\nPort 2222/' /etc/ssh/sshd_config

Key Pair

Add the keypair public key you will use to connect to /srv/<company>/<product>/<sftp_username>/.ssh/authorized_keys.

SELinux

If you're running SELinux, you then need to tell it about the SFTP Port, and stop it from blocking read access to the authorized_keys file.

# Tell SELinux about SFTP Port:
sudo semanage port --add --type ssh_port_t --proto tcp 2222

# Stop SELinux from blocking read access to authorized_keys:
semanage fcontext -a -t ssh_home_t '/srv/<company>/<product>/<sftp_server_username>/.ssh/authorized_keys'
restorecon -v '/srv/<company>/<product>/<sftp_server_username>/.ssh/authorized_keys'

Restart SSH

You can then restart the SSH server and test if you can connect.

systemctl restart sshd.service