OpenSSH includes an SFTP server which is enabled by default. This is a secure approach which use a single port and normal Linux user accounts and passwords for authentication. It also supports date/time stamp synchronization since you are actually copying files over an SSH connection unlike FTP.
While a great solution, it may not be ideal for public access, a large user base, or anonymous access. Suffice to say that there are a significant number of security considerations that need to be taken into account when implementing such a solution. For example, do you need a log of file transfers?
Installing OpenSSH on Ubuntu
If you didn't select it when you first installed your Ubuntu server, it's not too late. Simply enter the following command at a shell prompt:
sudo apt-get install openssh-server
Once installed, you can test it by entering the following command:
ssh localhost
Whether you are using ssh or sftp, you may be prompted to accept an authentication key the first time you connect. This is normal. Just accept.
When done, just type exit.
Managing the OpenSSH Service
| Start SSH Server | sudo start ssh |
| Stop SSH Server | sudo stop ssh |
| Status of OpenSSH server | sudo status ssh |
Limiting OpenSSH to SFTP Server Access
You can prevent users from having shell access and running commands by setting their home directory to /dev/null and setting their shell to /usr/bin/false. See Chrooted SFTP access with OpenSSH and limiting access to only the required areas of the server for details. Also see SFTP only chroot with nullfs or bind mounts
Obscuring Your OpenSSH/SFTP Server
While it doesn't make it any safer, making a well known open port a little harder to find by changing the default port 22 helps. It's like the difference between having a big neon sign pointing to the opening and having the opening blend into the background. It's still there but most won't see it unless they are looking for it.
SFTP Clients
Not all FTP clients support SFTP however the following are the two that I usually recommend: Filezilla and WinSCP
Setting up User Accounts
It is recommended to create individual user accounts for the following reasons:
- Configurability: You can limit individual user access to the areas that they need.
- Trackability: When something goes wrong, you have a better chance of figuring out where and why it happened if you have a specific user account rather than a communal account.
- Manageability: When someone leaves the organization or you no longer have dealings with a business partner, you can simply delete their account.
System Wide Login Script
You can just drop a custom script (ending in .sh) in the /etc/profile.d directory and it will be called automatically when users connect over ssh or sftpd.
Configuring the User Home Directory
In the root of the users home directory, creating symlinks to different parts of the server outside of the users home directory won't work as symlinks are relative to the root directory, which in this case is the user's chrooted home directory (Pure-FTPd virtualizes this for you). Instead, you must use mount with --bind.
You first need to create a directory and them mount a directory somewhere else on the server to that directory. For example:
sudo mkdir /home/sftpuser/www
sudo mount --bind /var/www /home/sftpuser/www
This won't work if the /home/sftpuser/www directory existed previously.
Made a mistake? You can unmount a drive using the following command:
sudo umount /home/sftpuser/www
Since typical users don't have the required root access to execute these commands, and they would be lost as soon as you reboot the server. However you can make these mounts permanent by adding them to the /etc/fstab file using the following command:
sudo nano /etc/fstab
Add the following line to the end of the file and save:
/var/www /home/sftpuser/www none bind
The next time you reboot your server, the directories will automatically be mounted.
March 9, 2015 at 12:15 PM
first you say sudo mkdir /home/sftpuser/www
then you say it wont work if home/sftpuser/www already exist
March 10, 2015 at 11:13 PM
Thanks for your comment. I can see how you might be confused. What I meant to say is “This won’t work if the /home/sftpuser/www directory existed previously”. It has to be a new directory but am existing www directory that is empty would probably work too.
November 10, 2015 at 3:28 PM
Just like to point out I used
sudo apt-get install openssh-server
in order to install correctly.
sudo apt-get install openssh
gave an error saying ‘Unable to locate package openssh’
July 17, 2016 at 6:55 PM
I encountered the same error as did Eric Chang. And, following futher Googling, came to the same conclusion. It should be:
> sudo apt-get install openssh-server
August 1, 2016 at 11:34 AM
Thank you Steve and Eric. Much appreciated. I’ve made the correction. The reason this article is still in draft is because some of the documentation was created afterwards and I didn’t had a chance to test the instructions. Thanks again for taking the time to send me your suggestions.
July 17, 2016 at 7:11 PM
Since this is a fledgling article, you might want to fix the following typo, before this goes “public”. It’s at the end of the fist paragraph under the “Configuring the User Home Directory” heading:
> “Instead, you must you mount –bind it.”
should probably be:
> “Instead, you must use mount [to] –bind it.”
August 1, 2016 at 11:37 AM
Thanks again for the feedback Steve. Reading over my original text, I can see how it wasn’t very clear (ok, it didn’t make sense 🙂 ). I appreciate your suggestion. I think what I meant to say was “Instead, you must use mount with –bind.”
August 12, 2016 at 3:12 PM
A followed all the steps in the following tutorial, and it works fine:
http://vocemcse.blogspot.com.br/2016/08/public-key-authetication-sftp-ubuntu.html