Setting up OpenSSH / SFTP on Ubuntu

OpenSSH includes an SFTP server which is enabled by default. This is a secure approach which uses a single port and normal Linux user accounts and passwords for authentication. It also supports date/time stamp synchronization since, unlike FTP, you are actually copying files over an SSH connection.

While a great solution, it may not be ideal for public access, a large user base, or anonymous access. Suffice it to say that there are a significant number of security considerations that need to be taken into account when implementing such a solution. For example, do you need a log of file transfers?

Installing OpenSSH on Ubuntu

If you didn't select it when you first installed your Ubuntu server, it's not too late. Simply enter the following command at a shell prompt:

sudo apt-get install openssh-server

Once installed, you can test it by entering the following command:

ssh localhost

Whether you are using ssh or sftp, you may be prompted to accept the server's host key the first time you connect. This is normal. Just accept.

When done, just type exit.

Managing the OpenSSH Service

Start SSH server: sudo start ssh
Stop SSH server: sudo stop ssh
Status of OpenSSH server: sudo status ssh

Limiting OpenSSH to SFTP Server Access

You can prevent users from having shell access and running commands by setting their home directory to /dev/null and setting their shell to /usr/bin/false. See Chrooted SFTP access with OpenSSH and limiting access to only the required areas of the server for details. Also see SFTP only chroot with nullfs or bind mounts.
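As an added example (not from the original article), the following script emits the sshd_config Match block that confines a group of accounts to chrooted SFTP, enrolls an account into that group with the non-login shell recommended above, and checks an existing config file for the directives. The group name "sftponly" is an assumption; sshd reads Match blocks only after all global settings, so the block is appended to the end of sshd_config.

```shell
#!/bin/sh
# Added example (not from the original article): confine a group of users to
# chrooted SFTP with sshd_config directives, and check a config file for them.
# The group name "sftponly" is an assumption.

SFTP_GROUP="${SFTP_GROUP:-sftponly}"

# Print the Match block to append to /etc/ssh/sshd_config. %h expands to the
# user's home, which sshd requires to be root-owned and not group/world
# writable; writable areas (such as the bind-mounted www directory described
# later in the article) go beneath it.
sftp_only_block() {
    cat <<EOF
Match Group ${SFTP_GROUP}
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Put an existing account into the group and give it the non-login shell the
# article recommends (run as root; not exercised by the check below).
enroll_sftp_user() {
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    usermod -a -G "$SFTP_GROUP" -s /usr/bin/false "$1"
}

# Return 0 if CONF has a "Match Group <group>" block that both chroots the
# session and forces internal-sftp; 1 otherwise. Directives found outside
# that block do not count, since the check is about the group-scoped block.
check_sftp_only_config() {
    awk -v grp="$SFTP_GROUP" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ {
            inblk = ($0 ~ ("^[[:space:]]*[Mm]atch[[:space:]]+[Gg]roup[[:space:]]+" grp "([[:space:]]|$)"))
            next
        }
        inblk && /^[[:space:]]*ForceCommand[[:space:]]+internal-sftp/ { fc = 1 }
        inblk && /^[[:space:]]*ChrootDirectory[[:space:]]/          { cd = 1 }
        END { exit !(fc && cd) }
    ' "$1"
}

# Typical use (as root):
#   sftp_only_block >> /etc/ssh/sshd_config && sshd -t && service ssh restart
#   check_sftp_only_config /etc/ssh/sshd_config && echo "SFTP-only block present"
```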

Obscuring Your OpenSSH/SFTP Server

While it doesn't make the server any more secure, changing the default port 22 makes a well-known open port a little harder to find. It's like the difference between having a big neon sign pointing to the opening and having the opening blend into the background. It's still there, but most won't see it unless they are looking for it.

SFTP Clients

Not all FTP clients support SFTP; the two that I usually recommend are FileZilla and WinSCP.

Setting up User Accounts

It is recommended to create individual user accounts for the following reasons:

  • Configurability: You can limit individual user access to the areas that they need.
  • Trackability: When something goes wrong, you have a better chance of figuring out where and why it happened if you have a specific user account rather than a communal account.
  • Manageability: When someone leaves the organization or you no longer have dealings with a business partner, you can simply delete their account.

System Wide Login Script

You can just drop a custom script (ending in .sh) in the /etc/profile.d directory and it will be called automatically when users connect over ssh or sftp.

Configuring the User Home Directory

Creating symlinks in the root of the user's home directory that point to parts of the server outside of it won't work, because symlinks are resolved relative to the root directory, which in this case is the user's chrooted home directory (Pure-FTPd virtualizes this for you). Instead, you must use mount with --bind.

You first need to create a directory and then bind-mount a directory from somewhere else on the server onto it. For example:

sudo mkdir /home/sftpuser/www

sudo mount --bind /var/www /home/sftpuser/www

This won't work if the /home/sftpuser/www directory existed previously.

Made a mistake? You can unmount the directory using the following command:

sudo umount /home/sftpuser/www

Typical users don't have the root access required to run these commands, and the mounts would be lost as soon as you reboot the server. However, you can make them permanent by adding them to the /etc/fstab file. Open it with the following command:

sudo nano /etc/fstab

Add the following line to the end of the file and save:

/var/www /home/sftpuser/www none bind

The next time you reboot your server, the directories will automatically be mounted.
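The bind-mount procedure above, as an added example (not the article's own code): it enforces the condition that the mount point must be new or empty before mounting, writes the fstab entry only once so re-running it is safe, and keeps the mount point and fstab path as parameters so the bookkeeping can be exercised on a scratch file. The paths /var/www and /home/sftpuser/www are the article's; mkdir and mount still require root.

```shell
#!/bin/sh
# Added example (not from the original article): persist a bind mount into an
# SFTP user's home, idempotently, refusing a mount point that already holds files.

# Print the fstab entry for a bind mount (dump and pass fields set to 0).
bind_fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Return 0 if FSTAB already has a bind entry from SRC to DST (accepts
# "bind" alone or inside an option list such as "defaults,bind").
fstab_has_bind() {
    fstab=$1; src=$2; dst=$3
    awk -v s="$src" -v d="$dst" \
        '$1 == s && $2 == d && $4 ~ /(^|,)bind(,|$)/ { found = 1 } END { exit !found }' "$fstab"
}

# Append the entry only when it is missing, so running twice adds one line.
add_fstab_bind() {
    fstab=$1; src=$2; dst=$3
    fstab_has_bind "$fstab" "$src" "$dst" || bind_fstab_line "$src" "$dst" >> "$fstab"
}

# Return 0 if DST does not exist yet or is an empty directory; 1 if it holds
# files (a bind mount would hide them, not merge them) or is not a directory.
mount_target_ok() {
    dst=$1
    [ ! -e "$dst" ] && return 0
    [ -d "$dst" ] || return 1
    [ -z "$(ls -A "$dst")" ]
}

# Full procedure (needs root): create the mount point, mount now, persist.
# Example: setup_sftp_bind /var/www /home/sftpuser/www
setup_sftp_bind() {
    src=$1; dst=$2; fstab=${3:-/etc/fstab}
    mount_target_ok "$dst" || { echo "refusing: $dst exists and is not empty" >&2; return 1; }
    mkdir -p "$dst"
    mount --bind "$src" "$dst" || return 1
    add_fstab_bind "$fstab" "$src" "$dst"
}
```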


Comments


    • Thanks for your comment. I can see how you might be confused. What I meant to say is “This won’t work if the /home/sftpuser/www directory existed previously”. It has to be a new directory, but an existing www directory that is empty would probably work too.

  1. Just like to point out I used

    sudo apt-get install openssh-server

    in order to install correctly.

    sudo apt-get install openssh

    gave an error saying ‘Unable to locate package openssh’

  2. I encountered the same error as did Eric Chang. And, following further Googling, came to the same conclusion. It should be:

    > sudo apt-get install openssh-server

    • Thank you Steve and Eric. Much appreciated. I’ve made the correction. The reason this article is still in draft is because some of the documentation was created afterwards and I didn’t have a chance to test the instructions. Thanks again for taking the time to send me your suggestions.

  3. Since this is a fledgling article, you might want to fix the following typo before this goes “public”. It’s at the end of the first paragraph under the “Configuring the User Home Directory” heading:

    > “Instead, you must you mount --bind it.”

    should probably be:

    > “Instead, you must use mount [to] --bind it.”

    • Thanks again for the feedback Steve. Reading over my original text, I can see how it wasn’t very clear (ok, it didn’t make sense 🙂 ). I appreciate your suggestion. I think what I meant to say was “Instead, you must use mount with --bind.”
