OpenSSH includes an SFTP server which is enabled by default. This is a secure approach which use a single port and normal Linux user accounts and passwords for authentication. It also supports date/time stamp synchronization since you are actually copying files over an SSH connection unlike FTP.

While a great solution, it may not be ideal for public access, a large user base, or anonymous access. Suffice to say that there are a significant number of security considerations that need to be taken into account when implementing such a solution. For example, do you need a log of file transfers?

Installing OpenSSH on Ubuntu

If you didn't select it when you first installed your Ubuntu server, it's not too late. Simply enter the following command at a shell prompt:

sudo apt-get install openssh-server

Once installed, you can test it by entering the following command:

ssh localhost

Whether you are using ssh or sftp, you may be prompted to accept an authentication key the first time you connect. This is normal. Just accept.

When done, just type exit.

Managing the OpenSSH Service

Start SSH Serversudo start ssh
Stop SSH Serversudo stop ssh
Status of OpenSSH serversudo status ssh

Limiting OpenSSH to SFTP Server Access

You can prevent users from having shell access and running commands by setting their home directory to /dev/null and setting their shell to /usr/bin/false. See Chrooted SFTP access with OpenSSH and limiting access to only the required areas of the server for details. Also see SFTP only chroot with nullfs or bind mounts

Obscuring Your OpenSSH/SFTP Server

While it doesn't make it any safer, making a well known open port a little harder to find by changing the default port 22 helps. It's like the difference between having a big neon sign pointing to the opening and having the opening blend into the background. It's still there but most won't see it unless they are looking for it.

SFTP Clients

Not all FTP clients support SFTP however the following are the two that I usually recommend: Filezilla and WinSCP

Setting up User Accounts

It is recommended to create individual user accounts for the following reasons:

  • Configurability: You can limit individual user access to the areas that they need.
  • Trackability: When something goes wrong, you have a better chance of figuring out where and why it happened if you have a specific user account rather than a communal account.
  • Manageability: When someone leaves the organization or you no longer have dealings with a business partner, you can simply delete their account.

System Wide Login Script

You can just drop a custom script (ending in .sh) in the /etc/profile.d directory and it will be called automatically when users connect over ssh or sftpd.

Configuring the User Home Directory

In the root of the users home directory, creating symlinks to different parts of the server outside of the users home directory won't work as symlinks are relative to the root directory, which in this case is the user's chrooted home directory (Pure-FTPd virtualizes this for you). Instead, you must use mount with --bind.

You first need to create a directory and them mount a directory somewhere else on the server to that directory. For example:

sudo mkdir /home/sftpuser/www

sudo mount --bind /var/www /home/sftpuser/www

This won't work if the /home/sftpuser/www directory existed previously.

Made a mistake? You can unmount a drive using the following command:

sudo umount /home/sftpuser/www

Since typical users don't have the required root access to execute these commands, and they would be lost as soon as you reboot the server. However you can make these mounts permanent by adding them to the /etc/fstab file using the following command:

sudo nano /etc/fstab

Add the following line to the end of the file and save:

/var/www /home/sftpuser/www none bind

 The next time you reboot your server, the directories will automatically be mounted.