Monday, May 7, 2012

Ubuntu - Set Up an SFTP Server



This procedure will set up an SFTP server, that is, file transfer over SSH, on Ubuntu Server. In this instance the server will be used by a group of people who all access the same shared directory.
This procedure has been tested against Ubuntu 10.04 LTS.
First we need to install the SSH server package on the Ubuntu server, if it hasn't been installed already. On the console type:

sudo apt-get install openssh-server

Next we will create a group whose members will have shared access to the SFTP directory:

sudo groupadd ftpshared

Next we create the FTP folder on the filesystem. As this folder will contain data that may grow to fill the disk, it is recommended to put it on a separate partition. Another important point: sshd requires the top-level FTP mount, and every directory from there up to and including the chroot directory, to be owned by the root user and to be writable by nobody but root (group or world write permission is rejected). If this is not the case you will get errors when connecting to the server; in my case, authentication and connection errors.

sudo mkdir -p /srv/ftp/shared

Next change the ownership and permissions on the shared folder so that members of ftpshared can access it. The chroot directory itself must not be group-writable or sshd will refuse the login, so group members get a writable subdirectory inside it (the name upload is just a suggestion; the setgid bit makes new files inherit the ftpshared group):

sudo chown root:ftpshared /srv/ftp/shared
sudo chmod 750 /srv/ftp/shared
sudo install -d -o root -g ftpshared -m 2770 /srv/ftp/shared/upload

Now that the filesystem is set up we will update the SSH daemon configuration, but first back up the existing configuration.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

sudo nano /etc/ssh/sshd_config

Now comment out the line

Subsystem sftp /usr/lib/openssh/sftp-server

and immediately below it insert:

Subsystem sftp internal-sftp

Now add the following lines to the bottom of /etc/ssh/sshd_config. Everything after a Match line belongs to that block, so it has to go after all the global settings:

Match Group ftpshared
    ChrootDirectory /srv/ftp/shared
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

To make the config take effect we'll need to restart the SSH daemon:

sudo service ssh restart

Finally we create the user accounts on the Ubuntu server and give them access to the SFTP server. The home directory is the chroot itself and the shell is /bin/false, so the account can be used for SFTP only:

sudo useradd -d /srv/ftp/shared -s /bin/false [user_name]
sudo adduser [user_name] ftpshared
sudo passwd [user_name]

As a final step, open up your SFTP client of choice and test the logon process. Also confirm that the user cannot navigate outside of the /srv/ftp/shared area.

2 comments:

  1. I tried to do this on Ubuntu in VirtualBox with a bridged adapter, connecting from Windows 7, but I keep getting permission denied when attempting to connect. Any good ideas what might be wrong?

  2. To chroot the FTP folder, the rights must be changed; replace the following line:
    sudo chmod 775 /srv/ftp/shared
    with:
    sudo chmod 750 /srv/ftp/shared

    Then, to be able to write into the FTP folder, you must create another folder inside /srv/ftp/shared with full rights for the FTP user:
    sudo mkdir /srv/ftp/shared/writableFolder
    sudo chown [USERNAME]:ftpshared /srv/ftp/shared/writableFolder
    sudo chmod 700 /srv/ftp/shared/writableFolder

    Let me know if it works!

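The permission rule behind the procedure above and behind the chmod 750 change in the second comment can be checked before anyone tries to log in. The script below is an added example, not part of the original post or of OpenSSH: it encodes sshd's requirement that every component of the ChrootDirectory path is owned by root and not writable by group or others, and it includes a helper that builds the layout the post and the comment arrive at (a root-owned 750 chroot with a writable subdirectory beneath it). The script name, the subdirectory name upload, and the use of GNU coreutils stat -c (as on Ubuntu) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post or from OpenSSH): a pre-flight
# check for sshd's ChrootDirectory rules, plus a helper that creates the
# shared-directory layout described in the post. Assumes GNU coreutils
# (stat -c, install -d), as shipped on Ubuntu.

# check_chroot_entry UID MODE PATH
# sshd's rule for one path component: owned by root (uid 0) and not
# writable by group or others. MODE is the octal string printed by stat -c %a.
check_chroot_entry() {
    uid=$1 mode=$2 path=$3
    if [ "$uid" -ne 0 ]; then
        echo "$path: owned by uid $uid, must be owned by root" >&2
        return 1
    fi
    # Peel the last two octal digits off the mode string: other, then group.
    other=${mode#"${mode%?}"}
    rest=${mode%?}
    group=${rest#"${rest%?}"}
    # Bit 2 of each digit is the write permission.
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        echo "$path: mode $mode is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# check_chroot_path DIR
# Walks from DIR up to / and applies check_chroot_entry to every component,
# because sshd validates the whole path, not only the ChrootDirectory itself.
check_chroot_path() {
    p=$1
    while :; do
        if [ ! -d "$p" ]; then
            echo "$p: not a directory" >&2
            return 1
        fi
        check_chroot_entry "$(stat -c %u "$p")" "$(stat -c %a "$p")" "$p" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# create_shared_layout CHROOT GROUP SUBDIR
# CHROOT stays root:GROUP 750 so sshd accepts it as a chroot; CHROOT/SUBDIR is
# root:GROUP 2770 so group members can write there and new files inherit the
# group. Must be run as root.
create_shared_layout() {
    chroot=$1 grp=$2 sub=$3
    install -d -o root -g root -m 755 "$(dirname "$chroot")" &&
    install -d -o root -g "$grp" -m 750 "$chroot" &&
    install -d -o root -g "$grp" -m 2770 "$chroot/$sub"
}

# Command-line use (hypothetical file name):
#   sudo sh sftp_chroot_check.sh /srv/ftp/shared
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: acceptable as ChrootDirectory"
fi
```

Run it after creating the directories and before restarting sshd; a directory that fails the check is the one sshd will complain about in /var/log/auth.log with "bad ownership or modes for chroot directory", which the client only sees as a closed connection or a permission denied. It pairs well with sudo sshd -t, which checks the sshd_config syntax without restarting the daemon.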