1. Introduction
In a Linux environment, it’s common to share files or important work documents among team members, partners, or colleagues. However, since these files can be sensitive, we often choose to transfer them over secure networks like Secure File Transfer Protocol (SFTP).
This protocol uses the Secure Shell (SSH) protocol to ensure data security. Further, to use the sftp tool, a user has to be created on the receiving end.
In this article, we’ll learn how to create an sftp user, configure the appropriate permissions, and ensure secure file transfer operations in our Linux environment.
2. What is SFTP*?*
Basically, SFTP is a protocol that provides a reliable and secure channel for us to manage and share files. Just like SSH, the protocol runs on port 22, encrypting data that moves from the client to a server and vice versa.
Further, with SFTP*,* we can perform intricate functions on files we share. This includes editing, downloading, and renaming documents on any Linux distribution without caring about compatibility.
However, for SFTP to function, we need to set up a server that can accept connections from users authenticated through passwords, public keys, etc.
3. Setting Up a Server
Creating an stfp user requires having a server that allows SFTP access in our environment. *To configure this server, we need a remote server management tool like openssh**.* The openssh tool can work in most Linux distributions, but this example applies to Debian-based operating systems like Ubuntu.
Firstly, let’s run the apt update command to retrieve the latest packages and versions and ensure compatibility:
$ sudo apt update
Then, we install the openssh server with apt:
$ sudo apt install openssh-server
Once the installation is complete, we start the ssh service:
$ sudo systemctl start ssh
Next, we enable the ssh service:
$ sudo systemctl enable ssh
Synchronizing state of ssh.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable ssh
Created symlink /etc/systemd/system/sshd.service → /usr/lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /usr/lib/systemd/system/ssh.service.
This group of commands ensures that the openssh service is installed in our system and automatically runs whenever we boot it.
4. Creating an sftp User
The first thing we need to do in the process of adding our user is to create an sftp group. An sftp group enables us to manage multiple users seamlessly.
In situations where we need to create permissions and access to resources, with all users in a group, we can do this collectively, which simplifies user management.
For example, let’s see how to create a sftp group:
$ sudo groupadd sftpusers
Next, let’s create and add our user to this group:
$ sudo useradd -m -g sftpusers -s /sbin/nologin Amara
Now, let’s learn what each of these switches mean:
- sudo: to execute command as a super user. We need this command in most aspects of this operation
- useradd: command for creating a new user
- -m: creates a home directory for the sftp user
- -g: adds the sftp user to a group known as sftpusers
- -s /sbin/nologin: sets the user to only login through sftp
- Amara: the new user created
Next, let’s now create a password for our new user:
$ sudo passwd Amara
From this example, we can see that we’ve successfully created a new sftp user.
4.1. Configuring the Server Access
After creating our user, we need to control and restrict access in the server environment.
This configuration not only ensures security but also enables the server to function efficiently for our file-sharing activities. Further, to effect this procedure, we have to access the server configuration file located in the /etc/ssh directory using text editors like nano.
For example, let’s access the configuration file using nano:
$ sudo nano /etc/ssh/sshd_config
Next, we add the following configuration lines at the bottom of the file to set up a chroot environment for our user:
Match User Amara
ChrootDirectory /home/Amara
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Let’s understand what these lines do:
- Match User Amara: specifies that the lines of configuration apply only to Amara, the sftp user
- ChrootDirectory /home/Amara: specifies the directory that the Amara will be restricted to
- ForceCommandinternal-sftp: ensures that the type of command the user is able to run in the system pertains only to sftp
- AllowTcpForwardingno: prevents user from using Tcp forwarding. This, in turn, renders any attempt to use ssh to forward ports to another host useless
- X11Forwarding no: prevents forwarding of graphical sessions
After adding these lines, we save our changes and exit the editor.
Next, we apply our changes by restarting the server:
$ sudo systemctl restart ssh
Ultimately, by following these steps, we’ve adequately configured our server to grant necessary access to our user and run efficiently during sftp operations.
4.2. Setting Up Directory Permissions
By default, the new user and its group are set as owners of the user’s home directory. However, this can lead to security issues like jailbreaking, which grants them access to other directories they were formally restricted.
To fix this, we can change the ownership and permissions associated with this directory and create a subdirectory for the new user to freely use.
For example, let’s change the ownership of our user’s home directory:
$ sudo chown root:root /home/Amara
Basically, changing ownership to root:root means that root is now the owner and group owner of the directory. Next, we change the permissions associated with the directory:
$ sudo chmod 755 /home/Amara
755 is a symbolic representation of file permission in Linux. Let’s learn what it means:
- 7: means that the owner of the directory can read, write, and execute
- 5: group permission, meaning that everyone in the group with ownership can only read and execute in the given directory
- 5: permission for others, meaning they can only read and execute in the given directory
Now, let’s proceed in creating a new subdirectory for our user:
$ sudo mkdir /home/Amara/projects
Furthermore, let’s set the ownership for the directory:
$ sudo chown Amara:sftpusers /home/Amara/projects
Then, we add the new set of permissions:
$ sudo chmod 755 /home/Amara/projects
By following the steps, we ensure that the new user has the appropriate rights to use sftp services.
4.3. Testing Access
Verifying the sftp access of our new user is the final step to ensuring a successful operation. However, to do this, we need to restart the server to apply all changes made.
Now, let’s restart the server:
$ sudo systemctl restart sshd
Then, we connect to the server:
$ sftp [email protected]
[email protected]'s password:
Connected to 127.0.0.1.
sftp> ls
book projects
sftp> cd projects
sftp> pwd
Remote working directory: /projects
From the example, we can see that the new sftp user, Amara, can log into the server and also access the directories made for her.
5. Conclusion
In this article, we explored how to create an sftp user in Linux. Also, we understood how to set up a server, create directories, and obtain the permissions needed to enable our users to share files using SFTP efficiently.
Creating an sftp user can make file transfer and management easier for administrators. However, it’s important to always ensure that the user operates with adequate permissions; otherwise, it can lead to security issues.