Graham Eddy

openssh-sftp Server

Install and configure openssh sftp server (not clients).

2022-07-28 Ubuntu 20.04, Raspbian bullseye

openssh has an inbuilt sftp server. openssh is presumed already installed, including for inward ssh access through firewall.

Domain users are mapped to UNIX accounts as follows:

Domain user
UNIX user
user (clearly might need disambiguation)
UNIX group
Domain directory
Domain user directory
UNIX home directory
/srv/ftp/domain – same as Domain directory for all domain users in that domain.

Each domain user individually owns their files and can change permissions, but by default all users in a domain have read/write on each others' files. There is no view of other domains.

Base configuration

graham:~ apt list openssh-server --installed openssh-server/jammy,now 1:8.9p1-3 amd64 [installed,automatic] graham:~ sudo addgroup sftp-only # group for all sftp users graham:~ sudo mkdir -p /srv/ftp # container for per-domain shares graham:~ sudo vi /etc/ssh/sshd_config
/etc/ssh/sshd_config uncomment line
Subsystem    sftp    /usr/libexec/sftp-server
append to end of file
# sftp server support
Match Group sftp-only
    PasswordAuthentication yes
    ChrootDirectory %h
    ForceCommand internal-sftp -d %u -u 007
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
graham:~ sudo systemctl restart sshd graham:~ systemctl status sshd

Add domain

Add domain

graham:~ sudo mkdir -p /srv/ftp/ # container for this domain's shares graham:~ sudo chown root:root /srv/ftp/ graham:~ sudo chmod 755 /srv/ftp/

Add domain user to domain

Add domain user fred.nerk to domain

Note: don't put '@' in the username as that causes problems trying to compose remote execution commands.

graham:~ sudo adduser --ingroup sftp-only --shell /usr/sbin/nologin \ --no-create-home --home /srv/ftp/ --gecos '' \ --force-badname fred.nerk # add domain user Password: fred.nerk's password graham:~ sudo usermod -e expiredate 1 fred.nerk graham:~ sudo mkdir /srv/ftp/ # add share specific to this domain user graham:~ sudo chown fred.nerk:sftp-only /srv/ftp/ graham:~ sudo chmod 2775 /srv/ftp/