openssh-sftp-server

openssh-sftp Server

Install and configure openssh sftp server (not clients).

2022-07-28 Ubuntu 20.04, Raspbian bullseye

openssh has an inbuilt sftp server. openssh is presumed already installed, including for inward ssh access through firewall.

Domain users are mapped to UNIX accounts as follows:

Domain user: user@domain
UNIX user: user (clearly might need disambiguation)
UNIX group: sftp-only
Domain directory: /srv/ftp/domain
Domain user directory: /srv/ftp/domain/user
UNIX home directory: /srv/ftp/domain – same as Domain directory for all domain users in that domain.

Each domain user individually owns their files and can change permissions, but by default all users in a domain have read/write on each others' files. There is no view of other domains.

Base configuration

graham:~ apt list openssh-server --installed openssh-server/jammy,now 1:8.9p1-3 amd64 [installed,automatic]

Verify openssh server is installed.

graham:~ sudo addgroup sftp-only # group for all sftp users graham:~ sudo mkdir -p /srv/ftp # container for per-domain shares graham:~ sudo vi /etc/ssh/sshd_config

/etc/ssh/sshd_config uncomment line

Subsystem    sftp    /usr/libexec/sftp-server

… append to end of file

# sftp server support
Match Group sftp-only
    PasswordAuthentication yes
    ChrootDirectory %h
    ForceCommand internal-sftp -d %u -u 007
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

graham:~ sudo systemctl restart sshd graham:~ systemctl status sshd

Verify sshd restarted cleanly.

Add domain

Add domain geddy.au.

graham:~ sudo mkdir -p /srv/ftp/geddy.au # container for this domain's shares graham:~ sudo chown root:root /srv/ftp/geddy.au graham:~ sudo chmod 755 /srv/ftp/geddy.au

Domain directory must be owned and writeable by root only.

Add domain user to domain

Add domain user fred.nerk to domain geddy.au.

Note: don't put '@' in the username as that causes problems trying to compose remote execution commands.

graham:~ sudo adduser --ingroup sftp-only --shell /usr/sbin/nologin \ --no-create-home --home /srv/ftp/geddy.au --gecos 'fred.nerk@geddy.au' \ --force-badname fred.nerk # add domain user Password: fred.nerk's password graham:~ sudo usermod -e expiredate 1 fred.nerk

Domain user is mapped directly to a UNIX system user. This might require disambiguation across domains e.g. by introducing a username prefix for a domain, or the google approach of a unique integer suffix.
Ensure UNIX login account for domain user is disabled.
Use the domain directory as the home directory for the UNIX account of all domain users in that domain. sftp access is chroot'ed jail for all those domain users i.e. all domain user can access all other users in domain but no visibility whatsoever in other domains.

graham:~ sudo mkdir /srv/ftp/geddy.au/fred.nerk # add share specific to this domain user graham:~ sudo chown fred.nerk:sftp-only /srv/ftp/geddy.au/fred.nerk graham:~ sudo chmod 2775 /srv/ftp/geddy.au/fred.nerk

Domain user home should be writeable by all users in domain.