1. Home
  2. How to setup an SFTP server on CentOS
  1. Home
  2. How to setup an SFTP server on CentOS

How to setup an SFTP server on CentOS

1. Preliminary Note :-

Using CentOS 7 in the 64bit version. Same steps will work on CentOS 6 as well.

2. SFTP Installation :-

Run:

# rpm -qa|grep ssh

[root@localhost ~]# rpm -qa|grep ssh
libssh2-1.4.3-10.el7_2.1.x86_64
openssh-7.4p1-13.el7_4.x86_64
openssh-server-7.4p1-13.el7_4.x86_64
openssh-clients-7.4p1-13.el7_4.x86_64

3.- SFTP Configuration

Need to create a group and user so that we can manage all user that shall get SFTP access. But first, we have to create an additional folder called data.

# mkdir -p /data/sftp
# chmod 701 /data

create a group for the SFTP user

# groupadd sftpusers

Then create a user ‘howtoforge’ and assign it to the SFTPUSERS group.

# useradd -g sftpusers -d /upload -s /sbin/nologin mysftpuser
# passwd mysftpuser

Changing password for user mysftpuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Explanation of the above commands:

  1. I create a user and include the user into sftpusers group using -g command.
  2. I assign the main directory for the user to be in the /upload directory by setting the -d /upload command. This means that later the /upload folder will be under /data/mysftpuser/upload.
  3. I limit the access to the /sbin/nologin shell to ensure the user is only able to use the SFTP protocol, not SSH.
  4. I name the user “mysftpuser”.
  5. Set password for user “mysftpuser”.

need to create the /upload folder under /data/mysftpuser, then assign appropriate ownership to the folder.

# mkdir -p /data/mysftpuser/upload
# chown -R root:sftpusers /data/mysftpuser
# chown -R mysftpuser:sftpusers /data/mysftpuser/upload

Verify the directory /data exists and that we made the configuration correct.

[root@localhost ~]# ls -ld /data/
drwx—–x. 5 root root 54 Mar 22 14:29 /data/

[root@localhost ~]# ls -ld /data/mysftpuser
drwxr-xr-x. 3 root sftpusers 20 Mar 22 14:29 /data/mysftpuser

[root@localhost ~]# ls -ld /data/mysftpuser/upload
drwxr-xr-x. 2 mysftpuser sftpusers 6 Mar 22 14:29 /data/mysftpuser/upload

[root@localhost ~]# cat /etc/passwd|grep mysftpuser
mysftpuser:x:1001:1001::/upload:/sbin/nologin

Now configure the SSH protocol to create an SFTP process. This can be done by editing the configuration file under /etc/ssh/sshd_config.

Below are the steps:

# nano /etc/ssh/sshd_config

Add the following lines at the end of the file.

Match Group sftpusers
ChrootDirectory /data/%u
ForceCommand internal-sftp

Once done restart the SSH services, below are the steps:

# service sshd status

service sshd restart

4. Testing SFTP: –

If your client server didn’t have it you may download and install it with yum as shown below:

yum list nmap

# yum install nmap -y

You’ll notice that currently on our SFTP server, the only open port is SSH 22. Now, let’s try to access the SFTP server (IP: 192.168.1.100 in my case) from TEST01 client.

[root@TEST01 /] # sftp [email protected]

Now let’s try to get a file from the SFTP server directory into our testing client. First, let’s create a test file under /data/mysftpuser/upload.

# cd /data/mysftpuser/upload
# touch testing_file.txt

Then go back to our testing site TEST01 and see if we able to get and download the created file.

[root@TEST01 /]# sftp [email protected]

[email protected]’s password:
Connected to 192.168.1.100.
sftp> pwd
Remote working directory: /upload
sftp> ls
testing_file.txt
sftp> get testing_file.txt
Fetching /upload/testing_file.txt to testing_file.txt
sftp> quit

Excellent! Our SFTP test has been successful, let’s try to access SSH using the user mysftpuser. As previously, we’ve set configuration as /sbin/nologin, therefore the user won’t be able to use SSH services:

[root@TEST01 ~]# ssh [email protected]
[email protected]’s password:
This service allows sftp connections only.
Connection to 192.168.1.100 closed.

Now we have a secured SFTP server up and running.

 

 

Updated on March 11, 2020

Was this article helpful?