SFTP : Secure file transfer

You can think of SFTP as FTP over SSH. Of course, it's a bit more than that 😉: for example, it can resume a partial transfer.

If you have SSH access to your server, you can sftp 😄.

If you want to provide an SFTP server for multiple users, using a chroot might be helpful to keep everyone's data safe from others. We'll talk about it later.

sftp usage

To copy files with the user account "batman", start a new sftp session :

$ sftp batman@athome.tld

If you configured key authentication (good idea!), use the -i flag:

$ sftp -i ~/.ssh/sshkey batman@athome.tld

Now you're in front of a prompt. You can enter commands such as :

And also cd, mkdir, quit and help to get a list of available commands.

Some people prefer a graphical tool to deal with sftp. Look at FileZilla or WinSCP for SFTP clients.

Also, most file managers can handle the sftp protocol. Try to open a path like:

sftp://batman@athome.tld:<port_number>

At least the default file browsers of Gnome, KDE and XFCE can do this.

However, if your file manager doesn't support SFTP, you can still use "sshfs" to mount a remote SFTP location like any other mountpoint.

$ sshfs -d batman@athome.tld:/remote/dir /home/batman/sftp \
    -o IdentityFile=/home/batman/.ssh/sshkey

chrooted SFTP

To share a storage space between users, you might want to lock them in a specific directory. That way, they can't reach any files above their own dedicated directory. It keeps everyone's data out of sight of the others, and also prevents sftp users from reaching system files. This is called a "chroot".

In other words, if a user is chrooted in "/var/sftp/batman", they can't read "/var/sftp" nor "/var", and even less "/". For this user, "/var/sftp/batman" is the new root "/".

For this example, we'll chroot every sftp user in "/var/sftp/user_name". You'll need to create the appropriate directories. All these users will belong to a group named "sftpusers" so that they are automatically chrooted when they connect with sftp.

Create this group:

# groupadd sftpusers

Then, edit "/etc/ssh/sshd_config" to chroot every user belonging to the group "sftpusers" in "/var/sftp":

Match Group sftpusers
      ChrootDirectory /var/sftp/
      ForceCommand internal-sftp
      AllowTcpForwarding no

Note that you can do the same for a single user: use a "Match User" section instead.

If you wish users to authenticate using keys, then add to the above section :

PasswordAuthentication no

Reload ssh with "# rcctl reload sshd".

Now make appropriate directories with required permissions for the chroot (this is critical):

# mkdir -p /var/sftp
# chown root:wheel /var/sftp
# chmod 700 /var/sftp
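As an added check (this script is not part of the original page), the POSIX sh functions below walk a ChrootDirectory path and test each component against the rules sshd enforces before chrooting: every directory from "/" down must be owned by root and must not be writable by group or others, otherwise the login is refused. They also flag a component that others cannot search, because sshd drops privileges before it chdirs into the user's home, so a root-only 700 chroot root leaves the user stuck in an unreadable "/". Function names are my own; the mode strings used in the comments are constructed examples.

```shell
#!/bin/sh
# Check one path component from its ls-style mode string and numeric owner uid.
# Returns 0 if sshd would accept it and users can traverse it, 1 otherwise.
# Constructed example: chroot_component_ok drwxr-xr-x 0 /var/sftp  -> ok
#                      chroot_component_ok drwxrwxr-x 0 /var/sftp  -> group-writable
chroot_component_ok() {
    mode=$1; uid=$2; name=$3
    case $mode in d*) ;; *) echo "$name: not a directory"; return 1 ;; esac
    [ "$uid" -eq 0 ] || { echo "$name: must be owned by root (uid is $uid)"; return 1; }
    # positions in "drwxrwxrwx": 6 = group write, 9 = other write, 10 = other exec
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    ox=$(printf '%s' "$mode" | cut -c10)
    [ "$gw" != "w" ] || { echo "$name: group-writable, sshd refuses this chroot"; return 1; }
    [ "$ow" != "w" ] || { echo "$name: world-writable, sshd refuses this chroot"; return 1; }
    # 't' is the sticky bit combined with the exec bit, so it counts as searchable
    case $ox in
        x|t) ;;
        *) echo "$name: not searchable by others, chrooted users cannot reach their home"; return 1 ;;
    esac
    return 0
}

# Walk every component of a live filesystem path ("/" first) and check each one.
# Usage: check_chroot_path /var/sftp
check_chroot_path() {
    path=${1%/}; rc=0; cur=""
    set -- $(ls -ldn /)
    chroot_component_ok "$1" "$3" / || rc=1
    rest=${path#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}; cur="$cur/$comp"
        set -- $(ls -ldn "$cur" 2>/dev/null)
        chroot_component_ok "$1" "$3" "$cur" || rc=1
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    done
    return $rc
}
```

A root-owned directory with mode 755 satisfies both conditions: sshd accepts it and chrooted users can still chdir into their own home below it.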

Read the next part to see how to create sftp users and their own directories.

Add sftp users

Any regular account belonging to the sftpusers group will match the above rule. Then create the user's own directory inside the chroot, with access restricted to that user:

# install -d -o new_user -g new_user -m 700 "/var/sftp/home/new_user"

Now, new_user is chrooted in "/var/sftp/home/new_user" when they log in using sftp.

If you enable key authentication, then you'll have to fill the file "/home/user/.ssh/authorized_keys" with the user's ssh public key. ⚠ I'm referring to the file "/home/user/.ssh/authorized_keys", NOT "/var/sftp/home/user/.ssh/authorized_keys": sshd reads the key file before it enters the chroot.