https://dikapediav2.com/wiki/index.php?action=history&feed=atom&title=SFTPSFTP - Revision history2026-05-15T09:11:16ZRevision history for this page on the wikiMediaWiki 1.41.0https://dikapediav2.com/wiki/index.php?title=SFTP&diff=167&oldid=prevArdika Sulistija: Created page with " <B>SFTP</B> - Secure File Transfer Protocol ---- To open an SFTP connection to a remote system, use the sftp command followed by the remote server username and the IP address or domain name: sftp remote_username@server_ip_or_hostname Once connected, you will be presented with the sftp prompt, and you can start interacting with the remote machine: # To 'get' Download file usin SFTP from remote server to your local machine. sftp> get [file] # To 'put Upload f..."2024-09-11T14:25:48Z<p>Created page with " <B>SFTP</B> - Secure File Transfer Protocol ---- To open an SFTP connection to a remote system, use the sftp command followed by the remote server username and the IP address or domain name: sftp remote_username@server_ip_or_hostname Once connected, you will be presented with the sftp prompt, and you can start interacting with the remote machine: # To 'get' Download file usin SFTP from remote server to your local machine. sftp> get [file] # To 'put Upload f..."</p>
<p><b>New page</b></p><div><br />
<br />
<B>SFTP</B> - Secure File Transfer Protocol <br />
<br />
----<br />
<br />
<br />
To open an SFTP connection to a remote system, use the sftp command followed by the remote server username and the IP address or domain name:<br />
sftp remote_username@server_ip_or_hostname<br />
<br />
<br />
Once connected, you will be presented with the sftp prompt, and you can start interacting with the remote machine:<br />
# To 'get' Download file usin SFTP from remote server to your local machine.<br />
sftp> get [file]<br />
<br />
# To 'put Upload file using SFTP from local machine to remote server.<br />
sftp> put [file]<br />
<br />
# Other useful commands:<br />
sftp> help<br />
sftp> pwd<br />
sftp> ls<br />
sftp> cd /tmp<br />
sftp> cd lpwd # To print local working directory<br />
sftp> mkdir directory_name # Create a new directory on remote server<br />
sftp> rename [file] # Rename a file on remote server<br />
<br />
<br />
<br />
==== Detailed steps of restricted SFTP-only access to a single directory====<br />
----<br />
<br />
<br />
There are many similar cases that customers (usually Wordpress users ) want to restrict some of their users only have the access to a single directory. I would like to put them together in case some of our customers ask for the detail steps rather than refer to the third-party website:<br />
<br />
1. Create a New Group<br />
<br />
Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.<br />
<br />
$ sudo su<br />
<br />
<br />
# groupadd sftpusers<br />
<br />
2. Create Users (or Modify Existing User)<br />
<br />
Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.<br />
<br />
The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).<br />
<br />
# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser<br />
<br />
<br />
# passwd guestuser (eg: 12345678 )<br />
<br />
<br />
Verify that the user got created properly.<br />
<br />
# grep guestuser /etc/passwd<br />
<br />
<br />
guestuser:x:500:500::/incoming:/sbin/nologin<br />
<br />
<br />
If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:<br />
<br />
# usermod -g sftpusers -d /incoming -s /sbin/nologin <current user name> <br />
<br />
<br />
3. Setup sftp-server Subsystem in sshd_config<br />
<br />
<br />
You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server). Modify the the /etc/ssh/sshd_config file and comment out the following line:<br />
<br />
#Subsystem sftp /usr/libexec/openssh/sftp-server<br />
<br />
Next, add the following line to the /etc/ssh/sshd_config file<br />
<br />
#Subsystem sftp /usr/libexec/openssh/sftp-server<br />
<br />
<br />
Subsystem sftp internal-sftp<br />
<br />
<br />
4. Specify Chroot Directory for a Group<br />
<br />
<br />
You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config<br />
<br />
<br />
Match Group sftpusers<br />
<br />
ChrootDirectory /sftp/%u<br />
<br />
ForceCommand internal-sftp<br />
<br />
PasswordAuthentication yes<br />
<br />
<br />
So this configuration will allow this current user “guestuser” sftp to the instance with password instead of using the same ssh key pair.<br />
<br />
<br />
5. Create sftp Home Directory<br />
<br />
Since we’ve specified /sftp as ChrootDirectory above, create this directory (which iw equivalent of your typical /home directory).<br />
<br />
# mkdir /sftp<br />
<br />
Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.<br />
<br />
<br />
# mkdir /sftp/guestuser<br />
<br />
<br />
So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.<br />
<br />
<br />
So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.<br />
<br />
<br />
# mkdir /sftp/guestuser/incoming<br />
<br />
<br />
6. Setup Appropriate Permission<br />
<br />
<br />
For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.<br />
<br />
<br />
Set the owenership to the user, and group to the sftpusers group as shown below.<br />
<br />
<br />
# chown guestuser:sftpusers /sftp/guestuser/incoming<br />
<br />
<br />
The permission will look like the following for the incoming directory.<br />
<br />
# ls -ld /sftp/guestuser/incoming<br />
<br />
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming<br />
<br />
<br />
The permission will look like the following for the /sftp/guestuser directory<br />
<br />
<br />
# ls -ld /sftp/guestuser<br />
<br />
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser<br />
<br />
# ls -ld /sftp<br />
<br />
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
***********************************************************************************************************************<br />
<br />
<br />
For WordPress user:<br />
<br />
<br />
Mount-> the source directory /sftp/guestuser/ to the target directory /www/var/html/mysite<br />
<br />
<br />
# chown guestuser:sftpusers /www/var/html/mysite<br />
<br />
<br />
Check the mount:<br />
<br />
#mount -l<br />
<br />
#mount -R /var/www/html/mysite /sftp/guestuser/incoming/<br />
<br />
<br />
7. Restart sshd and Test Chroot SFTP<br />
<br />
<br />
Restart sshd:<br />
<br />
# service sshd restart<br />
<br />
<br />
Test chroot sftp environment. As you see below, when gusetuser does sftp, and does “cd /”, they’ll only see incoming directory that mounted on /var/www/html/mysite.<br />
<br />
<br />
Connect the instance:<br />
<br />
$ sftp guestuser@<IP address><br />
<br />
guestuser@<IP address>'s password: ********<br />
<br />
<br />
Refer:<br />
<br />
http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
[+][https://linuxize.com/post/how-to-use-linux-sftp-command-to-transfer-files/ Click here for more info/examples]</div>Ardika Sulistija