
Enabling Linux CentOS as an SFTP server

Secure file transfer is needed in practically every network. scp works, but it is a bare copy tool: it has no remote directory listing, rename or resumable transfers, and because it runs a command on the remote side it needs the user to have a shell there. SFTP is a real file-transfer protocol carried as an SSH subsystem over the same authenticated, encrypted channel, and it can be confined to a directory without giving the user any shell at all.

SFTP can be enabled on any Linux server that has openssh-server installed, which is practically every distribution, since most of them ship OpenSSH by default.

To check whether the service is installed and running, use:

systemctl status sshd

If for any reason it is not installed, install it with:

yum install openssh-server

Keep in mind that SFTP, like scp, is carried inside the SSH connection, so it uses whatever port sshd listens on (TCP/22 by default, changed with the Port directive). No extra port needs to be opened on the firewall.

For SFTP you normally do not want to give the users anything beyond file transfer (in particular, no shell access). To handle that, create a dedicated group for the SFTP users and add the related users to it with a non-login shell. The chroot configured below makes the user's home directory irrelevant, so the default home that useradd creates does not matter; do set a password for the user with passwd, since the test at the end of this post uses password authentication.

groupadd sftpusers
useradd -g sftpusers -s /sbin/nologin sftpuser

We also need a separate folder structure for SFTP: a main folder owned by root and a subfolder that the sftpusers group can write to. The main folder will be the chroot root, and sshd insists that it, and every directory above it, be owned by root and writable by nobody else (more on this below).

mkdir -p /opt/sftp/
chown -R root:root /opt/sftp
mkdir -p /opt/sftp/sftpdirectory/
chown -R root:sftpusers /opt/sftp/sftpdirectory

Assign the right permissions to the sftpdirectory folder. Mode 770 lets every member of sftpusers read, write and delete everything in the shared directory, which is what a shared drop folder needs; leave the parent /opt/sftp at the default 755 so that it passes the chroot ownership check.

chmod 770 /opt/sftp/sftpdirectory/

Our final step is to add a Match block to /etc/ssh/sshd_config. Append the following lines at the very end of the file: everything after a Match line applies only to the connections it matches, until the next Match, so any global directives must stay above it. The Subsystem sftp line that is already in the file is left alone; the ForceCommand below overrides it for this group.

Match group sftpusers
        ChrootDirectory /opt/sftp
        ForceCommand internal-sftp -d /sftpdirectory
        PasswordAuthentication yes
        PermitTunnel no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no

Now, note that because we use ChrootDirectory, /opt/sftp itself must be owned by root and must not be group- or world-writable, and the same holds for every parent directory up to /. If that check fails, sshd refuses the login and logs "bad ownership or modes for chroot directory". That is why /opt/sftp belongs to root and the writable area is a subfolder.
The -d /sftpdirectory option on the next line makes internal-sftp start the session in /sftpdirectory (a path relative to the chroot), where our users have the appropriate permissions. Without it the session starts in the read-only chroot root and users have to change directory manually, which is not a pleasant experience.
After saving the file, check the syntax with sshd -t and then restart the service with systemctl restart sshd; the change applies to new connections only.
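The whole procedure above, collected into one idempotent script that also performs the ownership check sshd applies to the chroot path before letting anyone in. This is an added example, not code from the original post: the group, user and paths are taken from the post, while the function names (sftp_match_block, check_chroot_path, setup_sftp_chroot) and the "apply" argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): chroot-only SFTP on CentOS.
# Group, user and paths follow the post; the functions and the "apply"
# argument are assumptions of this example.
set -euo pipefail

SFTP_GROUP=sftpusers
SFTP_USER=sftpuser
CHROOT=/opt/sftp            # owned by root, 755: this is the chroot root
SUBDIR=sftpdirectory        # root:sftpusers, 770: the writable area
SSHD_CONFIG=/etc/ssh/sshd_config

# Print the Match block the post appends to sshd_config.
# $3 is the start directory relative to the chroot (internal-sftp -d).
sftp_match_block() {
    local group=$1 chroot=$2 startdir=$3
    cat <<EOF
Match Group $group
        ChrootDirectory $chroot
        ForceCommand internal-sftp -d /$startdir
        PasswordAuthentication yes
        PermitTunnel no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no
EOF
}

# sshd only accepts a ChrootDirectory when it and every directory above it
# are owned by root and are neither group- nor world-writable. Walk from
# the path up to / applying the same rule: returns 0 when sshd would accept
# it, 1 when it would log "bad ownership or modes for chroot directory".
check_chroot_path() {
    local dir=${1%/} owner mode
    [ -n "$dir" ] || dir=/
    while :; do
        owner=$(stat -c %u "$dir") || return 1
        mode=$(stat -c %a "$dir") || return 1
        if [ "$owner" != 0 ]; then
            echo "$dir: owned by uid $owner, must be root" >&2
            return 1
        fi
        # mode is octal (755, 1777, ...); mask the group/other write bits
        if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then
            echo "$dir: mode $mode is group/world writable" >&2
            return 1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Create the group, user, directory tree and sshd_config entry (idempotent).
setup_sftp_chroot() {
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    id "$SFTP_USER" >/dev/null 2>&1 \
        || useradd -g "$SFTP_GROUP" -s /sbin/nologin "$SFTP_USER"

    mkdir -p "$CHROOT/$SUBDIR"
    chown root:root "$CHROOT" && chmod 755 "$CHROOT"
    chown root:"$SFTP_GROUP" "$CHROOT/$SUBDIR" && chmod 770 "$CHROOT/$SUBDIR"
    check_chroot_path "$CHROOT"

    # Append the Match block once; it must stay at the end of the file
    # because directives after a Match line apply only to that match.
    if ! grep -qi "^Match Group $SFTP_GROUP\$" "$SSHD_CONFIG"; then
        sftp_match_block "$SFTP_GROUP" "$CHROOT" "$SUBDIR" >> "$SSHD_CONFIG"
    fi

    # Syntax-check before restarting: a broken sshd_config would lock you
    # out of the box on the next connection.
    sshd -t
    systemctl restart sshd
    echo "done; now set a password with: passwd $SFTP_USER"
}

# Only touch the system when explicitly asked: bash sftp-chroot.sh apply
if [ "${1:-}" = apply ]; then
    setup_sftp_chroot
fi
```

Run it as root with `bash sftp-chroot.sh apply`, then set the user's password. Once sshd has restarted, `ssh sftpuser@localhost` should be refused with "This service allows sftp connections only." while `sftp sftpuser@localhost` should land in /sftpdirectory. If the login is refused instead, run `check_chroot_path /opt/sftp` from the script: it names the first directory on the path that breaks the root-owned, not-group/world-writable rule.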

We can test that the service behaves as expected by connecting with the sftp client; the session should start directly in /sftpdirectory:

[root@localhost /]# sftp sftpuser@localhost
sftpuser@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /sftpdirectory

This Post Has One Comment

  1. JuDo

    Great article!
