This tutorial is mainly about how to set up and use SFTP server on CentOS. Using FTP to transfer data is easy to be invaded by anonymous intruders (if TLS is not used), because its port is open to anyone. SFTP can be used as a safer alternative.
SFTP uses SSH file transfer protocol to provide a secure connection.
The tutorial will show how to provide clients with access to the SFTP server, but they cannot log in to the server itself through SSH.
1. Check whether there is SSH environment
SFTP service can be used as long as the SSH environment exists on the server. There is no need to install other programs. Run the following code for detection
rpm -qa | grep ssh
The following results show that the ssh package has been installed and SFTP can be used
[root@localhost ~]# rpm -qa|grep ssh libssh2-1.4.3-10.el7_2.1.x86_64 openssh-7.4p1-13.el7_4.x86_64 openssh-server-7.4p1-13.el7_4.x86_64 openssh-clients-7.4p1-13.el7_4.x86_64
2. Configure SFTP
We need to create a group and user to manage all SFTP accounts. First create a directory as the home directory of SFTP service. The SFTP user directory corresponds to the subdirectory under the directory.
mkdir -p /data/sftp chmod 701 /data
- Add user group
- Create the user username and add it to the sftpusers user group
useradd -g sftpusers -d /upload -s /sbin/nologin username
Add a password for this user
- Now we have a user with username in the sftpusers user group.
- -The d /upload command specifies that the SFTP root directory of the user is located on the server / data/sftp/upload
- It limits the SSH login of users through the shell and can only be accessed through SFTP
- Password set for user
- Create user usage directory and configure permissions
mkdir -p /data/sftp/upload chown -R root:sftpusers /data/sftp chown -R chown -R username:sftpusers /data/sftp/upload
Verify whether the folder under the directory / data exists and whether the configuration is correct.
ls -ld /data/ drwx-----x. 5 root root 54 Mar 22 14:29 /data/
ls -ld /data/sftp drwxr-xr-x. 3 root sftpusers 20 Mar 22 14:29 /data/sftp
ls -ld /data/sftp/upload drwxr-xr-x. 2 username sftpusers 6 Mar 22 14:29 /data/sftp/upload
cat /etc/passwd | grep username username:x:1001:1001::/upload:/sbin/nologin
User created directory using upload
mkdir -p /data/sftp/upload
Edit / etc/ssh/sshd_config configuration file, configure SSH protocol and create SFTP process.
Add the following configuration at the end of the file
Match Group sftpusers ChrootDirectory /data/sftp ForceCommand internal-sftp
Or specify the configuration for a single user
Match User username ForceCommand internal-sftp PasswordAuthentication yes ChrootDirectory /data/sftp/upload # Enable the following configuration. Anonymous login is not allowed X11Forwarding no AllowTcpForwarding no PermitTTY no ForceCommand cvs server
View sshd status
service sshd status
Redirecting to /bin/systemctl status sshd.service ● sshd.service - OpenSSH server daemon #...... Feb 26 19:32:16 JD sshd: Server listening on 0.0.0.0 port 22. Feb 26 19:32:16 JD sshd: Server listening on :: port 22.
service sshd restart
Let's create a file first
Try running the command in the SFTP environment
ls pwd lpwd exit
Now you can play happily. Try remote access
Note: if a Broken pipe error occurs, it is generally the directory permission configuration error specified by ChrootDirectory
ChrootDirectory specifies Group matching: for the folder pointed to, / data/sftp owner must be root, and the user Group must be the sftpusers user Group to which username belongs.
ChrootDirectory specifies the matching: the folder pointed to, / data/sftp owner must be username, and the user group must be the sftpusers user group to which username belongs.
From the folder pointed to by ChrootDirectory to all path folders on the system root path, the owner must be root, and the write permission of groups and users is not allowed (that is, the permission is 7xx, where x is less than 7)
If the Failed to start OpenSSH Server daemon error occurs, it is generally a configuration file error or directory permission error. You can check it through ssht -t
To access SFTP through SSH key, please refer to this article: