Setting up an SFTP service on Linux (CentOS)

https://www.howtoforge.com/tutorial/how-to-setup-an-sftp-server-on-centos/

This tutorial is mainly about how to set up and use an SFTP server on CentOS. Transferring data over plain FTP (without TLS) leaves it exposed to anonymous intruders, because the service's port is open to anyone. SFTP is a safer alternative.

SFTP (the SSH File Transfer Protocol) runs over an SSH connection, which provides the secure channel.

This tutorial shows how to give clients access to the SFTP server while preventing them from logging in to the server itself over SSH.
1. Check whether SSH is installed

SFTP is provided by the SSH server itself, so as long as OpenSSH is present on the server no other packages are needed. Check with:

rpm -qa | grep ssh

Output like the following shows that the OpenSSH packages are installed and SFTP can be used:

[root@localhost ~]# rpm -qa|grep ssh
libssh2-1.4.3-10.el7_2.1.x86_64
openssh-7.4p1-13.el7_4.x86_64
openssh-server-7.4p1-13.el7_4.x86_64
openssh-clients-7.4p1-13.el7_4.x86_64
2. Configure SFTP

We create a dedicated group and user to manage all SFTP accounts. First create a directory to serve as the home of the SFTP service; each SFTP user's directory is a subdirectory beneath it.

mkdir -p /data/sftp 
chmod 701 /data
  1. Add the user group
groupadd sftpusers
  2. Create the user (here called username) and add it to the sftpusers group
useradd -g sftpusers -d /upload -s /sbin/nologin username

Set a password for this user

passwd username
  • We now have a user called username in the sftpusers group.
  • -d /upload sets the user's home directory to /upload; inside the chroot this corresponds to /data/sftp/upload on the server.
  • -s /sbin/nologin prevents shell login over SSH, so the account can only be used through SFTP.
  • A password has been set for the user.
  3. Create the user's working directory and set its permissions
mkdir -p /data/sftp/upload
chown -R root:sftpusers /data/sftp
chown -R username:sftpusers /data/sftp/upload

Verify that the directories under /data exist and that their ownership and permissions are correct:

ls -ld /data/
drwx-----x. 5 root root 54 Mar 22 14:29 /data/
ls -ld /data/sftp
drwxr-xr-x. 3 root sftpusers 20 Mar 22 14:29 /data/sftp
ls -ld /data/sftp/upload
drwxr-xr-x. 2 username sftpusers 6 Mar 22 14:29 /data/sftp/upload
cat /etc/passwd | grep username
username:x:1001:1001::/upload:/sbin/nologin

The user works in the upload directory inside the chroot, which was created above with:

mkdir -p /data/sftp/upload

Next edit the /etc/ssh/sshd_config configuration file so that sshd chroots these users and runs the internal SFTP subsystem for them.

vi /etc/ssh/sshd_config

Add the following at the end of the file (a Match block applies until the next Match block or the end of the file, so it must come after the global settings):

Match Group sftpusers
    ChrootDirectory /data/sftp
    ForceCommand internal-sftp

Or specify the configuration for a single user:

Match User username
    ForceCommand internal-sftp
    PasswordAuthentication yes
    # the chroot directory and all of its parents must be owned by root and
    # must not be group- or world-writable (see the Broken pipe note below)
    ChrootDirectory /data/sftp/upload
    # Optional hardening: disable forwarding and TTY allocation for this user
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no

Check the sshd status

service sshd status
Redirecting to /bin/systemctl status sshd.service
● sshd.service - OpenSSH server daemon
#......
Feb 26 19:32:16 JD sshd[30788]: Server listening on 0.0.0.0 port 22.
Feb 26 19:32:16 JD sshd[30788]: Server listening on :: port 22.

Restart the service so the new configuration takes effect

service sshd restart

Create a test file so there is something to list:

touch /data/sftp/test.tst

Start an SFTP session to the local server:

sftp username@127.0.0.1

Try running some commands in the SFTP environment:

ls      # list the remote directory (inside the chroot)
pwd     # remote working directory, as seen from inside the chroot
lpwd    # local working directory on the client
exit

Everything works. Now try connecting from a remote client.

Note: if a Broken pipe error occurs, it is usually caused by wrong permissions on the directory specified by ChrootDirectory.

When ChrootDirectory is set in a Match Group block, the directory it points to, /data/sftp, must be owned by root, and its group must be the sftpusers group that username belongs to.
When ChrootDirectory is set in a Match User block, the directory it points to, /data/sftp, must be owned by username, and its group must be the sftpusers group that username belongs to.
Every directory on the path from the ChrootDirectory up to the system root must be owned by root and must not be writable by group or others (that is, the mode is 7xx, where x is less than 7).
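As an added example that is not part of the original tutorial, the following POSIX shell function automates the ownership and permission check described above (the same check done by hand with ls -ld in step 2). It walks from the ChrootDirectory up to a stop directory (/ by default) and reports every component that is not owned by the required owner (root, uid 0, by default) or is writable by group or others. The stop-directory and owner parameters are assumptions added so the function can also be exercised on a throwaway directory tree without root; stat -c is GNU coreutils syntax, as found on CentOS.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Check the rule sshd enforces for ChrootDirectory: the directory and every
# parent up to / must be owned by root and must not be group- or world-writable.
#
# usage: check_chroot_path DIR [STOP_DIR] [OWNER_UID]
#   DIR        the ChrootDirectory to check, e.g. /data/sftp
#   STOP_DIR   highest directory to inspect (default /); assumed parameter
#   OWNER_UID  required owner uid (default 0 = root); assumed parameter
# Prints each offending directory; returns 1 if any was found, 0 if all are fine,
# 2 if a directory could not be inspected.
check_chroot_path() {
    dir=$1
    stop=${2:-/}
    owner=${3:-0}
    rc=0
    while :; do
        # GNU stat: %u = numeric owner uid, %a = permission bits in octal
        info=$(stat -c '%u %a' "$dir") || return 2
        uid=${info% *}
        mode=${info#* }
        # read the octal string as an octal number and extract the
        # group (second-to-last digit) and other (last digit) bits
        group_bits=$(( (0$mode / 8) % 8 ))
        other_bits=$(( 0$mode % 8 ))
        if [ "$uid" != "$owner" ]; then
            echo "BAD owner: $dir is owned by uid $uid, expected $owner"
            rc=1
        fi
        # bit value 2 in a permission digit is the write bit
        if [ $(( group_bits & 2 )) -ne 0 ] || [ $(( other_bits & 2 )) -ne 0 ]; then
            echo "BAD mode:  $dir has mode $mode (writable by group or others)"
            rc=1
        fi
        # stop after inspecting the stop directory or the filesystem root
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# When run as a script, check the directory given on the command line,
# e.g.  sh check_chroot.sh /data/sftp
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it as root against the tutorial's layout with check_chroot_path /data/sftp (or /data/sftp/upload for the single-user variant); any line starting with BAD names the directory whose owner or mode would make sshd refuse the chroot and close the connection.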

If a Failed to start OpenSSH Server daemon error occurs, it is usually a configuration file error or a directory permission error. Check the configuration with sshd -t:

sshd -t 

To access SFTP with an SSH key instead of a password, see this article:

https://tufora.com/tutorials/linux/general/setup-an-sftp-server-on-centos

Tags: Front-end Linux CentOS sftp ssh

Posted by nagasea on Fri, 15 Apr 2022 00:01:16 +0300