In this guide we are going to set up an sftp server on an Arch Linux
system. We will also set up a chroot so that users in the sftp group can
only access sftp, and only with the credentials we create for them.
The File Transfer Protocol (FTP) is a standard communication protocol used
to transfer files between a server and a client over a computer network.
FTP isn't popular today because it lacks security. When a file is
sent using this protocol, the data, username, and password are all
transmitted in plain text, which means anyone who can observe the traffic
can read them with little to no effort. For data to be secure, you need
to use a secure alternative to FTP such as SFTP.
SFTP (Secure File Transfer Protocol) is a file transfer protocol that
provides secure access to a remote computer over an encrypted channel. It
runs on top of SSH (Secure Shell) and is therefore also referred to as
the 'Secure Shell File Transfer Protocol'.
$ sudo systemctl status sshd
● sshd.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2021-12-03 10:19:02 UTC; 17min ago
   Main PID: 467 (sshd)
      Tasks: 1 (limit: 4606)
     Memory: 5.0M
     CGroup: /system.slice/sshd.service
             └─467 sshd: /usr/bin/sshd -D [listener] 0 of 10-100 startups

Dec 04 14:53:30 ip-10-2-40-103 sshd[13109]: Unable to negotiate with 141.98.10.246 port 34078: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exc>
Dec 04 14:53:42 ip-10-2-40-103 sshd[13111]: Unable to negotiate with 141.98.10.246 port 38674: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exc>
Dec 04 14:53:53 ip-10-2-40-103 sshd[13115]: Unable to negotiate with 141.98.10.246 port 43268: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exc>
Dec 04 14:54:05 ip-10-2-40-103 sshd[13117]: Unable to negotiate with 141.98.10.246 port 47864: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exc>
Dec 04 14:54:17 ip-10-2-40-103 sshd[13119]: Unable to negotiate with 141.98.10.246 port 52460: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exc>
Dec 04 14:54:41 ip-10-2-40-103 sshd[13123]: Unable to negotiate with 141.98.10.246 port 33418: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exc>
Dec 04 14:54:53 ip-10-2-40-103 sshd[13127]: Unable to negotiate with 141.98.10.246 port 38014: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exc>
Dec 04 14:55:05 ip-10-2-40-103 sshd[13129]: Unable to negotiate with 141.98.10.246 port 42614: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exc>
Dec 04 15:16:10 ip-10-2-40-103 sshd[13191]: Received disconnect from 61.177.173.21 port 60983:11: [preauth]
Dec 04 15:16:10 ip-10-2-40-103 sshd[13191]: Disconnected from authenticating user root 61.177.173.21 port 60983 [preauth]
Now that we have installed the necessary software and created the
users and groups, let us configure ssh.
Ensure password authentication is enabled for ssh. Edit the config
file /etc/ssh/sshd_config:

sudo vim /etc/ssh/sshd_config
Then ensure this line is present and not commented out:

PasswordAuthentication yes
Next, we need to add rules so that members of the sftpusers group are
restricted to sftp only. Edit the config file again:

sudo vim /etc/ssh/sshd_config
Add this content at the bottom of the file:

Match Group sftpusers
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
Then restart sshd to reload the config:

sudo systemctl restart sshd
Verify that sshd is running as expected:

$ sudo systemctl status sshd
● sshd.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
     Active: active (running) since Sat 2021-12-04 15:48:19 UTC; 18s ago
   Main PID: 14269 (sshd)
      Tasks: 1 (limit: 4606)
     Memory: 892.0K
     CGroup: /system.slice/sshd.service
             └─14269 sshd: /usr/bin/sshd -D [listener] 0 of 10-100 startups

Dec 04 15:48:19 ip-10-2-40-103 systemd[1]: Started OpenSSH Daemon.
Dec 04 15:48:19 ip-10-2-40-103 sshd[14269]: Server listening on 0.0.0.0 port 22.
Dec 04 15:48:19 ip-10-2-40-103 sshd[14269]: Server listening on :: port 22.
Now we have an sftp server up and running with a user configured!
The users will be able to log in to the server and access files and
directories located in their home directory. If you want to give a
user access to other directories outside their home directory, make
sure the user has sufficient permissions on them. These directories and
files must be located inside the chroot directory, /srv/sftp.
Example: if I want the user to access the
directory /srv/sftp/paymentfiles, do the following:
Create the directory:

sudo mkdir /srv/sftp/paymentfiles
Then give the user (citizix) access by making them the owner of
the directory: