Let’s start at the beginning; why sftp?

Well, would you transmit your private details (including your password) in plain text? No? Well, FTP does. FTP is one of several protocols on a computer that transmits usernames and passwords in plain text across the internet (POP is another one, so we advise that you use secure email connections – but that’s another post. Which I haven’t written yet). If your email is sniffed mid-transmission, the hackers can find out all about your plans to go bowling after work on Friday. But if your FTP details are sniffed mid-transmission, your entire server security is compromised. Trust me – you don’t want that to happen.

SFTP (which, despite the name, is absolutely no relation to FTP) avoids that massive security risk by transmitted everything in encrypted form. It’s much, much harder to intercept.

It’s also incredibly hard to find a good tutorial on how to set it up. So here I’ll try to fill that gap.


The Problem:

I need to set up an SFTP server so that users can log in, update their own web files, but restrict users from seeing anyone else’s files. All web folders are in the /var/www/ folder. As we don’t have any existing users, I will assign usernames that match those folders, so access to the /var/www/petetest folder will be allowed to the user petetest.

The Steps:

1. Do NOT install an FTP program such as proftpd. You just don’t need one; SFTP is handled by the SSH program which is installed by default anyway.

2. (the real step 1) In a text editor, add the following lines to /etc/ssh/sshd_config

Match Group sftpusers
 ChrootDirectory /var/www/%u
 ForceCommand internal-sftp

What’s happening in these lines? We’re looking for users who are in the group sftpusers. Nobody else will get access to the server. We’re chrooting them (i.e, Jailing the users) to the folder /var/www/{their username}. They will be able to move downwards from that folder, but not up or across. Finally, we’re telling ssh to use its own sftp program.

3. For extra credit, change the Port at the top of this file from 22 to something else (choose a port not in use. e.g 2222). This gives just one extra layer of obfuscation for the hackers to get around.

4. Restart ssh with the following command;

service ssh restart

5. Check your permissions in /var/www

Each folder within /var/www should be owned by root:root, and have the permissions drwxr-xr-x applied to them.

The public folder (i.e the one which the web files are stored in) should be owned by www-data:www-data, and have the permissions drwxr-xr-x

6. Add the user to the correct groups

groupadd sftpusers
usermod -a -G sftpusers {username}
usermod -a -G www-data {username}

7. Try to connect.

The first time you connect, you may get a message such as ‘The server’s host key is unknown. You have no guarantee that the server is the computer you think it is.”. If so, check the host and port, and if they match, you can trust the host.

Common Issues

Note that you cannot chroot to the level of your public html folder – you must be one level above – otherwise you’ll NEVER get the permissions correct. It’s a security issue.

If you can see the folder, but you cannot SFTP a file into it – you don’t have the permissions set correctly. Add the ‘w’ permission to the group www-data.