Configure the SFTP server on Linux (CentOS)

  • 2020-05-27 08:00:39
  • OfStack

Compared with the traditional FTP service, SFTP is more convenient and more secure. On most systems it is installed by default together with the SSH server.

However, an SFTP account is simply an SSH account (that is, a system account), and by default it has broad access to the server. The following tutorial shows how to restrict an SFTP account's access in the way an FTP server does.

Necessary conditions:

Your openssh-server version must be at least 4.8p1, because the restriction relies on the ChrootDirectory configuration option that was added in that version.

To check the SSH version on your server, run the following command:


$ ssh -V

Specific implementation steps

First create a user group specifically for SFTP users:


$ groupadd sftpusers

Then create a user named test:


$ useradd -s /bin/false -G sftpusers test

Note that we set the shell of the test user to /bin/false so that the user has no shell access.

Edit /etc/ssh/sshd_config

Find the Subsystem configuration item and change it to:


Subsystem sftp internal-sftp

The reasons for using internal-sftp instead of the default sftp-server are:

It is the SFTP service implemented inside the sshd process itself. When a user is confined with ChrootDirectory, no files (such as the sftp-server binary and the libraries it depends on) need to exist inside the chroot.

Better performance, because no separate process has to be started for SFTP.

Then go to the end of the file and add the following settings so that users belonging to the sftpusers group can only access their own home directory:


# Match user groups; to match several groups, separate them with commas
Match Group sftpusers

# Confine the logged-in user to their own home directory
ChrootDirectory %h

# Force the sftp command
ForceCommand internal-sftp

# Keep these two lines if you don't want the user to be able to use forwarding; otherwise delete them
X11Forwarding no
AllowTcpForwarding no

Save and close the file

Change the owner of the test user's home directory to the root user:


chown root ~test

Restart the sshd service:


$ service sshd restart
#  or 
$ systemctl restart sshd

Test the user account:


$ ssh test@localhost

The connection will be refused or the login will fail. Now try SFTP:


$ sftp test@localhost

Once logged in, you will find that you cannot change directory to anywhere outside your home directory.

Frequently asked questions:

If you connect to the server and the following message appears:


> Write failed: Broken pipe   
> Couldn't read packet: Connection reset by peer

The cause of this problem is the permissions of the ChrootDirectory. The directory you set must be owned by root, otherwise sshd refuses the login. So make sure that the SFTP user's chroot directory is owned by root with 750 or 755 permissions. Note the following two rules:

Every directory from the chroot directory up to the system root must be owned by root; the group does not have to be root.
No directory from the chroot directory up to the system root may be group-writable (sshd also rejects world-writable directories, which is why a chroot under /tmp does not work).

Configure the sftp plug-in for sublime text3

Use the ST3 Package Control tool to search for and install the SFTP package; you can refer to the following article:

sublime text3 installs and configures the sftp plug-in



remote_path means something different from its FTP counterpart. For FTP it is the directory (and subdirectories) visible remotely; for SFTP it is the directory path on the remote server, such as /home/html.

Set upload_on_save to true and a file is automatically uploaded to the server whenever you save it.

Set sync_down_on_open to true and the remote file is automatically downloaded to update the local copy whenever you open the local file for editing.

