Main Page

Sunday, 14 February 2021

Install and configure SFTP ( Allow only SFTP not SSH )

 1) Create a group 

[root@linuxhost ~]# groupadd sftpusers

2) Create a directory

[root@linuxhost ~]# mkdir -p /var/www/nfsdata

[root@linuxhost ~]# ls -ld /var/www/nfsdata/
drwxr-xr-x. 2 root root 6 Feb 14 06:31 /var/www/nfsdata/

3) Create a user and assign the password

[root@linuxhost ~]# useradd -g sftpusers -d /var/www/nfsdata -s /sbin/nologin bandaru
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.

[root@linuxhost ~]# passwd bandaru
Changing password for user bandaru.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

4) Add the following configurations in /etc/ssh/sshd_config ( Any user is part of sftpusers will allow sftp connection )

Subsystem       sftp    internal-sftp
Match Group sftpusers
ChrootDirectory /var/www/nfsdata
ForceCommand internal-sftp
PasswordAuthentication yes
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

5) Restart sshd and check the status

[root@linuxhost ~]# systemctl restart sshd

[root@linuxhost ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-02-14 06:39:07 EST; 7s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 2369 (sshd)
    Tasks: 1 (limit: 11343)
   Memory: 1.1M
   CGroup: /system.slice/sshd.service
           └─2369 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,a>

Feb 14 06:39:07 linuxhost systemd[1]: Stopped OpenSSH server daemon.
Feb 14 06:39:07 linuxhost systemd[1]: Starting OpenSSH server daemon...
Feb 14 06:39:07 linuxhost sshd[2369]: Server listening on 0.0.0.0 port 22.
Feb 14 06:39:07 linuxhost sshd[2369]: Server listening on :: port 22.
Feb 14 06:39:07 linuxhost systemd[1]: Started OpenSSH server daemon.

6) Check the sftp connection

[root@linuxhost ~]# sftp bandaru@localhost
bandaru@localhost's password:
Connected to bandaru@localhost.
sftp> ls
sftp> bye


7) Verify if ssh is not allowed

[root@linuxhost ~]# ssh bandaru@localhost
bandaru@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.




No comments:

Post a Comment