Niladic Podcast

Setup a local SFTP server for development

OpenSSH comes with a SFTP server. First install OpenSSH Server.

sudo apt install openssh-server

Create sftponly group

sudo groupadd sftponly

Create the SFTP directory. The ChrootDirectory set in sshd_config must be owned by root and only writeable by root.

sudo mkdir /sftp/
sudo chown root:sftponly /sftp/
sudo chmod 2755 /sftp/
# The leading 2 is for g+s

If the ChrootDirectory is not owned by root you will get the following error:

packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe
Couldn't read packet: Connection reset by peer

Configure SFTP server

  • only available from localhost
  • only available to users in the sftponly group
  • /sftp/ is the directory on disk

Add the following to the bottom of /etc/ssh/sshd_config

Match Group sftponly
    ChrootDirectory /sftp/
    ForceCommand internal-sftp
    AllowTcpForwarding no
sudo service ssh restart

You can create directories inside and just copy files into them and they will be owned by the sftponly group.

sudo mkdir /sftp/files/
# Allow sftponly users to upload files
sudo chmod 2775 /sftp/files/
sudo cp file /sftp/files/

You can create a new user in the sftponly group and use that user and password to login to the SFTP server.

sudo useradd -M -G sftponly $newUser
sudo passwd $newUser
# set password
sudo -u $newUser sftp localhost

To add your user to the group

sudo usermod -a -G sftponly $USER

In order for your user to actually be in the sftponly group you need to log in after the usermod command. The safest thing to do is to compare your current groups with the new groups while you are still in the current environment. I forgot the -a in the usermod command and had to use GRUB to get a root terminal and add my user back to the correct groups.

groups
id

With the groups after login

su - $USER
groups
id

The only difference should be the sftponly group.