Set up a local SFTP server for development
OpenSSH comes with a built-in SFTP server (internal-sftp), so only the OpenSSH server package is needed. First, install it:
sudo apt install openssh-server
Create the sftponly group:
sudo groupadd sftponly
Create a directory for the SFTP files. The directory named by ChrootDirectory in sshd_config, and every directory above it, must be owned by root and must not be writable by group or others; sshd refuses the login otherwise.
sudo mkdir /sftp/
sudo chown root:sftponly /sftp/
sudo chmod 2755 /sftp/
# The leading 2 sets the setgid bit (g+s) so new entries inherit the sftponly group
If the ChrootDirectory is not owned by root, or is writable by group or others, the client is disconnected with an error like the following; the real reason ("bad ownership or modes for chroot directory") only appears in the server log (journalctl -u ssh or /var/log/auth.log):
packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
Configure the SFTP server so that it is:
- only used from localhost
- only available to users in the sftponly group
- serving /sftp/ as the directory on disk
Note that the Match block below restricts what sftponly users can do once connected, not where they connect from; if sshd should not be reachable from the network at all, bind it to 127.0.0.1 with ListenAddress (outside any Match block) or firewall port 22.
Add the following to the bottom of /etc/ssh/sshd_config. It has to go at the end because every directive after a Match line belongs to that block until the next Match.
Match Group sftponly
ChrootDirectory /sftp/
ForceCommand internal-sftp
AllowTcpForwarding no
sudo service ssh restart
You can create directories inside it and copy files into them; because of the setgid bit they are owned by the sftponly group automatically.
sudo mkdir /sftp/files/
# Group-writable so sftponly users can upload; the chroot root /sftp/ itself must stay non-writable
sudo chmod 2775 /sftp/files/
sudo cp file /sftp/files/
You can create a new user in the sftponly group and log in to the SFTP server with that user name and password.
sudo useradd -M -G sftponly $newUser
sudo passwd $newUser
# set password
sudo -u $newUser sftp localhost
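The steps above as one script, added here as an example and not part of the original post. It assumes Debian/Ubuntu (apt-get, a service named ssh, GNU stat, /usr/sbin/nologin); the group name, chroot path and upload subdirectory are parameters at the top. Beyond the page's own Match block it also disables agent forwarding, X11 forwarding and tunnels, which is a hardening choice of this example. The privileged steps run only with `sudo sh setup-sftp.sh --apply <username>`; the helper functions can be sourced and used on their own to check an existing chroot path.

```shell
#!/bin/sh
# Added example: local SFTP-only chroot setup. Not the original post's code.
# Assumes Debian/Ubuntu, GNU coreutils (stat -c) and a "ssh" service.

SFTP_GROUP=sftponly
CHROOT=/sftp
UPLOAD_DIR=files

# Emit the sshd_config Match block for a group and chroot path.
# Must be appended at the END of sshd_config: every directive after a
# Match line belongs to that block until the next Match.
sshd_match_block() {
    group=$1; chroot=$2
    printf '%s\n' \
        "Match Group $group" \
        "    ChrootDirectory $chroot" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    AllowAgentForwarding no" \
        "    X11Forwarding no" \
        "    PermitTunnel no"
}

# sshd refuses a chroot whose path has a component writable by group or
# others. Returns 0 when neither write bit is set on the given path.
chroot_dir_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    last2=${mode#"${mode%??}"}          # group and other digits, e.g. "55" of 2755
    case $last2 in
        [2367]?|?[2367]) return 1 ;;     # 2/3/6/7 carry the write bit
    esac
    return 0
}

# Walk from the chroot up to / and verify root ownership and modes,
# the same checks sshd performs before chrooting.
chroot_path_ok() {
    p=$1
    while :; do
        chroot_dir_mode_ok "$p" || { echo "$p is group/world writable" >&2; return 1; }
        [ "$(stat -c '%u' "$p")" = 0 ] || { echo "$p is not owned by root" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

apply() {
    user=$1
    apt-get install -y openssh-server
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    mkdir -p "$CHROOT/$UPLOAD_DIR"
    chown root:"$SFTP_GROUP" "$CHROOT" && chmod 2755 "$CHROOT"
    chown root:"$SFTP_GROUP" "$CHROOT/$UPLOAD_DIR" && chmod 2775 "$CHROOT/$UPLOAD_DIR"
    chroot_path_ok "$CHROOT" || exit 1
    grep -q "^Match Group $SFTP_GROUP" /etc/ssh/sshd_config ||
        sshd_match_block "$SFTP_GROUP" "$CHROOT" >> /etc/ssh/sshd_config
    # Validate the config before restarting: a typo would otherwise leave sshd down.
    sshd -t || exit 1
    service ssh restart
    # No home directory and no usable shell: ForceCommand internal-sftp means the
    # shell is never used, so nologin (assumed at /usr/sbin/nologin) is safe.
    id "$user" >/dev/null 2>&1 || useradd -M -G "$SFTP_GROUP" -s /usr/sbin/nologin "$user"
    passwd "$user"
}

if [ "${1:-}" = "--apply" ]; then
    apply "${2:?usage: $0 --apply <username>}"
fi
```

The `sshd -t` step matters on a remote box: `service ssh restart` with a broken sshd_config kills the only way in. After the script finishes, `sftp <username>@localhost` should land in `/` of the chroot, with uploads only possible under `/files`.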
To add an existing user to the group:
sudo usermod -a -G sftponly $USER
Group membership is evaluated at login, so your user is only in the sftponly group in sessions started after the usermod command; the current session keeps its old groups.
The safest thing to do is to compare your current groups with the new groups while you are still in the current session, which still has the old groups and can fix any mistake.
I forgot the -a in the usermod command and had to use GRUB to get a root terminal and add my user back to the correct groups.
groups
id
Compare with the groups after login:
su - $USER
groups
id
The only difference should be the sftponly group.
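The comparison above done by script, added here as an example and not part of the original post. It checks for exactly the failure mode of a missing `-a`: a group that was present before the change and is gone in the fresh login. It assumes a Linux system with `id` and `su`; the group lists are passed in as space-separated strings, which is what `id -Gn` prints.

```shell
#!/bin/sh
# Added example: verify a group change lost nothing. Not the original post's code.
# Group lists are space-separated names as printed by `id -Gn`.

# verify_group_change BEFORE AFTER EXPECTED_NEW
# Returns 0 when AFTER equals BEFORE plus EXPECTED_NEW, otherwise prints what
# was lost or unexpectedly added and returns 1.
verify_group_change() {
    before=$1; after=$2; expected=$3
    lost=""; extra=""
    for g in $before; do
        case " $after " in *" $g "*) ;; *) lost="$lost $g" ;; esac
    done
    for g in $after; do
        case " $before " in
            *" $g "*) ;;
            *) [ "$g" = "$expected" ] || extra="$extra $g" ;;
        esac
    done
    case " $after " in
        *" $expected "*) ;;
        *) echo "new group $expected is missing (did you log in again?)" >&2; return 1 ;;
    esac
    if [ -n "$lost" ]; then
        echo "lost groups:$lost (re-add with: sudo usermod -a -G ${lost# } $USER)" >&2
        return 1
    fi
    if [ -n "$extra" ]; then
        echo "unexpected groups:$extra" >&2
        return 1
    fi
    return 0
}

# Live usage, run in the session that still has the old groups. `id -Gn` with
# no argument reports the running process's groups, so capture it BEFORE usermod;
# `id -Gn "$USER"` would already show the new membership and hide a lost -a.
#   before=$(id -Gn)
#   sudo usermod -a -G sftponly "$USER"
#   after=$(su - "$USER" -c 'id -Gn')
#   verify_group_change "$before" "$after" sftponly || echo "fix groups before logging out"
```

If the check reports lost groups, the current session still holds the old memberships and can run the `usermod -a -G` command to restore them, which is why the comparison has to happen before logging out.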