How To Install And Configure SFTP In Redhat/Centos 7/8

In this guide we will try to configure SFTP server in our CentOS 8 Linux. By default you dont need to configure SFTP for normal operations. That means any user who can remotely login to server via SSH can also access the SFTP server. The default directory will be user's home directory. But users are free to roam with in server root file system. That is a security breach. To tackle this issue you have to make some changes in your /etc/ssh/sshd_config file. But before this, lets try to know what is FTP and SFTP and how they are differ from each other.

FTP : File Transfer Protocol aka FTP is an insecure network protocol which is used to transfer (download/upload) data over network in a plain text format from one system to another system.

SFTP : SFTP (SSH File Transfer Protocol) is an in-built network protocol, usually run as SSH subsystem , that provides file transfer operations.SFTP-Server module is used to implemets with SSH-Server for this process . SFTP-Server does not interact directly to provide its services so it integreted with SSH by using internal-sftp subsystem. Basic SFTP service requires no additional setup.

And in this guide, We setup and configure the SFTP server with multiple scenarios.

Pre-Requisite: A CentOS-Redhat 7/8 operating system with installed openssh-server and openssh-clients packages.

To check this run below command.

rpm -qa openssh-server
rpm -qa openssh-clients

Scenarios 1

Configure SFTP server with chroot environment with password authentication and restrict SSH for a user

In our this scenario, We will configure SFTP server to allow only specified user to access SFTP within their specified directory path without allowing SSH login and root files system access (chroot). To accomplish this we have to follow below steps. lets start...

1) Create a user named "sftpuser" which will be used to authenticate by our clients in order to access our SFTP server

adduser sftpuser
passwd sftpuser

2) Now create a directory named downloads which will be serve to transfer files by SFTP server.

mkdir -p /var/sftp/downloads

3) Now we have to set permissions for our /var/sftp/ and /var/sftp/downloads so clients have appropriate permissions over files and directories.

chmod 755 /var/sftp
chown root:root /var/sftp
chown sftpuser:sftpuser /var/sftp/downloads

In above step , root has ownership and full permissions over /var/sftp/ directory and other only have read and execute permissions and sftpuser has full permissions and ownership over /var/sftp/downloads.

6) Now edit the /etc/ssh/sshd_config file and append below lines.


1) If you want to setup SSH key base authentication then use ssh-copy-id command to transfer the public key to server before editing the sshd_conf file and remove the PasswordAuthentication line from the below configuration.

2) Commented out the existing Subsystem directive then append below one before any Match directive

Subsystem sftp internal-sftp

Match User sftpuser
ForceCommand internal-sftp -d /downloads
PasswordAuthentication yes
ChrootDirectory /var/sftp/
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Lets understand the above configuration

a) Subsystem> Configures an external subsystem (e.g. file transfer daemon). The name internal-sftp implements an in-process SFTP server(dont run sftp-server process separately). This may simplify configurations using ChrootDirectory to force a different filesystem root on clients

b) Match is the condition which tells the server to run the SFTP services only if the options/keywords define under "match" block statisfied.

c) User User option tells that only specified users are allowed to access SFTP server, supply names with spaces between each of them if you want to add more than one user.

d) ForceCommand Forces the execution of the command specified by ForceCommand and ignore any command supplied by client. This will restrict the user to execute any command except specified one.

e) ChrootDirectory Specify the chroot path for the SFTP clients so they can not access any directory beyond defined one

f) PermitTunnel Specifies whether psudo network tunnel device forwarding is allowed or not

g) AllowAgentForwarding AllowTcpForwarding X11Forwarding : Specifies whether ssh-agent , TCP port , and X11 display server forwarding services are allowed or not

7) Now restart the sshd services. And adjust firewall settings.

sudo systemctl restart sshd.service
sudo firewall-cmd --permanent --add-port=22/tcp

8) Try to access the SFTP server from client machine or from same machine with sftpuser username.

In above example picture, You can see that we have configured our SFTP server to access only specified directory with in chroot environment.

9) Try to remote login to server by SSH command.

You will get error as shown in above example.

This is how you can configure the SFTP server for a user/s with chroot environment

Scenario 2

Now we will configure our SFTP server with multiuple users(group) within their own saperated directory paths with chroot environment. User will not able to go beyond that directory path and can not modify another user's files. Lets start...

I have created two user accounts named clinet1 and client2 for this scenario & set password for both accounts and now we have to add these users to a new group. lets do it...

1) First of all create a new group for our SFTP server

groupadd sftpgrp

2) Add your sftp users to this new group

usermod -aG sftpgrp client1
usermod -aG sftpgrp client2

3) Now create a new directory which will act as root directory for our chroot jailed user.

mkdir -p /var/sftp/users/

4) Create new directory for each user under the chroot /var/sftp/users/ directory

mkdir -p /var/sftp/users/client1/
mkdir -p /var/sftp/users/client2/

5) Change the permissions for our newly created directories accordingly.

chmod 755 /var/sftp
chown root:root /var/sftp
chmod 755 /var/sftp/users
chown root:sftpgrp /var/sftp/users
chmod 750 /var/sftp/users/client1
chown -R client1:client /var/sftp/users/client1
chmod 750 /var/sftp/users/client2
chown -R client2:client2 /var/sftp/users/client2

6) Now open the /etc/ssh/sshd_config file and append the below configuration under it. If you want to set SSH key base login then do it before editing sshd_config file.

Subsystem sftp internal-sftp

Match Group sftpgrp
ForceCommand internal-sftp -d %u
PasswordAuthentication yes
ChrootDirectory /var/sftp/users/

Lets understand the configuration options

a) Group directive specify the group name for this Match block

b) ForceCommand directive specify the commands to execute by group users

c) -d option is used to "start/directory/path" for login account and %u token is for "login-account-username". That means SFTP command will redirect login user to specified directory with in its username directory.

d) ChrootDirectory specify the change root path for our SFTP server.

Note: Please comment out the existingSubsystem directive line from the sshd configuration file

7) Restart the sshd services & setup firewall rules.

systemctl restart sshd

8) try out SFTP server from local or remote machine.

sftp client1@localhost
sftp client2@localhost

Test your configuration e.g browsing another user's home directory and try to create some files or try to access / root file system or beyond the chroot environment.

9) Exit from SFTP server and Try out access SSH login using same user.

ssh client1@localhost

Thats how you can configure SFTP for multiple users with separated directories

Scenario 3

In above scenarios we have seen that how to configure SFTP to allow users and groups to access the File-Server within its jailed chroot environment. But what if you need to restrict an user account to access a SFTP server. In our this scenario we will configure our SFTP server to restrict an user account to access the SFTP server. This will restrict any user account to access server either using SFTP or SSH then we configure SFTP server to allow user to only access SSH and restrict to access SFTP file server. lets start...

Configure SFTP server to restrict a user to access SFTP file server

Lets assume you have an user account on your SFTP server named admin. and you don't want to allow admin user to access SFTP file services. So you can disable the SFTP for admin user by editing the sshd_config file.

Append the below configuration for you admin account

Subsystem sftp internal-sftp

Match User admin
ForceCommand /usr/bin/false
DenyUsers admin

To restrict user admin you can use either ForceCommand directive OR DenyUsers directive.

Once you save the configuration and restart your sshd.service.

systemctl restart sshd

And try to access SFTP via admin user. You will not allowed to access SFTP anymore.

sftp admin@localhost

Configure the SFTP server for any regular user with limited shell access with no SFTP access

However above configuration also block user to access SSH login on SFTP server. This is due to security concern because if user is not permitted to access SFTP file server but allowed SSH login, he still can do anything on server if he/she has enough permissions. He can access the file/directories and even root files system on server.

But if you really need to permit your user to access SSH login due to some important tasks e.g monitoring server resources with top command. you can do that by configuring the sshd_config file. Below is the configuration to do that.

Subsystem sftp internal-sftp

Match User admin
ForceCommand /bin/top
DisableForwarding yes

The above configuration allow user admin to run top command on SFTP server remotely. But when you try to access the sftp it will give you an error. DisableForwarding allows you to enable/disable all forwarding.

If you need multiple tasks to execute on SFTP server then you can write a script and give absolute path to your script in ForceCommand. This is how you can configure the SFTP server for any regular user with limited shell access with no SFTP access

Other Scenarios

So we have learned how to configure SFTP File Server under different scenarios. But there are many other scenarios as well. Some are briefly explained below.

1) Access SFTP File server from specific machine IP address. And block access from any other machine IP. Just append below configuration in /etc/ssh/sshd_config file.

Subsystem sftp internal-sftp

Match Group group-name, Address xx.xx.xx.xx
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
ChrootDirectory /directory/path/

Match Group group-name, Address *,!xx.xx.xx.xx
DenyGroups group-name

Note: Address option should have same ip address(xx.xx.xx.xx) in both Match directives.

2) If you want to change the files permission which are newly created/transferred to SFTP Server then you can use the umask option to achieve this. Just edit below line in your /etc/ssh/sshd_config file.

Subsystem sftp internal-sftp -u 0022

Where -u option is stand for umask and 0022 means file owner will have full permissions and group and other have only read execute permissions.

SFTP Commands

Read How To Run SFTP Commands To Transfer Files

These are some basic methods to configure our SFTP server. You can learn more about SFTP and sshd_config file from official documentation page.

Hope this guide helped you to start configuring your own SFTP server


ssh_config(5) , OpenSSH WikiBooks , sftp-server(8) , digitalocean , redhat , serverfault

Post a Comment