Illumadmin

March 21, 2024

Configuring an SFTP server with OpenSSH

┌ Open a terminal and switch to root

su -

┌ Create the group for users authorized to connect via SFTP

groupadd sftpex

┌ Create the group that will allow disabling a user's account

groupadd nosftp

The purpose: to stop a user from connecting to their SFTP account, you only have to add that user to the nosftp group.
Because the Match block for nosftp is placed before the one for sftpex in /etc/ssh/sshd_config, and sshd uses the first value it obtains for each keyword, the nosftp ForceCommand takes effect.

To disable an account (usermod -G replaces the whole supplementary group list, so keep sftpex in it):

usermod -G sftpex,nosftp myuser


To enable the user again, just remove the user from the nosftp group
(edit /etc/group and delete myuser from the nosftp line).

┌ Create the root for the SFTP server

mkdir /SFTP

┌ Create an SFTP user

useradd -G sftpex -s /bin/false -m -d /SFTP/myuser myuser
passwd myuser

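┌ Configure permissions

sshd refuses the chroot unless the ChrootDirectory and every directory above it is owned by root and not writable by group or others, so the user's home is handed to root.

chown root:sftpex /SFTP/myuser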

┌ Create a folder for myuser

mkdir /SFTP/myuser/DATA 
chown myuser:sftpex /SFTP/myuser/DATA 
chmod 700 /SFTP/myuser/DATA


┌ Configure /etc/ssh/sshd_config

Open /etc/ssh/sshd_config, scroll down, find the Subsystem section and make it match what is written here:

# no default banner path
Banner none

# override default of no subsystems
Subsystem   sftp   internal-sftp

Match Group nosftp    
   ForceCommand /usr/bin/false 

Match Group sftpex    
   ChrootDirectory /SFTP/%u   
   ForceCommand internal-sftp    
   AllowTcpForwarding no    
   X11Forwarding no
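
Why the order of the two Match blocks matters, as an added example that is not part of the original post: a small model of sshd's "first obtained value wins" rule, run over the configuration above and over a constructed copy with the blocks swapped. The function name effective_value and both sample configs are assumptions made for illustration, and only plain "Match Group" criteria are handled.

```shell
# Added example: models the sshd_config rule that the first obtained value wins.
# Assumption: only "Match Group a[,b]" criteria, no wildcards or negation.
effective_value() {   # usage: effective_value KEYWORD group1,group2 < config
    awk -v want="$1" -v groups="$2" '
    BEGIN {
        n = split(groups, g, ",")
        for (i = 1; i <= n; i++) member[g[i]] = 1
        want = tolower(want)
        active = 1                       # global section applies to everyone
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    tolower($1) == "match" {             # a new Match block ends the previous one
        active = 0
        if (tolower($2) == "group") {
            m = split($3, pats, ",")
            for (i = 1; i <= m; i++) if (pats[i] in member) active = 1
        }
        next
    }
    active && !found && tolower($1) == want {
        $1 = ""; sub(/^[ \t]+/, ""); print; found = 1
    }
    END { if (!found) print "(default)" }
    '
}

page_config() { cat <<'EOF'
Subsystem   sftp   internal-sftp
Match Group nosftp
   ForceCommand /usr/bin/false
Match Group sftpex
   ChrootDirectory /SFTP/%u
   ForceCommand internal-sftp
EOF
}

swapped_config() { cat <<'EOF'   # constructed: same blocks, wrong order
Match Group sftpex
   ChrootDirectory /SFTP/%u
   ForceCommand internal-sftp
Match Group nosftp
   ForceCommand /usr/bin/false
EOF
}

page_config    | effective_value ForceCommand sftpex,nosftp    # /usr/bin/false
swapped_config | effective_value ForceCommand sftpex,nosftp    # internal-sftp
page_config    | effective_value ChrootDirectory nosftp        # (default)
```

The last call shows that an account left only in nosftp picks up no ChrootDirectory, so it must be put back in sftpex before it is re-enabled. On the real server, `sshd -T -C user=myuser` prints the settings sshd itself resolves for that user.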


┌ Restart SSH

svcadm restart svc:/network/ssh:default