Ubuntu – How to setup a restricted SFTP server on Ubuntu

opensshserversftp

I would like to know how to set up root, sudo, sftp-only user accounts which won't be required public key authentication at log in. I would also like to know how to set up sftp-only users' home directories where they can't access upper level other directories.

Best Answer

The best resource to help you begin setting up an ssh service on a Host machine using Ubuntu is OpenSSH Server. This will allow you to use SSH File Transfer Protocol (also Secure File Transfer Protocol, or SFTP) to access, transfer, and manage files over SSH from a Client machine.

Overview of Solution

  • On Ubuntu you can setup an OpenSSH server on a Host machine and a user can then use ssh to connect from Client to Host's server using only a username and password. Note, however, that public key authentication is recommended,

"Make sure you have a strong password before installing an SSH server (you may want to disable passwords altogether)"

  • Administrative User Accounts created on Host will have sudo privileges, Standard User Accounts created on Host will not.

Install and configure your OpenSSH Server on Host

To install an OpenSSH server on Host:

sudo apt-get install openssh-server

Give your Host a Static IP address so you can reliably connect to it:

nm-connection-editor

To configure your OpenSSH server, "first, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh by doing:"

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults

"Once you've backed up your sshd_config file, you can make changes with any text editor, for example:"

sudo -H gedit /etc/ssh/sshd_config

You must restart your ssh service on Host for these changes to take effect

sudo service ssh restart

Consider the Following Security Measures

  • Don't enable port-forwarding on your router: When outsider asks your router to connect outsider to Port 22, etc., your router fails to comply unless you have enabled port-forwarding
  • Disable root login: Comment out PermitRootLogin without-password; add PermitRootLogin no to Host's /etc/ssh/sshd_config
  • Choose non-standard SSH port: Comment out Port 22; add Port <new-port-number> to Host's /etc/ssh/sshd_config
  • Allow only local connections: Add ListenAddress 192.168.0.10
  • Allow certain users on certain ports: Add AllowUsers <username>@<IP_address_1> <username>@<IP_address_2> or AllowUsers <username>@111.222.333.* to Host's /etc/ssh/sshd_config
  • Allow only RSA key (passwordless) connections: Append the contents of ~/.ssh/id_rsa.pub from each Client as a new line of Host's ~/.ssh/authorized_keys. Then add PasswordAuthentication no to to Host's /etc/ssh/sshd_config
  • Slow attackers' cracking attempts: Use ufw (uncomplicated firewall) on Host to rate limit incoming connections to 10/minute: sudo apt-get install ufw && sudo ufw limit OpenSSH
  • For more ideas, see Keeping SSH Access Secure

If you feel you must, Enable PasswordAuthentication in your sshd_config file

Find the line with the phrase PasswordAuthentication and make it read:

PasswordAuthentication yes

Save your new sshd_config file and then restart Host's ssh service:

sudo service ssh restart

If you need access from anywhere over the internet, Setup Port Forwarding on your local router to direct traffic to your OpenSSH server

Note the port Host's ssh service listens to in the sshd_config file and setup your router to forward TCP/UDP traffic aimed at this port to the IP address of your OpenSSH server.

Connect to Host and login via command-line or terminal

  • To open an SFTP shell terminal as <username> on Host, open a Terminal on Client and enter the following command, replacing 123.123.1.23 with Host's IP address:

    sftp <username>@123.123.1.23

    • If you changed the port number Host's OpenSSH server listens to, do:

      sftp -P <port_number_in_Host's_sshd_config_file> <username>@123.123.1.23

  • To open an SSH shell terminal as <username> on Host, open a Terminal on Client and enter the following command, replacing 123.123.1.23 with Host's IP address:

    ssh <username>@123.123.1.23

    • If you changed the port number Host's OpenSSH server listens to, do:

      ssh -p <port_number_in_Host's_sshd_config_file> <username>@123.123.1.23

Connect to Host and login via GUI file manager (e.g., Nautilus) for more visual SFTP access to enable file transfers

  1. Open Nautilus on Client
  2. Select File > Connect to Server
  3. Type: SSH
  4. Server: Enter Host's IP address
  5. Port: port number specified in Host's sshd_config file
  6. User name: username
  7. Password: password

enter image description here

In 14.04:

  1. Open Nautilus on Client
  2. Connect to Server
  3. Type: `ssh @123.123.1.23:

Create Standard User Accounts on Host with limited file permissions outside their home folder

Proper file permissions in place on Host guarantee that each standard user (without sudo privileges) that you create on Host will own their /home/new_user directory but have limited permissions with the rest of the directory structure.

  • Limited permissions does not necessarily mean they are unable to view filenames and directory structure.

Hope that's helpful!

Related Question