Set up SFTP Server on Rocky Linux 8: Secure Data Transfer
This tutorial intends to teach you how to Set up SFTP Server on Rocky Linux 8. As you know, you can use the SFTP server to securely transfer your data information. This guide on the Orcacore website will show you how to Configure an SFTP User Account, a Transfer File for SFTP, and Login to the SFTP Server on Rocky Linux 8.
To complete this guide, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide on Initial Server Setup with Rocky Linux 8.
Now follow the steps below to complete your SFTP server setup.
Step 1 – Install SSH on Rocky Linux 8
You should have SSH installed on your server to set up the SFTP server. First, run the system update with the following command:
sudo dnf update -yThen, use the following command to install SSH:
sudo dnf install openssh-server -yManage SSH Service
When your installation is completed, use the commands below to start and enable the SSH service to start on boot:
# sudo systemctl start sshd
# sudo systemctl enable sshdVerify your SSH service is active and running on Rocky Linux 8:
sudo systemctl status sshd
Step 2 – Configure SFTP User Account on Rocky Linux 8
At this point, you need to create a group for the SFTP to grant some mutual permissions to a group of users.
First, create a group named “sftp” by using the command below: You can choose your desired name.
sudo groupadd sftpThen, create a user who will have the same privileges as the group. To do this, run the command below: You can choose your desired name.
sudo useradd orcaVerify that your user has been created by using the command below:
less /etc/passwd | grep orca**Output**
orca:x:1000:1001::/home/orca:/bin/bashThen, create a password for your user by using the following command:
sudo passwd orca**Output**
Changing password for user orca.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.Now you need to add your user to the SFTP group on Rocky Linux 8:
sudo usermod -a -G sftp orcaAt this point, verify the SFTP’s group details by using the command below:
grep sftp /etc/group**Output**
sftp:x:1000:orcaAs you can see from the output, the user orca was added successfully to the SFTP group.
Step 3 – Configure a Transfer File for SFTP on Rocky Linux 8
At this point, you need to have a directory that the users can access instead of accessing the entire machine.
To create the directory under /var/sftp/ run the command below:
sudo mkdir -p /var/sftp/DocumentSet the ownership of the above directory to the root user by using the following command:
sudo chown root:root /var/sftpAlso, set the correct permissions for it:
sudo chmod 755 /var/sftpAt this point, you need to allow access to the “Documents” directory to the SFTP user (orca):
sudo chown orca:orca /var/sftp/DocumentNow you need to edit the SSH configuration file. Open the file with your favorite text editor, here we use the vi editor:
sudo vi /etc/ssh/sshd_configFind the Subsystem sftp /usr/lib/openssh/sftp-server line and add the following content under it:
**Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match User orca
ChrootDirectory /var/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp**When you are done, save and close the file.
Restart SSH, to apply the changes:
sudo systemctl restart sshdStep 4 – Login to SFTP Server on Rocky Linux 8
First, connect to the user SFTP User using the SSH service only for the testing purpose:
ssh orca@localhost**Output**
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
orca@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.To test from the same system as the one you just configured SFTP on, connecting to the loopback address 127.0.0.1 will work just fine.
sftp orca@127.0.0.1**Output**
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
orca@127.0.0.1's password:
Connected to 127.0.0.1.
**sftp> **At this point, list down the directories of SFTP by using the command below:
**sftp> **ls
DocumentTo exit from the SFTP Server, just run the exit command.
**sftp> **exitStep 5 – Uninstall SFTP From Rocky Linux 8
At this point, if you want to remove the SFTP from your server, you can easily delete the SSH with all its files:
sudo dnf remove openssh-server -yThis command will remove SFTP and all of its data.
Conclusion
At this point, you have learned to Configure the SFTP User Account, a Transfer File for SFTP, and log in to the SFTP Server on Rocky Linux 8. Also, you can easily remove SFTP and all its data using a single command.
Hope you enjoy it. You may also like these articles:
How To Change SSH port on Rocky Linux
How To Generate SSH Key Pairs on Rocky Linux 8
Alternative Solutions for Setting Up SFTP on Rocky Linux 8
While the above method is effective, here are two alternative approaches to set up SFTP Server on Rocky Linux 8, offering different levels of customization and security. These alternatives also provide a secure method to set up SFTP Server on Rocky Linux 8.
1. Using systemd Path Units for Automated Chroot Directory Creation
This method leverages systemd’s path units to automatically create the user’s chroot directory if it doesn’t exist. This can be useful for automating user setup and ensuring a consistent environment.
Explanation:
Instead of manually creating the /var/sftp/Document directory and setting permissions, we can configure systemd to monitor for the existence of a user-specific directory (e.g., /var/sftp/%u). If the directory doesn’t exist when the user attempts to connect via SFTP, systemd will automatically create it with the correct ownership and permissions.
Steps:
-
Create a systemd path unit file: Create a file named
/etc/systemd/system/sftp-user-dir@.pathwith the following content:[Unit] Description=Monitor for SFTP user directory creation for %i [Path] PathExists=!/var/sftp/%i [Install] WantedBy=multi-user.targetReplace
/var/sftp/%iwith your desired path structure. The%iwill be replaced with the username. -
Create a systemd service unit file: Create a file named
/etc/systemd/system/sftp-user-dir@.servicewith the following content:[Unit] Description=Create SFTP user directory for %i After=network.target [Service] Type=oneshot User=root ExecStart=/usr/bin/mkdir -p /var/sftp/%i ExecStart=/usr/bin/chown %i:%i /var/sftp/%i ExecStart=/usr/bin/chmod 700 /var/sftp/%iThis service will be triggered when the path unit detects that the user’s directory is missing. It creates the directory, sets ownership to the user, and sets appropriate permissions.
-
Modify
sshd_config: As in the original method, edit/etc/ssh/sshd_configto chroot the user. TheChrootDirectorydirective will point to/var/sftp/%u.Match User orca ChrootDirectory /var/sftp/%u X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp -
Enable and start the path unit:
sudo systemctl enable sftp-user-dir@orca.path sudo systemctl start sftp-user-dir@orca.pathReplace
orcawith the actual username.
Advantages:
- Automated user directory creation simplifies user management.
- Ensures consistent directory structure and permissions.
Disadvantages:
- Requires understanding of systemd units.
- Slightly more complex initial configuration.
2. Using a Dedicated SFTP Server (e.g., ProFTPD or vsftpd) with Chroot
Instead of relying on OpenSSH’s internal SFTP server, you can use a dedicated SFTP server like ProFTPD or vsftpd, which offer more granular control over configuration and security. This offers another viable solution to set up SFTP Server on Rocky Linux 8.
Explanation:
Dedicated SFTP servers often have built-in features for chrooting users, managing permissions, and logging activity. They can also offer more advanced features like virtual users and bandwidth limiting.
Steps (Example using ProFTPD):
-
Install ProFTPD:
sudo dnf install proftpd -y -
Configure ProFTPD for Chroot: Edit the ProFTPD configuration file (usually
/etc/proftpd.conf) and add or modify the following directives:<Global> Umask 022 </Global> <Directory /var/sftp> <Limit ALL> AllowAll </Limit> </Directory> <Anonymous ~ftp> User ftp Group ftp Umask 022 <Limit LOGIN> DenyAll </Limit> <Limit READ WRITE> DenyAll </Limit> </Anonymous> <VirtualHost *:2121> RequireValidHostnames off DefaultRoot /var/sftp <Directory *> <Limit ALL> AllowAll </Limit> </Directory> </VirtualHost>DefaultRoot /var/sftp: This directive ensures that all users are chrooted to the/var/sftpdirectory. You may need to create this directory.
-
Create User Directories: Create a directory for each user inside
/var/sftpand assign ownership:sudo mkdir /var/sftp/orca sudo chown orca:orca /var/sftp/orca sudo chmod 755 /var/sftp/orca -
Set User Passwords: ProFTPD will use the system’s user accounts. Ensure users have passwords set.
sudo passwd orca -
Firewall Configuration: Open port 2121 (or the port you configured in ProFTPD) in the firewall:
sudo firewall-cmd --permanent --add-port=2121/tcp sudo firewall-cmd --reload -
Restart ProFTPD:
sudo systemctl restart proftpd
Advantages:
- More granular control over SFTP server configuration.
- Enhanced security features.
- Potential for more advanced features like virtual users and bandwidth limiting.
Disadvantages:
- More complex setup compared to using OpenSSH’s internal SFTP server.
- Requires learning the configuration syntax of the chosen SFTP server.
These alternative solutions provide different approaches to setting up an SFTP server on Rocky Linux 8, allowing you to choose the method that best suits your needs and technical expertise. Each method provides a secure way to transfer files while ensuring the user is chrooted to a specific directory. These are valid options to set up SFTP Server on Rocky Linux 8.
