SFTP, or Secure File Transfer Protocol, uses Secure Shell (SSH) encryption to protect files sent and received over the internet or a network. SFTP uses the same port as SSH for file transfers: 22. Since SFTP is packet-based instead of text-based, it’s more secure and faster than most other file transfer protocols and uses fewer CPU resources. SFTP allows secure file transfers between different platforms such as Windows, macOS, and Unix.
Note: We’re using Ubuntu LTS 22.04, codenamed Jammy Jellyfish, an Ubuntu-based distro derived from Debian, for this guide.
Also, note that while we’re using the sftp command and the Linux file manager in this guide, many Linux administrators and users prefer using third-party FTP/SFTP clients such as FileZilla to send and receive files via SFTP, citing the ease of use of these FOSS clients.
Install OpenSSH
On many Linux distros, OpenSSH is installed by default. OpenSSH is the de facto standard open-source implementation of the SSH protocol used by most operating systems, including most Linux distros and Microsoft Windows.
To check if OpenSSH is installed on your Debian- or Ubuntu-based distro, enter the following from the terminal:
# dpkg -l | grep ssh
On RHEL- and CentOS-based distros:
# rpm -qa openssh
On Arch-based distros:
# pacman -Qi openssh
On OpenSUSE-based distros:
# zypper search -i openssh
If no OpenSSH packages (openssh*) are listed, OpenSSH needs to be installed. OpenSSH can be installed with a single command-line entry.
To install OpenSSH on Debian- and Ubuntu-based distros:
# apt install openssh-server openssh-client
On RHEL- and CentOS-based distros:
# yum install openssh
On Arch-based distros:
# pacman -S openssh
On OpenSUSE-based distros:
# zypper install openssh-server
Configure OpenSSH
Now that the OpenSSH server, client, and SFTP server, along with dependent packages, are installed (these dependencies, libcbor0.8, libfido2-1, ssh-import-id, and openssh-sftp-server, are automatically included when specifying openssh-server in the command line), we need to configure OpenSSH. Configuration of OpenSSH on a Linux distro consists of four separate steps:
- Create SFTP Group and User(s)
- Create SFTP Default Directory and Set Permissions
- Configure the SFTP Server Configuration File
- Restart OpenSSH
Note: The steps below need only be run on the distro serving as the SFTP server, not on client machines connecting to the SFTP server.
Create the SFTP Group and User(s)
In this example, the SFTP user id being created is sftp-user. The SFTP group is sftp-group.
- Launch the terminal.
- Create the SFTP group, sftp-group.
# addgroup sftp-group
- Create the SFTP user, sftp-user, and add them to the newly created SFTP group, sftp-group.
# sudo useradd -G sftp-group -d /sftp/sftp-user -s /sbin/nologin sftp-user
Explanation of operators used:
-G sftp-group: add the user to the group sftp-group.
-d /sftp/sftp-user: specify the home directory of the user, sftp-user.
-s /sbin/nologin: set the default shell of the user, sftp-user, to /sbin/nologin. This means sftp-user will not be able to log in via SSH, only via SFTP.
- Set the password for the user, sftp-user, with the passwd command.
# passwd sftp-user
Also, in this example, /sftp is the default root directory for SFTP users, and /sftp/<username> the home directory for each SFTP user (in this instance, sftp-user). When SFTP users log in via SFTP, their default directory will be /sftp/<username>.
Create the SFTP Default Directory and Set Permissions
- Create the /sftp/sftp-user/uploads directory.
# mkdir -p /sftp/sftp-user/uploads
Note that the -p option creates the parent directories if they don’t already exist. So the /sftp and /sftp/sftp-user directories are created along with /sftp/sftp-user/uploads.
- Set the owner of the /sftp/sftp-user directory as root and give access to members of the group, sftp-group. Since /sftp is a root directory, root is the owner by default.
# chown -R root:sftp-group /sftp/sftp-user
- Set the owner of the /sftp/sftp-user/uploads directory as sftp-user and give access to members of the group, sftp-group.
# chown -R sftp-user:sftp-group /sftp/sftp-user/uploads
- Give read and execute permissions to members of the group, sftp-group.
# chmod g+rx /sftp/sftp-user
- Next, let’s verify that the /sftp subdirectory structure was created correctly and that ownership/permissions were correctly set.
# ls -Ral /sftp
With the permissions set above, SFTP users (sftp-user) can read and copy from their SFTP home directory, /sftp/sftp-user, but cannot copy or write files to the directory. The only directory that the SFTP user can write files to is the uploads directory, /sftp/sftp-user/uploads.
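The ownership set above matters beyond access control: sshd only accepts a ChrootDirectory whose every path component is a root-owned directory that is not writable by group or others. The script below is an added example, not part of the original guide; its function names and the optional UID and TOP arguments are its own, and it assumes GNU stat.

```sh
#!/bin/sh
# Added example, not from the original article. Audits a chroot path against
# the rule sshd enforces at session start: each component must be a directory
# owned by root and not writable by group or others. Uses GNU stat (Linux).

# dir_ok DIR [UID]: check one directory. UID defaults to 0 (root).
dir_ok() {
    dir=$1 want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    set -- $(stat -L -c '%u %a' "$dir")   # $1 = owner uid, $2 = octal mode
    if [ "$1" != "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $1, expected $want_uid"; return 1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $2 is writable by group or others"; return 1
    fi
    echo "ok   $dir (uid $1, mode $2)"
}

# check_chroot_path PATH [UID] [TOP]: check PATH and each parent up to TOP.
# TOP defaults to /, which is what sshd itself checks; the UID and TOP
# arguments are conveniences of this example for testing in a scratch tree.
check_chroot_path() {
    path=$1 uid=${2:-0} top=${3:-/} rc=0
    while :; do
        dir_ok "$path" "$uid" || rc=1
        case $path in "$top"|/|.) break ;; esac
        path=$(dirname "$path")
    done
    return $rc
}

# Usage on the server from this guide:  sh check-chroot.sh /sftp/sftp-user
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

A FAIL line for /sftp or /sftp/sftp-user means the SFTP login will be rejected until the ownership or mode is corrected; the uploads directory is inside the chroot and is not part of this check.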
Configure the SFTP Server Configuration File
Next, we need to configure the SFTP server configuration file, /etc/ssh/sshd_config.
- To edit /etc/ssh/sshd_config, we must open it with a command-line text editor. In this case, that editor is Vim.
# vi /etc/ssh/sshd_config
- Add the following entries at the end of the file (under the Subsystem sftp /usr/lib/openssh/sftp-server line).
Match group sftp-group
    ChrootDirectory /sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
    ForceCommand internal-sftp
- Save the /etc/ssh/sshd_config file.
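To confirm that these directives are what sshd will actually apply to the account, the added example below (not part of the original guide) checks the effective settings that sshd -T prints. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. Input is "sshd -T" output:
# one lowercase keyword followed by its value per line.

# check_sftp_lockdown: read effective settings on stdin, print every
# deviation from the Match block in this guide, return non-zero if any.
check_sftp_lockdown() {
    awk '
        BEGIN {
            want["forcecommand"]       = "internal-sftp"
            want["allowtcpforwarding"] = "no"
            want["x11forwarding"]      = "no"
            want["permittty"]          = "no"
        }
        { key = $1; $1 = ""; sub(/^ +/, ""); seen[key] = $0 }
        END {
            bad = 0
            for (k in want)
                if (seen[k] != want[k]) {
                    printf "FAIL %s is \"%s\", expected \"%s\"\n", k, seen[k], want[k]
                    bad = 1
                }
            if (seen["chrootdirectory"] == "" || seen["chrootdirectory"] == "none") {
                print "FAIL chrootdirectory is not set"
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample of the relevant lines. On a real server, as root:
#   sshd -T -C user=sftp-user,host=localhost,addr=127.0.0.1 | check_sftp_lockdown
sample_effective_config() {
    cat <<'EOF'
chrootdirectory /sftp/%u
forcecommand internal-sftp
allowtcpforwarding no
x11forwarding no
permittty no
EOF
}

sample_effective_config | check_sftp_lockdown && echo "sftp lockdown OK"
```

Running sshd -t before restarting the service also catches syntax errors in the edited file.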
Restart OpenSSH
Now that the necessary entries are in /etc/ssh/sshd_config, restart the OpenSSH server (sshd daemon) for the changes to take effect.
# systemctl restart sshd
Note that even if the OpenSSH server is not running, the restart option will still start it.
Now, check that the OpenSSH server is running.
# systemctl status sshd
Real-Life Scenario – Send and Receive Files via SFTP using the GUI
In this scenario, the file, blue.txt, will be downloaded from the SFTP server to the client machine via drag-n-drop. Transferring files using SFTP via the GUI is much the same as copying files locally.
- Launch the distro’s file manager (in this case, Nautilus).
- Navigate to Other Locations.
- Enter the SFTP server’s hostname or IP address in the Connect to Server box at the bottom of the file manager. In this instance, sftp://192.168.1.80. Note the sftp:// prefix. This is mandatory.
- Click Connect.
- When the authentication window appears, enter the user id, sftp-user, and password in the appropriate boxes. Click Connect.
- When the SFTP server directory opens, the desired file, blue.txt, is in the directory.
- Launch another file manager window and navigate to where the file, blue.txt, is to be copied (Home / techobservatory downloads).
- Select the file, blue.txt, in the SFTP server directory and drag-n-drop it into the desired directory.
- The file, blue.txt, was successfully downloaded to the desired directory, Home / techobservatory downloads, on the client machine.
Real-Life Scenario – Send and Receive Files via SFTP using the Command Line
In this scenario, the file, pink.txt, will be sent from the client machine to the SFTP server via the command line.
- Launch the terminal.
- Enter sftp <sftp user>@<server>. In this case, sftp-user@192.168.1.80. Note that the hostname can be used as well as the IP address.
# sftp sftp-user@192.168.1.80
- At the SFTP prompt, change to the uploads directory.
sftp> cd uploads
- Send the file, pink.txt, to the SFTP server.
sftp> put pink.txt
The file’s transfer progress is displayed on the screen.
- Verify that the file, pink.txt, is in the directory.
sftp> dir
- Exit SFTP.
sftp> exit
- Close the terminal.
In this scenario, the file, brown.txt, will be copied from the SFTP server to the client machine via the command line.
- Launch the terminal.
- Enter sftp <sftp user>@<server>. In this case, sftp-user@192.168.1.80. Note that the hostname can be used as well as the IP address.
# sftp sftp-user@192.168.1.80
- At the SFTP prompt, make sure the file to be copied, brown.txt, from the SFTP server to the client machine is present on the SFTP server.
sftp> dir
- Copy the file, brown.txt, to the client machine.
sftp> get brown.txt
- After the file, brown.txt, is successfully retrieved, the SFTP prompt will reappear.
- Exit SFTP.
sftp> exit
- Close the terminal.
Commands Used in This Article
Linux Commands Used
- ls – list directory contents.
- apt – Debian- and Ubuntu-based command-line interface for the package management system.
- rpm – (Remote Package Manager) package manager to install applications and packages on RHEL- and CentOS-based distros.
- pacman – package manager to install applications on Arch-based systems.
- useradd – add a user.
- addgroup – add a group.
- passwd – set or change a user’s password.
- dpkg – package manager for Debian- and Ubuntu-based distros.
- mkdir – make a directory.
- chown – change ownership of a file or directory.
- chmod – change file mode bits.
- sftp – launch the OpenSSH SFTP client.
- systemctl – control the systemd system and service manager.
- vi – launch the Vim text editor.
SFTP Commands Used
- dir – list directory contents.
- cd – change directory.
- exit – exit SFTP. bye and quit can also be used.
- put – copy a file to the SFTP server.
- get – retrieve a file from the SFTP server.