Introduction to SFTP
SFTP stands for SSH File Transfer Protocol. As its name suggests, it’s a secure way to transfer files between machines using an encrypted SSH connection. Despite the name, it’s a completely different protocol than FTP (File Transfer Protocol), though it’s widely supported by modern FTP clients.
In this article I'll show you how to set up vsftpd on an Amazon AWS EC2 instance running Ubuntu 18.04. The same steps also apply to Ubuntu 20.04.
Installing required packages
Step 1: Install openssh-server, ssh and vsftpd
sudo apt install openssh-server
sudo apt install ssh
sudo apt install vsftpd
Step 2: Add new user
Here we will create a new user with the username “sftpuser”; you can use any name of your choice. Don’t forget to replace “sftpuser” with your chosen user name wherever it appears below.
sudo adduser sftpuser
It will prompt for a password; if it does not, run the command below to set one.
sudo passwd sftpuser
Step 3: Create the .ssh directory for the new user.
sudo mkdir /home/sftpuser/.ssh
# Copy the authorized keys from /home/ubuntu/.ssh/authorized_keys to /home/sftpuser/.ssh/authorized_keys
sudo cp /home/ubuntu/.ssh/authorized_keys /home/sftpuser/.ssh/authorized_keys
Step 4: Execute the commands below to set the correct permissions for the sftp user
sudo chmod 700 /home/sftpuser/.ssh/
sudo chmod 600 /home/sftpuser/.ssh/authorized_keys
sudo chown -R sftpuser:sftpuser /home/sftpuser/.ssh/
Step 5: Enable vsftpd on system start and make some changes to the vsftpd config.
sudo systemctl enable vsftpd
sudo nano /etc/vsftpd.conf
# Add the lines below and save the file.
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=40100
Now restart the vsftpd service
sudo systemctl restart vsftpd
#or
sudo service vsftpd restart
Step 7: Create a dedicated group for ftp only
Here we will create a new group with the group name “sftpgroup”; you can use any name of your choice. Don’t forget to replace “sftpgroup” with your chosen group name wherever it appears below.
sudo groupadd sftpgroup
Add your newly created user to this group:
sudo adduser sftpuser sftpgroup
Step 8: sshd_config Settings
In this step, we’ll modify the SSH server configuration to disallow terminal access for sftpuser while still allowing file transfers.
Open the SSH server configuration file with the command below.
sudo nano /etc/ssh/sshd_config
Scroll to the very bottom of the file and append the following configuration snippet.
Match Group sftpgroup
    PasswordAuthentication yes
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
- Match Group tells the SSH server to apply the directives that follow only to members of the specified group.
- ForceCommand internal-sftp forces the SSH server to run the built-in SFTP server on login, so no shell is ever started.
- PasswordAuthentication yes allows password authentication for these users.
- ChrootDirectory /home/%u ensures that the user cannot access anything outside their own home directory (/home/sftpuser here).
- AllowTcpForwarding no disables TCP tunnelling.
- X11Forwarding no disables X11 forwarding for these users.
Instead of matching the whole group with Match Group sftpgroup, you can also target a single account with Match User.
Apply the necessary permissions and restart the ssh service for the changes to take effect. sshd requires the ChrootDirectory and every directory above it to be owned by root and not writable by group or others, which is why the home directory itself is handed to root here while the .ssh directory stays with the user.
sudo chown root:root /home/sftpuser
sudo chown -R sftpuser:sftpuser /home/sftpuser/.ssh
sudo service ssh restart
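The ownership rules behind Step 4 and Step 8 are easy to get slightly wrong, and a chroot root that is owned by root is by design not writable by the SFTP user. The script below is an added example (not part of the original article) that checks a ChrootDirectory path the way sshd does and creates a user-owned upload subdirectory; it assumes GNU stat (Linux) and uses /home/sftpuser and a hypothetical "uploads" subdirectory as sample values.

```shell
#!/bin/sh
# Check a ChrootDirectory path against sshd's rules and prepare an upload dir.
# Assumes GNU coreutils (stat -c); user/paths below are sample values.

# Pure check on (numeric uid, octal mode string) so it can be tested without root.
# sshd accepts a chroot component only if it is root-owned and has no
# group-write or other-write bit set. Returns 0 when acceptable, 1 otherwise.
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 (octal) masks the group-write and other-write bits.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk every component of an absolute path (e.g. /home/sftpuser), starting at /,
# and report each component that would make sshd refuse the chroot.
# Returns 0 if all components pass, 1 if any fails, 2 if a path cannot be read.
check_chroot_path() {
    target=$1
    rc=0
    cur=""
    for part in / $(printf '%s' "$target" | tr '/' ' '); do
        if [ "$part" = "/" ]; then cur="/"; else cur="${cur%/}/$part"; fi
        uid=$(stat -c %u "$cur") || return 2
        mode=$(stat -c %a "$cur") || return 2
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "BAD  $cur (uid=$uid mode=$mode): must be root-owned, not group/other writable" >&2
            rc=1
        fi
    done
    return $rc
}

# The chroot root is root-owned, so the SFTP user cannot write directly into
# /home/<user>; give them an owned subdirectory to upload into instead.
# Needs root to run; "uploads" is a sample name.
make_upload_dir() {
    user=$1
    root=$2
    install -d -o "$user" -g "$user" -m 0755 "$root/uploads"
}

# Example run (requires root for make_upload_dir):
#   check_chroot_path /home/sftpuser && make_upload_dir sftpuser /home/sftpuser
```

A failing component is printed with its owner and mode, so a "permission denied" or "bad ownership or modes for chroot directory" problem can be traced to the exact directory that violates the rule.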
Now you can connect over sftp as sftpuser, using the public IP of your server as the host name. You can use the command line, or on Windows any sftp client such as WinSCP.
sftp sftpuser@ip-address
I am unable to transfer files; I am facing a permission denied error while transferring a file from the remote site to my local machine.
Hi Elan,
Can you share the detailed error you are getting? This could be related to a permission issue on the directory on the remote server.