How to Modify Debian SFTP Settings
SFTP (SSH File Transfer Protocol) is a secure way to transfer files between a client and a server. On Debian, SFTP is managed via the OpenSSH server, so modifying its settings involves editing the SSH configuration file and adjusting user permissions. Below are the key steps to modify SFTP settings on Debian:
Before configuring SFTP, ensure the OpenSSH server is installed. Run the following commands to update your package list and install the server:
    sudo apt update
    sudo apt install openssh-server

Before making changes, back up the original sshd_config file to avoid losing default settings:
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Open the sshd_config file in a text editor (e.g., nano) to modify SFTP settings:
    sudo nano /etc/ssh/sshd_config

By default, Debian uses the internal SFTP server. To enable it, locate the Subsystem sftp line and ensure it is uncommented (no # at the start). You can use either the internal server or an external binary (e.g., /usr/lib/openssh/sftp-server). For most cases, the internal server is sufficient:
    # Use the internal SFTP server (recommended)
    Subsystem sftp internal-sftp
    # Alternatively, use an external binary (uncomment if needed)
    # Subsystem sftp /usr/lib/openssh/sftp-server

To limit specific users or groups to SFTP-only access (preventing shell login), add a Match block at the end of the file. For example, to restrict the sftpusers group:
    Match Group sftpusers
        # Lock users to their home directory
        ChrootDirectory %h
        # Force SFTP usage (no shell access)
        ForceCommand internal-sftp
        # Disable TCP forwarding
        AllowTcpForwarding no
        # Disable X11 forwarding
        X11Forwarding no

This ensures users in the sftpusers group can only use SFTP and cannot access the server’s shell.
To manage SFTP users efficiently, create a dedicated group (e.g., sftpusers) and add users to it:
    # Create the sftpusers group
    sudo groupadd sftpusers
    # Add a user to the group (replace 'username' with the actual username)
    sudo usermod -aG sftpusers username
    # Set a password for the user (if not already set)
    sudo passwd username

For chroot to work correctly, the user’s home directory must be owned by root with 755 permissions. Additionally, create a subdirectory (e.g., upload) where the user can upload files (owned by the user):
    # Set home directory ownership and permissions
    sudo chown root:root /home/username
    sudo chmod 755 /home/username
    # Create an upload directory and set ownership to the user
    sudo mkdir /home/username/upload
    sudo chown username:sftpusers /home/username/upload

After saving changes to sshd_config, restart the SSH service to apply the new settings:
    sudo systemctl restart sshd

Test the configuration by connecting to the server using an SFTP client (e.g., the command-line sftp tool):
    sftp username@your_server_ip

If configured correctly, you should see the SFTP prompt and be restricted to the user’s home directory (or the upload subdirectory).
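sshd applies the chroot ownership rule to the ChrootDirectory itself and to every directory above it: each must be owned by root and not writable by group or others. The script below is an added example, not part of the original article, that audits a path against that rule; the function names and the script name check_chroot.sh are assumptions, and it relies on GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example (not from the original article): audit a ChrootDirectory path.

# check_chroot_dir DIR [UID]: succeed only if DIR is a directory owned by UID
# (default 0 = root) and not writable by group or others.
check_chroot_dir() {
    ccd_dir=$1
    ccd_uid=${2:-0}
    if [ ! -d "$ccd_dir" ]; then
        echo "FAIL $ccd_dir: not a directory"
        return 1
    fi
    ccd_owner=$(stat -c %u "$ccd_dir") || return 1
    ccd_mode=$(stat -c %a "$ccd_dir") || return 1
    if [ "$ccd_owner" != "$ccd_uid" ]; then
        echo "FAIL $ccd_dir: owner uid $ccd_owner, expected $ccd_uid"
        return 1
    fi
    # 022 masks the group-write and other-write bits (mode is octal).
    if [ $(( 0$ccd_mode & 022 )) -ne 0 ]; then
        echo "FAIL $ccd_dir: mode $ccd_mode is group- or world-writable"
        return 1
    fi
    echo "OK   $ccd_dir (uid $ccd_owner, mode $ccd_mode)"
}

# check_chroot_path DIR [UID]: apply check_chroot_dir to DIR and every parent
# up to /, reporting all failures rather than stopping at the first one.
check_chroot_path() {
    ccp_rc=0
    ccp_path=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: cannot enter directory"
        return 1
    }
    while :; do
        check_chroot_dir "$ccp_path" "${2:-0}" || ccp_rc=1
        if [ "$ccp_path" = "/" ]; then break; fi
        ccp_path=$(dirname "$ccp_path")
    done
    return "$ccp_rc"
}

# Usage: sh check_chroot.sh /home/username   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

A FAIL line for /home/username or any parent explains a login that authenticates and then disconnects immediately. The upload subdirectory is deliberately user-owned and is not part of the checked path.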
/var/log/auth.log) for unauthorized access attempts.
By following these steps, you can modify Debian’s SFTP settings to meet your security and functionality requirements.