Ubuntu - install and configure OpenSSH and sftp

Why

SSH allows the server administrator to remote access the server and manage the server. If you are using a cloud server, SSH service should have already been installed and you may skip this section.

Here's how you install it

• To check the SSH status, run the following command,

  sudo systemctl status ssh
  

• To install SSH, run the following command,

  sudo apt install ssh
  

• To access to the remote server,

  • With Windows OS, install PuTTy - key in your server IP address and press Enter. Key in your Ubuntu login ID & password.

    To download the PuTTy program, visit the following page,

    https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

    • 03.Oct.2022: by installing PuTTy program, you will get the pscp.exe (for transferring file using SCP utility) and psftp.exe (for transferring file using SFTP protocol).

      For example, you want to copy a file from your Windows computer to Linux server,

      cd "C:\Program Files\PuTTY"
      .\pscp.exe -pw 123456 -P 22  "D:\temp\my-file.txt" myftpuserid@192.168.101.11:/home/myftpuserid
      

      Where:

      • -pw the user password.
      • -P is the SSH port.
      • myftpuserid is the user account for uploading the file.

      Make sure that the 'myftpuserid' has the permission to access the shell. To verify the user permission, run the following command,

      sudo cat /etc/passwd | grep myftpuserid
      

      Notes: in case you want to write a program to upload the file (which gives you more control), you may want to research more on the node-ssh or ssh2 packages for Node.js.

  • With Mac OS, run Terminal and execute ssh user@myhostname - then, key in your password.

• To change the SSH port,

  sudo nano /etc/ssh/sshd_config
  

  Then, set the following

  Port 10001
  

  Notes: don't forget to open the port in the firewall (through ufw command).

• To disable/enable the login with password

  sudo nano /etc/ssh/sshd_config
  

  Then, set 'yes' to enable and 'no' to disable.

  PasswordAuthentication yes
  

  • For best security, it is advisable to use key authentication instead of password. Please refers to: Hardening your server on how to setup the necessary.

Access the server with sftp

• The following URL (step 1 to 3) shows you how to restrict an user from using SFTP (SSH will be disabled). In this case, the user may run FileZilla and upload/download files using SFTP protocol.

  http://www.howtoforge.com/restricting-users-to-sftp-plus-setting-up-chrooted-ssh-sftp-debian-squeeze

• To configure the SFTP access (without SSH access),

  cd /etc/ssh
  sudo nano sshd_config
  

  Replaces the Subsystem with the following value,

  Subsystem internal-sftp
  

  Add the following lines to the bottom of the file where myftpuserid is the OS user ID and /home/myftpuserid is the user directory. Repeat the whole section for every user

  Match User myftpuserid
      ChrootDirectory /home/myftpuserid
      AllowTCPForwarding no
      X11Forwarding no
      ForceCommand internal-sftp
  

  Make sure that /home/myftpuserid is owned by root, update the access rights and then create a doc directory which is owned by myftpuserid. Finally, restart the service.

  sudo chmod 700 /home/myftpuserid
  sudo chown root:root /home/myftpuserid
  sudo mkdir /home/myftpuserid/doc
  sudo chown myftpuserid:myftpuserid /home/myftpuserid/doc
  sudo service ssh restart
  

• To restrict the user from access SFTP only (do this after you have added the user),

  sudo nano /etc/passwd
  

  Then, change the shell for the session:

  /bin/sh
  

  To

  /usr/lib/openssh/sftp-server
  

Related posts

• For how to open the port for SSH, please refers to: Configure firewall
• For how to secure your server, please refers to: Hardening your server

Back to #UBUNTU blog

Back to #blog listing