How to Modify Debian SFTP Settings
SFTP (SSH File Transfer Protocol) is a secure way to transfer files between a client and a server. On Debian, SFTP is managed via the OpenSSH server, so modifying its settings involves editing the SSH configuration file and adjusting user permissions. Below are the key steps to modify SFTP settings on Debian:
Before configuring SFTP, ensure the OpenSSH server is installed. Run the following commands to update your package list and install the server:
sudo apt update
sudo apt install openssh-server
Before making changes, back up the original sshd_config file to avoid losing default settings:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Open the sshd_config file in a text editor (e.g., nano) to modify SFTP settings:
sudo nano /etc/ssh/sshd_config
By default, Debian uses the internal SFTP server. To enable it, locate the Subsystem sftp line and ensure it is uncommented (no # at the start). You can use either the internal server or an external binary (e.g., /usr/lib/openssh/sftp-server). For most cases, the internal server is sufficient:
# Use the internal SFTP server (recommended)
Subsystem sftp internal-sftp
# Alternatively, use an external binary (uncomment if needed)
# Subsystem sftp /usr/lib/openssh/sftp-server
To limit specific users or groups to SFTP-only access (preventing shell login), add a Match block at the end of the file. For example, to restrict the sftpusers group:
Match Group sftpusers
    # Lock users to their home directory
    ChrootDirectory %h
    # Force SFTP usage (no shell access)
    ForceCommand internal-sftp
    # Disable TCP forwarding
    AllowTcpForwarding no
    # Disable X11 forwarding
    X11Forwarding no
This ensures users in the sftpusers group can only use SFTP and cannot access the server’s shell.
To manage SFTP users efficiently, create a dedicated group (e.g., sftpusers) and add users to it:
# Create the sftpusers group
sudo groupadd sftpusers
# Add a user to the group (replace 'username' with the actual username)
sudo usermod -aG sftpusers username
# Set a password for the user (if not already set)
sudo passwd username
For chroot to work correctly, the user’s home directory must be owned by root with 755 permissions. Additionally, create a subdirectory (e.g., upload) where the user can upload files (owned by the user):
# Set home directory ownership and permissions
sudo chown root:root /home/username
sudo chmod 755 /home/username
# Create an upload directory and set ownership to the user
sudo mkdir /home/username/upload
sudo chown username:sftpusers /home/username/upload
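sshd applies the ownership rule above to every directory on the path from / down to the ChrootDirectory, not only to the home directory itself. The script below is an added example (not part of the original guide) that checks each component; it assumes GNU stat as shipped on Debian, and REQUIRED_UID is a hypothetical override used only to exercise the check without root.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path the way sshd does at session start.
# Assumption: GNU stat (Debian coreutils). REQUIRED_UID is a hypothetical knob
# for exercising the check without root; sshd itself always requires uid 0.
REQUIRED_UID="${REQUIRED_UID:-0}"

# check_component PATH -> 0 if PATH is a directory owned by REQUIRED_UID and
# not writable by group or others; 1 otherwise (reason printed on stderr).
check_component() {
    if [ ! -d "$1" ]; then
        echo "FAIL $1: not a directory" >&2; return 1
    fi
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    if [ "$owner" != "$REQUIRED_UID" ]; then
        echo "FAIL $1: owner uid $owner, expected $REQUIRED_UID" >&2; return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes the mode octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $1: mode $mode is group- or world-writable" >&2; return 1
    fi
    return 0
}

# check_chroot_path PATH -> checks PATH and every parent directory up to /.
check_chroot_path() {
    # Resolve to an absolute, symlink-free path before walking upwards.
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL $1: cannot resolve" >&2; return 1; }
    rc=0
    while :; do
        check_component "$p" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: sudo sh check_chroot.sh /home/username
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 is usable as ChrootDirectory"
fi
```

Run it as root against the path that %h expands to (for example /home/username) before restarting sshd; a failing component causes sshd to refuse the chrooted session.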
After saving changes to sshd_config, restart the SSH service to apply the new settings:
sudo systemctl restart sshd
Test the configuration by connecting to the server using an SFTP client (e.g., the command-line sftp tool):
sftp username@your_server_ip
If configured correctly, you should see the SFTP prompt and be restricted to the user’s home directory (or the upload subdirectory).
/var/log/auth.log) for unauthorized access attempts.
By following these steps, you can modify Debian’s SFTP settings to meet your security and functionality requirements.