Configuring an SFTP server on Red Hat Linux 8 to accept connections via a username and password involves a series of well-defined steps. The process begins with ensuring that the OpenSSH server is installed and the SSH daemon (sshd) is enabled, followed by creating and configuring SFTP users. Afterwards, the SSH configuration is updated to restrict the SFTP users to their designated directory, leveraging directives such as ChrootDirectory and ForceCommand to enforce access control.
SFTP is a subsystem of SSH, so the OpenSSH server package is required. Begin by checking whether openssh-server is installed; if not, install it with the package manager:
```bash
# Install OpenSSH server if not already installed
sudo yum install openssh-server
# Ensure the SSH daemon is started and enabled to run on boot
sudo systemctl start sshd
sudo systemctl enable sshd
```
These commands install and start the SSH server, ensuring that the SFTP functionality (which is part of SSH) is available.
To maintain security and to better control SFTP access, it is good practice to create a dedicated user account just for SFTP purposes. You can create the user with:
```bash
# Create a dedicated SFTP user (a home directory is created by default)
sudo adduser sftpuser
# Set the password for the newly created user
sudo passwd sftpuser
```
Replace sftpuser with your intended username. The password provided will be used for authentication during SFTP sessions.
For better control over SFTP users, creating a dedicated group, such as sftp_users, is recommended. Add users to this group so that specific restrictions can be applied at the group level.
```bash
# Create a group for SFTP access
sudo groupadd sftp_users
# Add the SFTP user to the group
sudo usermod -aG sftp_users sftpuser
```
It is crucial to specify a secure directory for the user that will serve as the chroot jail. This restricts the user to a limited section of the file system, preventing them from navigating to other system parts. Create the primary directory and ensure proper ownership and permissions:
```bash
# Create the chroot directory and a writable upload subdirectory
sudo mkdir -p /data/sftpuser/upload
# The chroot directory itself must be owned by root
sudo chown -R root:sftp_users /data/sftpuser
# Hand the upload subdirectory to the SFTP user so files can be written there
sudo chown -R sftpuser:sftp_users /data/sftpuser/upload
# The chroot directory must not be writable by group or others
sudo chmod 755 /data/sftpuser
```
The /data/sftpuser directory must be owned by root and must not be writable by the SFTP user (or by any non-root group or user). Only the designated upload subdirectory is writable by the user.
Modify the SSH service configuration to restrict SFTP users only to SFTP functionality and prevent them from gaining shell access. Open the SSH configuration file:
```bash
# Edit the SSH daemon configuration file as root
sudo nano /etc/ssh/sshd_config
```
Within the file, the key directive is ChrootDirectory /data/%u, where %u is replaced at login with the authenticating user's name, so each member of the group lands in their own directory under /data.
At the end of sshd_config, add the following block (a Match block applies to every line that follows it, so it must come after the global settings):
```text
Match Group sftp_users
    ChrootDirectory /data/%u
    ForceCommand internal-sftp
    PasswordAuthentication yes
    AllowTcpForwarding no
```
Make sure that the directory specified in ChrootDirectory, and every directory above it in the path, complies with the permission requirements (owned by root and not writable by group or others). Any deviation causes sshd to reject the login and record "bad ownership or modes for chroot directory" in the SSH log.
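As an added check that is not part of the original guide, the following POSIX shell script walks every component of a ChrootDirectory path from / downwards and reports the first one that breaks sshd's ownership-and-mode rule. It assumes GNU stat, as shipped with RHEL 8, and that the path is a directory that already exists.

```shell
#!/bin/sh
# Added check (not from the original guide): verify that every component of a
# ChrootDirectory path is owned by root and not writable by group or others.
# Assumes GNU stat (%u = owner uid, %a = octal mode).

# Pure policy check on one component: $1 = owner uid, $2 = octal mode string.
# Returns 0 if the component is acceptable as part of a chroot path.
chroot_component_ok() {
  uid=$1
  mode=$2
  [ "$uid" = 0 ] || return 1
  perms=${mode#"${mode%???}"}   # last three octal digits: user, group, other
  g=${perms%?}; g=${g#?}         # group digit
  o=${perms#??}                  # other digit
  # Write permission is bit 2 of each digit; neither group nor other may have it.
  [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# Walk from / down to the chroot directory, checking each component in turn.
# Prints the first offending component and returns 1; returns 0 if all pass.
check_chroot_path() {
  target=$1
  old_ifs=$IFS; IFS=/; set -- $target; IFS=$old_ifs
  cur=/
  while :; do
    if [ ! -d "$cur" ]; then
      printf 'chroot component does not exist: %s\n' "$cur"
      return 1
    fi
    if ! chroot_component_ok "$(stat -c %u "$cur")" "$(stat -c %a "$cur")"; then
      printf 'bad ownership or modes for chroot component: %s (uid %s, mode %s)\n' \
        "$cur" "$(stat -c %u "$cur")" "$(stat -c %a "$cur")"
      return 1
    fi
    # Skip empty fields produced by leading, trailing or doubled slashes.
    while [ $# -gt 0 ] && [ -z "$1" ]; do shift; done
    [ $# -eq 0 ] && return 0
    cur="${cur%/}/$1"
    shift
  done
}

# Usage: sh check_chroot.sh /data/sftpuser
if [ $# -gt 0 ]; then
  check_chroot_path "$1" && printf 'OK: %s is usable as ChrootDirectory\n' "$1"
fi
```

Run it after creating the directory structure and before restarting sshd; `sudo sshd -t` performs the equivalent syntax check on sshd_config itself.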
| Parameter | Description |
|---|---|
| PasswordAuthentication yes | Enables authentication using a username and password. |
| ChrootDirectory /data/%u | Restricts the user's session to the directory /data/username. The %u is dynamically replaced with the actual username. |
| ForceCommand internal-sftp | Ensures that upon login, the SFTP subsystem is launched, thereby preventing shell access. |
| AllowTcpForwarding no | Disables TCP forwarding so the SFTP-only account cannot be used to tunnel other traffic through the server. |
After updating the configuration file, the changes take effect only once the SSH service is restarted. Use the following command:
```bash
# Restart the SSH service to apply changes
sudo systemctl restart sshd
```
It is advisable to monitor the SSH service status to ensure that it restarts without errors:
```bash
# Check SSH service status
sudo systemctl status sshd
```
If your system uses firewalld, make sure to allow incoming connections to the SSH port (default port 22). You can do this by executing the following commands:
```bash
# Allow the SSH service through the firewall
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
```
This ensures that remote users are able to connect to the SFTP service without being blocked by the system firewall.
To confirm that your SFTP configuration is correct, you should test the connection using an SFTP client. This can be done via command-line or using a graphical client like FileZilla. For a command-line test, execute the following command from another machine:
```bash
# Connect using SFTP
sftp sftpuser@your_server_ip
```
Replace your_server_ip with the actual IP address or hostname of your server. You will be prompted for the password set earlier for the SFTP user. In case of connection problems, check the SSH log (/var/log/secure on Red Hat systems; /var/log/auth.log on Debian-based systems) for the reason sshd gave.
Although this guide focuses on username and password authentication, password authentication exposes the server to password-guessing attacks if it is not managed carefully. To reduce this risk, consider public key authentication instead.
Public key authentication involves generating a key pair and deploying the public key on the server for authentication. This method generally offers higher security, as it is resistant to brute-force password attacks.
Keeping the SSH and system software up-to-date is also fundamental in securing your server. Regularly update your software packages to patch vulnerabilities and improve the overall security posture of your SFTP server.
| Purpose | Command(s) |
|---|---|
| Install SSH Server | sudo yum install openssh-server<br>sudo systemctl start sshd<br>sudo systemctl enable sshd |
| Create SFTP User | sudo adduser sftpuser<br>sudo passwd sftpuser |
| Create SFTP Group & Add User | sudo groupadd sftp_users<br>sudo usermod -aG sftp_users sftpuser |
| Setup Directory Structure | sudo mkdir -p /data/sftpuser/upload<br>sudo chown -R root:sftp_users /data/sftpuser<br>sudo chown -R sftpuser:sftp_users /data/sftpuser/upload<br>sudo chmod 755 /data/sftpuser |
| Edit SSHD Config | Add at the end of /etc/ssh/sshd_config:<br>Match Group sftp_users<br>ChrootDirectory /data/%u<br>ForceCommand internal-sftp<br>PasswordAuthentication yes<br>AllowTcpForwarding no |
| Restart SSH Service | sudo systemctl restart sshd |
| Configure Firewall | sudo firewall-cmd --permanent --add-service=ssh<br>sudo firewall-cmd --reload |
| Test SFTP | sftp sftpuser@your_server_ip |