A missing blog post image


Using SFTP from SSH daemon is, in my opinion, not really well-documented and thrown errors are not always very explicit.
Add some security in the mix and nothing works as expected.

This is a short guide (acting a bit as a memo I admit) for SSH + SFTP + Chroot + Public key authentication :wink:

The procedure

On the “SFTP” server

Firstly we will create a new unprivileged user, without any password :

adduser archiver \

	-s /bin/bash \

	--home /home/archiver \


Now that is done, we may start our reception folder creation (still as root) :

mkdir -p /home/archiver/chroot/folder

As clients will put their files into folder/, the user they will be using must have permissions on it :

chown archiver:archiver /home/archiver/chroot/folder

:warning: This is important, each one of the path elements guiding to the chroot destination folder MUST HAVE 0755 UNIX permissions :warning:

You can enforce this statement with the following (commented lines should be already OK, but who knows ?) :

#chmod 0755 /

#chmod 0755 /home

#chmod 0755 /home/archiver

chmod 0755 /home/archiver/chroot

If you don’t, ssh won’t be able to chroot anywhere and your operations will crash with misguiding error in SSH logs.

Now we may tweak SSH configuration (/etc/ssh/sshd_config) :

# ...

Match User archiver
	X11Forwarding no
	AllowTCPForwarding no
	ChrootDirectory /home/archiver/chroot/
	ForceCommand internal-sftp -P read,remove -d /home/archiver/chroot/folder

The -P parameter allows us to restrain the operations that clients will be able to perform (black-list).
With read,remove set, clients won’t be able to fetch nor remove any files already present (useful for a write-only backup folder).
Run /usr/lib/openssh/sftp-server -Q requests to check which protocol requests you may provide.
I’ve tried to use the -p that is on the contrary a protocol requests white-list, but couldn’t figure out why it didn’t work with the thrown errors…

Please note that those protocol requests HAVE NOTHING TO DO with the (S)FTP commands that could be sent (put, get, cd, etc.).

The -d parameter will set clients directly into folder/.
Very useful for interactive FTP operations, ‘cause you won’t have to cd into the directory.

Finally, we restart the sshd daemon :

systemctl restart ssh.service

On the “SFTP” clients

We will begin here by generating a new ED25519 keys pair :

ssh-keygen -t ed25519
cat .ssh/id_ed25519.pub
# Copy here the displayed public key

Before continuing, you’ll have to paste the public key within /home/archiver/.ssh/authorized_keys file on your SFTP server.

Now, you should be allowed to perform your first SFTP operation (:tada:) :

sftp -q archiver@YOUR.SFTP.SERVER.IP:/folder/ <<< $'put your_file_to_be_transfered.tar.gz'

The command issued in the snippet above IS AN EXAMPLE. Feel free to adapt it your way.