scm-setup/sftp-server.md

# sftp configurstion

* [Reference](https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/)

## Steps

1. Create a New Group
    ```sh
    $ groupadd sftpusers
    ```

2. Create Users
   ```sh
   # create guestuser
   $ useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser

   # change guestuser password
   $ passwd guestuser

   # verify creation
   $ grep guestuser /etc/passwd

   # modify an existing user. eg john
   $ usermod -g sftpusers -d /incoming -s /sbin/nologin john
   ```

3. Setup `sshd_config`
```sh
$ nano /etc/ssh/sshd_config
```

* Comment out `Subsystem sftp /usr/libexec/openssh/sftp-server`. Add the following

```txt
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftpusers
  ChrootDirectory /sftp/%u
  ForceCommand internal-sftp

```

4. Create sftp home dirctory
```sh
$ mkdir /sftp
$ mkdir /sftp/guestuser
$ mkdir /sftp/guestuser/incoming

# set folder ownership
$ chown guestuser:sftpusers /sftp/guestuser/incoming

# set folder group
$ chgrp -R sftpusers /sftp/general
# Give write permission to the group
$ chmod -R g+w /sftp/general

#setup common folder for a group
$ groupadd sftp
$ mkdir /home/sftp
$ chown nobody:sftp /home/sftp/common
$ chmod 770 /home/sftp/common
$ useradd -d /home/sftp/common -g sftp sam
$ useradd -d /home/sftp/common -g sftp tom

$ chmod g+s /home/sftp/common

# verify ownership
$ ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming

$ ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser

$ ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp

```

5. Restart sshd
```sh
$ service sshd restart
```

6 Test setup
```sh
# user should only able to access the incoming folder as root level
$ sftp guestuser@192.168.0.222
```
add sftp server setup 2 years ago			`# sftp configurstion`

			`* [Reference](https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/)`

			`## Steps`

			`1. Create a New Group`
			```sh
			`$ groupadd sftpusers`
			```

			`2. Create Users`
			```sh
			`# create guestuser`
			`$ useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser`

			`# change guestuser password`
			`$ passwd guestuser`

			`# verify creation`
			`$ grep guestuser /etc/passwd`

			`# modify an existing user. eg john`
			`$ usermod -g sftpusers -d /incoming -s /sbin/nologin john`
			```

			3. Setup `sshd_config`
			```sh
			`$ nano /etc/ssh/sshd_config`
			```

			* Comment out `Subsystem sftp /usr/libexec/openssh/sftp-server`. Add the following

			```txt
			`#Subsystem sftp /usr/libexec/openssh/sftp-server`
			`Subsystem sftp internal-sftp`

			`Match Group sftpusers`
			`ChrootDirectory /sftp/%u`
			`ForceCommand internal-sftp`

			```

			`4. Create sftp home dirctory`
			```sh
			`$ mkdir /sftp`
			`$ mkdir /sftp/guestuser`
			`$ mkdir /sftp/guestuser/incoming`

			`# set folder ownership`
			`$ chown guestuser:sftpusers /sftp/guestuser/incoming`

update sftp setup 2 years ago			`# set folder group`
			`$ chgrp -R sftpusers /sftp/general`
			`# Give write permission to the group`
			`$ chmod -R g+w /sftp/general`

			`#setup common folder for a group`
			`$ groupadd sftp`
			`$ mkdir /home/sftp`
			`$ chown nobody:sftp /home/sftp/common`
			`$ chmod 770 /home/sftp/common`
			`$ useradd -d /home/sftp/common -g sftp sam`
			`$ useradd -d /home/sftp/common -g sftp tom`

			`$ chmod g+s /home/sftp/common`

add sftp server setup 2 years ago			`# verify ownership`
			`$ ls -ld /sftp/guestuser/incoming`
			`drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming`

			`$ ls -ld /sftp/guestuser`
			`drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser`

			`$ ls -ld /sftp`
			`drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp`

			```

			`5. Restart sshd`
			```sh
			`$ service sshd restart`
			```

			`6 Test setup`
			```sh
			`# user should only able to access the incoming folder as root level`
			`$ sftp guestuser@192.168.0.222`
			```