This page describes how to set up an SFTP server with OpenSSH on FreeBSD. SFTP can be used for sharing and exchanging files with clients and users. Updated 2024-07-20. Tested on FreeBSD 12.3 and 13.3.

What is an SFTP server?

If you will be sharing or exchanging files with your clients, as a graphics designer, a wedding photographer or a video production company does, then you will probably have the following requirements for your file sharing service.

  • You should be able to share files with your clients easily and securely.
  • Your file sharing service should be based on a free, well known and widely compatible protocol.
  • Your file sharing service should comply with your privacy policy and the general data protection regulation.
  • Your clients should be able to access, download and upload files at any time of day or night.
  • Your clients should only have access to files that relate to them.

A well proven solution that meets these requirements is an SFTP server running on a dedicated server or virtual private server (VPS) in a data center of your choice. SFTP is an encrypted, secure file transfer protocol that runs inside the well known SSH protocol. SFTP is a secure alternative to the old FTP file transfer protocol. FreeBSD comes with OpenSSH, which is an open source implementation of SSH.

Restrict SFTP users to home directory.

Clients that use the SFTP server log in with a system user account on the FreeBSD server. To restrict these users to their home directory, use the ChrootDirectory feature of OpenSSH. In the following example, users in the sftp group are restricted to their home directory.

# pw groupadd sftp
# nano /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/sftp-server
Match Group sftp
ChrootDirectory /home/%u/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
# service sshd restart

Create user account on SFTP server.

In the following example, a new system user account is created for a client or user. The username is ann. The home directory is /home/ann. The group is sftp. The user will be able to read and download files from the home directory, but not delete or upload them. The user will have an upload directory into which the user can upload files.

# pw useradd -n ann -d /home/ann -g sftp -s /sbin/nologin
# mkdir -m 0750 /home/ann
# chown root:sftp /home/ann
# mkdir -m 0770 /home/ann/upload
# chown ann:sftp /home/ann/upload
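sshd only accepts a ChrootDirectory whose every path component is owned by root and is neither group- nor world-writable, which is why the home directory above is created as root:sftp with mode 0750 while only the upload directory belongs to the user. The following script is an added example, not part of the original page: it checks those rules for the layout from the ChrootDirectory and user account sections (it assumes the /home/USER and /home/USER/upload layout, the sftp-chroot-check.sh file name, and the FreeBSD stat(1) format strings %u and %OLp).

```shell
#!/bin/sh
# Added example (not from the original page): verify that a user's chroot tree
# meets the ownership and mode rules sshd enforces for ChrootDirectory, so the
# login is not rejected with "bad ownership or modes for chroot directory".

# chroot_component_ok UID MODE
# UID is the numeric owner, MODE the octal permission bits (e.g. 0750).
chroot_component_ok() {
    [ "$1" -eq 0 ] || return 1               # each component must be owned by root
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1   # and must not be group/other writable
    return 0
}

# path_components /home/ann/  ->  prints "/", "/home", "/home/ann", one per line
path_components() {
    p=${1%/}                                 # sshd_config above uses /home/%u/
    echo /
    acc=""
    old_ifs=$IFS; IFS=/
    for part in $p; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        echo "$acc"
    done
    IFS=$old_ifs
}

# check_sftp_home USER
# Assumes the page's layout (/home/USER chroot, /home/USER/upload owned by USER)
# and FreeBSD stat(1): %u = owner uid, %OLp = permission bits in octal.
check_sftp_home() {
    user=$1
    for d in $(path_components "/home/$user"); do
        set -- $(stat -f '%u %OLp' "$d" 2>/dev/null)
        [ $# -eq 2 ] || { echo "cannot stat $d"; return 1; }
        chroot_component_ok "$1" "$2" || { echo "bad owner or mode on $d"; return 1; }
    done
    up="/home/$user/upload"
    [ "$(stat -f '%u' "$up" 2>/dev/null)" = "$(id -u "$user")" ] ||
        { echo "$up is not owned by $user"; return 1; }
    echo "chroot tree for $user is acceptable to sshd"
}

# Usage: sh sftp-chroot-check.sh ann   (hypothetical file name)
if [ $# -gt 0 ]; then check_sftp_home "$1"; fi
```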

A new system user account has now been created and is registered in /etc/passwd. The user cannot log in until a method of authentication is set.

$ sftp ann@foobar
ann@foobar: Permission denied (publickey,keyboard-interactive).

Put an optional readme file with instructions.

Optionally, create a readme file with instructions on how to use the SFTP server. Traditionally, these can include nice ASCII graphics from generators and editors. The file can be read from the SFTP client.

# nano readme.txt

Copy the readme file to the user home directory.

# cp readme.txt /home/ann/
# chmod 0640 /home/ann/readme.txt

Set a password for the user.

If the user prefers to authenticate with a password, a password can be set, and the user will then be able to authenticate with it. You can select a random password from my Password Generator.

# passwd ann

Set an authentication key for the user.

If the user prefers to authenticate with a public SSH key, the key can be appended to the user's file of authorized keys, and the user will then be able to authenticate with the key. The user can be allowed to add and remove keys.

# mkdir -m 0750 /home/ann/.ssh
# touch /home/ann/.ssh/authorized_keys
# chown ann:sftp /home/ann/.ssh/authorized_keys
# chmod 0640 /home/ann/.ssh/authorized_keys
# cat ann.key >> /home/ann/.ssh/authorized_keys

You might also want to insert other keys, such as your own, if necessary.

# cat bob.key >> /home/ann/.ssh/authorized_keys

The user can now log into the SFTP server.

Use SFTP client to log into SFTP server.

The user can now log into the SFTP server with an SFTP client, such as FileZilla, or with the built-in sftp client of OpenSSH for secure file transfer. FileZilla, which is free and open source software, can be installed from the system package repository or downloaded and installed from the FileZilla Project homepage.

In the following example, FileZilla is installed and launched on a FreeBSD desktop computer. The user needs to enter the domain name of the server and the username, and to authenticate with either a password or a key.

# pkg install filezilla
$ filezilla

In the following example, the built-in sftp client is used to connect to the SFTP server foobar.

$ sftp ann@foobar
sftp> ls
readme.txt upload
sftp> get readme.txt
Fetching /readme.txt to readme.txt
sftp> cd upload
sftp> put anndoc.zip
Uploading anndoc.zip to /upload/anndoc.zip
sftp> bye

The secure copy command scp of OpenSSH cannot be used, because it depends on shell access to the SFTP server, which the user does not have.

$ scp anndoc.zip ann@foobar:
This service allows sftp connections only.
$ ssh ann@foobar
This service allows sftp connections only.
Connection to foobar closed.

Delete account on SFTP server.

If you no longer serve the client, then you should delete their user account and home directory according to your data retention policy. In the following example, the user account and the home directory, which contains files relating to your client, are deleted.

# pw userdel ann
# rm -rf /home/ann

Read authentication log for SFTP server on FreeBSD.

OpenSSH logs authentication related events to /var/log/auth.log. In the event of an error, such as a failed login, you can read the log for hints about the cause of the problem. You should also monitor the log for security related incidents.

# tail /var/log/auth.log
Jul 20 13:37:13 foobar sshd[13371]: Accepted publickey for ann from 133.71.337.137 port 13371 ssh2: RSA SHA256:nfMqBkY/JeDNIgnjOB3v/vi4brufmir3bAf+DhxWvfw
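As an added example that is not part of the original page, the following script pulls the accepted and failed authentication events out of auth.log lines in the format shown above and lists source addresses that fail repeatedly, which is the routine check behind "monitor the log for security related incidents". The sample lines are constructed (documentation address ranges, made-up key fingerprint), and the fixed field positions assume the classic "Mon DD HH:MM:SS host sshd[pid]:" prefix of the page's own log line.

```shell
#!/bin/sh
# Added example (not from the original page): summarise sshd authentication
# outcomes from /var/log/auth.log and flag addresses with repeated failures.

# auth_outcomes < logfile
# Prints one record per sshd authentication event: "accepted|failed USER ADDRESS".
# Field positions assume the classic syslog prefix "Mon DD HH:MM:SS host sshd[pid]:".
auth_outcomes() {
    awk '
        /sshd\[[0-9]*\]: Accepted / { print "accepted", $9, $11; next }
        /sshd\[[0-9]*\]: Failed /   {
            # "Failed password for invalid user X from ADDR" shifts the fields by two
            if ($9 == "invalid") print "failed", $11, $13; else print "failed", $9, $11
        }
    '
}

# flag_sources THRESHOLD < logfile
# Lists addresses with at least THRESHOLD failed logins, most failures first.
flag_sources() {
    auth_outcomes | awk -v t="$1" '
        $1 == "failed" { n[$3]++ }
        END { for (a in n) if (n[a] >= t) print n[a], a }
    ' | sort -rn
}

# Constructed sample in auth.log format; 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges and the fingerprint is not a real key.
SAMPLE_LOG='Jul 20 13:37:13 foobar sshd[13371]: Accepted publickey for ann from 192.0.2.10 port 51234 ssh2: RSA SHA256:EXAMPLEfingerprint
Jul 20 13:40:01 foobar sshd[13390]: Failed password for ann from 198.51.100.7 port 40001 ssh2
Jul 20 13:40:05 foobar sshd[13391]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jul 20 13:40:09 foobar sshd[13392]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Jul 20 13:41:00 foobar sshd[13395]: Failed password for ann from 192.0.2.10 port 51240 ssh2
Jul 20 13:42:30 foobar sshd[13371]: Disconnected from user ann 192.0.2.10 port 51234'

# Usage on the server: flag_sources 5 < /var/log/auth.log
# Running this file directly demonstrates it on the constructed sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | auth_outcomes
    printf '%s\n' "$SAMPLE_LOG" | flag_sources 3
fi
```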

Test your new SFTP server.

I recommend that you test your new SFTP server before letting your clients use it. You should test access, authorization, directory changes and file transfers. You should also monitor the authentication log. Not doing so, or not correcting problems that you might or might not be aware of, could turn into privacy and security related problems.

More about OpenSSH SFTP server on FreeBSD.

If you need randomly generated strong passwords, which you should be using wherever you are required to use a password for an online service or other application, then I recommend that you use my Password Generator.