The page describes, how to setup an SFTP server with OpenSSH on FreeBSD. SFTP can be used for sharing and exchanging files with clients and users. Tested on FreeBSD 12.3.
What is an SFTP server?
If you will be sharing or exchanging files with your clients, such as a graphics designer, a wedding photographer or a video production company does, then you will probably have the following list of requirements for your file sharing service.
- You should be able to share files with your clients with ease and in a secure way.
- Your file sharing service should be based on a free, well known and widely compatible protocol.
- Your clients should be able to access, download and upload files at any time of day or night.
- Your clients should only have access to files, that is related to them.
A well proven solution, that meet these requirements, is an SFTP server, that is running on a dedicated server or virtual private server (VPS) in a data center of your choice. SFTP is an encrypted secure file transfer protocol in the well known SSH protocol. SFTP is a secure alternative to the old FTP file transfer protocol. FreeBSD comes with OpenSSH, which is an open source implementation of SSH.
Restrict SFTP users to home directory.
Clients, that will be using the SFTP server, will be using their system user account on the FreeBSD server. In order to restrict these users to their home directory, you can use the ChrootDirectory feature in OpenSSH. In the following example, users, that are in the sftp group, will be restricted to their home directory.
# pw groupadd sftp # nano /etc/ssh/sshd_config Subsystem sftp /usr/libexec/sftp-server Match Group sftp ChrootDirectory /home/%u/ X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp # service sshd restart
Create account on SFTP server.
In the following example, a new system user account will be created for a client, that will be given the username ann, password AbCd, home directory /home/ann and group sftp. You can select a random password from my Password Generator.
# echo "AbCd" | pw useradd -n ann -d /home/ann -g sftp -s /sbin/nologin -h 0 # mkdir -m 0750 /home/ann # mkdir -m 0770 /home/ann/sftp-server # chown -R root:sftp /home/ann
In the following example, a key ring for authorized keys is created in the home directory and public SSH keys are inserted into the key ring.
# cd /home/ann # mkdir -m 0750 .ssh # cd .ssh # touch authorized_keys # chmod 0640 authorized_keys # cat ~/ann.key >> authorized_keys
Use SFTP client to log into SFTP server.
You and your client can now log into the SFTP server. This can be done with the use of an SFTP client, such as FileZilla, or the built-in SFTP client of OpenSSH sftp for secure file transfer. FileZilla, which is free and open source software, can be installed from the system repository or downloaded and installed from the homepage FileZilla Project.
In the following example, FileZilla is installed and launched on a FreeBSD desktop computer.
# pkg install filezilla $ filezilla
In the following example, the built-in sftp is used to connect to the SFTP server foobar, login as ann, download the file imga.jpg and upload the file imgb.jpg to the SFTP server.
$ sftp ann@foobar sftp> ls sftp-server sftp> cd sftp-server sftp> get imga.jpg Fetching /sftp-server/imga.jpg to imga.jpg sftp> put imgb.jpg Uploading imgb.jpg to /sftp-server/imgb.jpg sftp> exit
The secure copy command scp of OpenSSH can not be used, because it depends on shell access to the SFTP server.
Delete account on SFTP server.
If you no longer serve the client, then you should delete their user account and home directory according to your data retention policy. In the following example, the user account and the home directory, which contains files, that relates to your client.
# pw userdel ann # rm -rf /home/ann
Read log for SFTP server on FreeBSD.
OpenSSH logs authentication related events in /var/log/auth.log. In the event of an error, such as a failure in relation to login, you can read the log and find hints to the cause of the problem.
# tail /var/log/auth.log
Test your new SFTP server.
I recommend, that you test your new SFTP server before letting your clients use it. You should test access, authorization, directory change and file transfer. Not doing so, or not correcting problems, that you might or might not be aware of, could turn into privacy and security related problems. You do not want a call from your client, that he had access to other clients files, or even worse: Learn, that he accidently downloaded it, shared it or used it in any way. This situation, also known as a privacy and security incident, would be a data breach. Not only would it be embarrasing, concerning and troublesome, but also something, that can not be undone. You might also be obligated to report it to your clients and authorities.
More about OpenSSH SFTP server on FreeBSD.
If you need randomly generated strong passwords, which you should be using, whereever you are required to use a password for an online service or other application, then I recommend, that you use my Password Generator.