Setup_SFTP_only_user_accounts_for_file_sharing

SFTP is commonly used by ordinary users to transfer files alongside their normal SSH shell access. In some scenarios it is possible to use the OpenSSH SFTP server as a pure file transfer service, replacing a traditional FTP service.

  • Create SFTP-only users with a common primary group, such as ftp
  • Set the home directory of those users to the file sharing directory
  • Set their default shell to nologin(8) or false(1) to reject shell access
  • Set a password for those users in the usual way if you want to use password authentication
  • Modify sshd_config(5) (usually /etc/ssh/sshd_config), adding the following:

	Match Group ftp
		ChrootDirectory %h
		ForceCommand internal-sftp
		AllowTcpForwarding no
		X11Forwarding no
		PermitTTY no
		PermitTunnel no

The above configuration means that for every user in the ftp group logging in over SSH, sshd chroot(2)s the session processes into the user's home directory and allows only an SFTP session (no shell, no TTY, no port forwarding or tunnels). If you need to use public key authentication for the SFTP users, add

	AuthorizedKeysFile /etc/ssh/ftp_authorized_keys.%u

and add public keys in /etc/ssh/ftp_authorized_keys.<user-name>.

  • Restart sshd(8)
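The whole procedure above, collected into one provisioning script. This is an added example, not code from the original page: it assumes a Linux host with GNU coreutils and shadow-utils (groupadd, useradd, stat -c, install), nologin(8) at /usr/sbin/nologin, an sshd systemd unit named sshd, and the constructed names alice, ftp and /srv/sftp/alice. One check is included that the steps above rely on but do not spell out: sshd(8) refuses a ChrootDirectory unless every component of the path is a root-owned directory that is not writable by group or other, so the shared home directory itself must be root-owned and the user gets a writable subdirectory inside it.

```shell
#!/bin/sh
# Added example for the SFTP-only account procedure above (not the page's own code).
# Assumptions: Linux, GNU coreutils/shadow-utils, /usr/sbin/nologin, systemd unit "sshd".
set -eu

# Render the sshd_config(5) Match block for the SFTP-only group and print it.
# Argument: group name. The AuthorizedKeysFile line mirrors the page's
# /etc/ssh/ftp_authorized_keys.%u convention, parameterised on the group.
sftp_match_block() {
    group=$1
    printf '%s\n' \
        "Match Group $group" \
        "    ChrootDirectory %h" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no" \
        "    PermitTTY no" \
        "    PermitTunnel no" \
        "    AuthorizedKeysFile /etc/ssh/${group}_authorized_keys.%u"
}

# sshd rejects a ChrootDirectory unless every path component is a directory
# owned by root (uid 0) and not writable by group or other. Walk from the
# directory up to / and return 0 only when all components satisfy that.
chroot_dir_ok() {
    dir=$1
    while [ "$dir" != "/" ]; do
        [ -d "$dir" ] || return 1
        owner=$(stat -c '%u' "$dir") || return 1
        mode=$(stat -c '%a' "$dir") || return 1
        [ "$owner" -eq 0 ] || return 1
        # the last two octal digits are group and other; a 2, 3, 6 or 7 there
        # means the write bit is set for that class
        case $mode in
            *[2367]?|*[2367]) return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Provision one SFTP-only account; must run as root.
# Arguments: user name, primary group, shared directory (becomes home and chroot).
provision_sftp_user() {
    user=$1; group=$2; dir=$3
    getent group "$group" >/dev/null || groupadd "$group"
    # home is the shared directory; nologin rejects interactive shells.
    # -M: do not create the home here, it is created root-owned below.
    useradd -g "$group" -d "$dir" -s /usr/sbin/nologin -M "$user"
    # chroot target stays root-owned and non-writable by others;
    # the user gets a writable subdirectory for uploads inside it
    install -d -o root -g root -m 755 "$dir"
    install -d -o "$user" -g "$group" -m 750 "$dir/upload"
    chroot_dir_ok "$dir" || { echo "unsafe chroot path: $dir" >&2; return 1; }
    # Match blocks must come last in sshd_config, so appending is correct;
    # only append once, then syntax-check before reloading
    if ! grep -q "^Match Group $group" /etc/ssh/sshd_config; then
        sftp_match_block "$group" >> /etc/ssh/sshd_config
    fi
    sshd -t
    systemctl reload sshd
}

# Run the provisioning only when invoked explicitly, e.g.:
#   sudo sh setup_sftp_user.sh --apply alice ftp /srv/sftp/alice
if [ "${1:-}" = "--apply" ]; then
    provision_sftp_user "$2" "$3" "$4"
fi
```

After provisioning, add the user's public key to /etc/ssh/ftp_authorized_keys.alice (root-owned, so the user cannot alter it from inside the chroot) and test with `sftp alice@host`; an `ssh alice@host` attempt should be refused since the account has no shell and PermitTTY is off.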

Since file transfers usually push a large amount of traffic through the SSH server sshd(8), it may be desirable to switch to High-performance SSH (HPN-SSH) for sshd(8). High-performance SSH is a fork of OpenSSH that uses dynamic transfer buffer sizes and a multi-threaded AES-CTR cipher implementation to improve data transfer performance over SSH. Refer to its website for how to install and tune this implementation.

Setup_SFTP_only_user_accounts_for_file_sharing.txt · Last modified: 2019/03/29 03:01 by whr