How to Setup SFTP Server on Debian 12

In this guide, we will show you how to set up an SFTP server on Debian 12 step by step.

SFTP stands for Secure File Transfer Protocol / SSH File Transfer Protocol. It is one of the most common methods used to transfer files securely over ssh between our local system and a remote server. The main advantage of sftp is that we don’t need to install any additional package except ‘openssh-server’, which is part of the default installation in most Linux distributions. Another benefit of sftp is that we can allow a user to use sftp only, not ssh.

Prerequisites

  • Pre-Installed Debian 12
  • A local user with admin rights
  • Internet Connectivity

Without any further delay, let’s dive into the SFTP server installation steps on Debian 12.

1) Install OpenSSH Server Package

Sftp is part of the openssh server, so for sftp setup we must install the openssh-server package using the apt command. Open the terminal and run the following apt commands:

$ sudo apt update
$ sudo apt install openssh-server -y

Once the package is installed, the sshd service will start automatically. Execute the command below to verify the status of ssh.

$ sudo systemctl status sshd

2) Create a Group and User for sftp

It is highly recommended to create a dedicated group for sftp. In our case, we are going to create the “sftp_grp” group using the groupadd command.

$ sudo groupadd sftp_grp

Next, create a local user named “pkumar”, add this user to the group “sftp_grp” and assign the shell “/usr/sbin/nologin”.

$ sudo useradd -m -G sftp_grp -s /usr/sbin/nologin pkumar
$ sudo passwd pkumar

Note: The shell “/usr/sbin/nologin” ensures that the user cannot ssh but can use sftp.

3) Setup SFTP Server on Debian 12

As we have installed openssh-server and created the required group and user, let’s configure sftp by editing the file “/etc/ssh/sshd_config“.

Use a text editor and add the following content to the end of the file.

$ sudo vi /etc/ssh/sshd_config

#Comment out the line below and add a new line
#Subsystem      sftp    /usr/lib/openssh/sftp-server
Subsystem       sftp    internal-sftp
#Add the following lines to the end of the file.
Match Group sftp_grp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

Save and close the file.

 

To make the above changes take effect, restart the ssh service using the following systemctl command.

$ sudo systemctl restart sshd

In the above ‘sshd_config’ file, we have commented out the existing line which starts with “Subsystem” and added the new entry “Subsystem       sftp    internal-sftp”.

  • “Match Group sftp_grp” –> It means the settings that follow apply only to members of sftp_grp; these are the users allowed to use sftp.
  • “ChrootDirectory %h” –> It means users can only change directories within their respective home directories; they cannot go beyond them. In other words, they get a jail-like environment within their directories and can’t access any other user’s or the system’s directories.
  • “ForceCommand internal-sftp” –> It means users are limited to the sftp command only.
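The restrictions above are applied only when the group named on the Match line is the group the user actually belongs to; if the names differ, the chroot and ForceCommand are not applied to that user. The script below is an added example (not part of the original guide) that parses a config file and confirms the block for a given group carries the directives used here; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that "Match Group <group>" in an sshd_config carries
# the restrictions used in this guide. Function names are hypothetical.

# match_settings GROUP FILE -> prints "keyword=value" for each directive in the
# block. Keywords are case-insensitive in sshd_config, group names are not.
# Only plain "Match Group a,b" lines are handled (no wildcards or negation).
match_settings() {
    awk -v grp="$1" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" {                 # a new Match line ends the old block
            inblk = 0
            if (NF == 3 && tolower($2) == "group") {
                n = split($3, g, ",")
                for (i = 1; i <= n; i++) if (g[i] == grp) inblk = 1
            }
            next
        }
        inblk { key = tolower($1); $1 = ""; sub(/^ +/, ""); print key "=" $0 }
    ' "$2"
}

# check_sftp_jail GROUP FILE -> returns 0 only if every expected directive is set.
check_sftp_jail() {
    settings=$(match_settings "$1" "$2")
    if [ -z "$settings" ]; then
        echo "FAIL no 'Match Group $1' block in $2"
        return 1
    fi
    rc=0
    for want in chrootdirectory=%h forcecommand=internal-sftp \
                allowtcpforwarding=no x11forwarding=no; do
        if printf '%s\n' "$settings" | grep -qxF -- "$want"; then
            echo "ok   $want"
        else
            echo "FAIL missing $want"; rc=1
        fi
    done
    return $rc
}

# write_sample FILE GROUP -> constructed sample config for trying the check.
write_sample() {
    printf '%s\n' 'Subsystem sftp internal-sftp' "Match Group $2" \
        'ChrootDirectory %h' 'ForceCommand internal-sftp' \
        'AllowTcpForwarding no' 'X11Forwarding no' > "$1"
}

if [ "$#" -eq 2 ]; then check_sftp_jail "$1" "$2"; fi
```

On the server itself, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T -C user=pkumar` prints the settings sshd would actually apply to that user.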

4) Create Uploads Folder and Set Permissions

Set the required permissions on the user’s home directory using the chown and chmod commands.

$ sudo chown root:root /home/pkumar
$ sudo chmod 755 /home/pkumar

Next, create an uploads folder where the user will upload files. Set the required ownership on this uploads folder using the chown command.

$ sudo mkdir /home/pkumar/uploads
$ sudo chown pkumar:sftp_grp /home/pkumar/uploads
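sshd checks at session start that every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others, which is why the home directory is handed to root while only the uploads folder belongs to the user. The script below is an added example (not part of the original guide) that applies the same check from the chroot directory up to /; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path the way sshd expects it.
# Assumes GNU stat (coreutils), as shipped on Debian.

# component_ok UID MODE -> 0 if owned by root and not group/other writable.
component_ok() {
    uid=$1
    mode=$2                                   # octal, e.g. 755 or 1777
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group-write and other-write permission bits.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# check_chroot_path DIR -> walks DIR and each parent up to /, reports every
# component, returns 0 only if all of them pass (2 on a non-absolute path).
check_chroot_path() {
    dir=$1
    rc=0
    case $dir in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"; rc=1
        else
            # -L follows symlinks, like the stat(2) call sshd makes.
            set -- $(stat -L -c '%u %a' "$dir")
            if component_ok "$1" "$2"; then
                echo "ok   $dir (uid=$1 mode=$2)"
            else
                echo "FAIL $dir (uid=$1 mode=$2): needs root owner, no group/other write"
                rc=1
            fi
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

if [ "$#" -gt 0 ]; then check_chroot_path "$1"; fi
```

Saved under a name of your choice and run with /home/pkumar as its argument, it should report every component as ok; /home/pkumar/uploads is deliberately not checked because it must stay writable by the user.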

5) Test Sftp Server

Now that the SFTP server is set up, it’s time to test it. From a client machine, use an SFTP client like FileZilla or WinSCP, or test directly from the command line:

$ ssh pkumar@<sftp-server-ip>

The output of the above command confirms that the user is not allowed to SSH. Now try sftp using the following command.

$ sftp pkumar@<sftp-server-ip>

Let’s try to upload a file using the put command.

sftp> put datamig.zip
Uploading datamig.zip to /uploads/datamig.zip
datamig.zip 100% 7091 1.1MB/s 00:00
sftp>

Try to change the directory:

sftp> cd /root
Couldn't stat remote file: No such file or directory
sftp>

The above output confirms that we are able to upload a file from our local system to the sftp server. We have also tested that users cannot change directories.

Let’s test the SFTP server connection using WinSCP.

Enter the sftp server IP address along with the user’s credentials:

Downloading and uploading a file from WinSCP works fine. This shows that we have successfully set up an SFTP server on Debian 12.

We hope you have found these instructions helpful. Feel free to post your queries and feedback in the comments section below.

7 thoughts on “How to Setup SFTP Server on Debian 12”

  1. Please describe internal-sftp,
    %h,
    I am unable to ls -l and pad, cd, get and put command. permission denied,
    Please describe.

    1. %h means users will directly land into its home directory when they do sftp command.
      internal-sftp is a configuration keyword that tells sshd to use SFTP server code built-into sshd.
      You need to set the required permissions on User’s home directory

  2. You can also try SFTPGo

    ‘https://github.com/drakkan/sftpgo’

    it has chroot support builtin, virtual quota, atomic uploads, bandwidth throttling and many other features.

    It can execute configurable custom commands and/or send HTTP notifications on upload, download, delete or rename.

    It is written in Go, so no runtime dependencies, and it works on Windows too

  3. I followed this guide and it worked for me, at least until I rebooted the host. Now, every time I test the connection using WinSCP or Filezilla, it's trying to open / folder instead of redirecting to the subfolder under the homefolder for the user. Can’t figure it out, any ideas?

  4. Possible to enable an RSA fingerprint or RSA Key? Or is username / password the only authentication method?

    1. Make the public key directory – mkdir /home/$User/.ssh

      Make the key file to hold the key – touch /home/$User/.ssh/authorized_keys

      Give the user ownership of their key folder – chown $User:$User /home/$User/.ssh && chown $User:$User /home/$User/.ssh/authorized_keys

      Modify permissions on ssh folder – chmod 0700 /home/$User/.ssh

      Possibly modify the key file permissions – chmod 640 /home/$User/.ssh/authorized_keys <— Not 100% if this needs to be done, try without it first and if it won't work add it in

      Add the public key – /home/$User/.ssh/authorized_keys

      Restart ssh – systemctl restart sshd
