SSH + SFTP Setup Guide (Debian/Ubuntu)

1. Install SSH Server

sudo apt update
sudo apt install -y openssh-server

Enable and start service:

sudo systemctl enable ssh
sudo systemctl start ssh
sudo systemctl status ssh

2. Create Groups

sudo addgroup ssh
sudo addgroup sftp

3. Create / Assign Users

# Full SSH access
sudo usermod -aG ssh your_user

# Create new SFTP-only user
sudo adduser ftpuser01
sudo usermod -aG sftp ftpuser01

!! Replace your_user with your actual username.
!! Replace ftpuser01 with your ftp username.


4. Configure SSH Server

Backup config:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +%F).bk

Edit config:

sudo nano /etc/ssh/sshd_config

Add at the bottom:

# Allow only these groups to connect
AllowGroups ssh sftp

# Restrict SFTP group to SFTP-only
Match Group sftp
    ChrootDirectory /data01/sftp/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

!! Replace /data01/sftp/%u with your own chroot path. sshd expands %u to the name of the connecting user.

Notes:


5. Setup SFTP Directory

Prepare secure chroot for SFTP:

# Creates the directory path for the SFTP user
sudo mkdir -p /data01/sftp/ftpuser01/files

# -----------------------------------------------------------
# Set secure ownership and permissions for the chroot path.
# All parent directories must be owned by root and not writable by others.
# -----------------------------------------------------------
# Set ownership and permissions for the data01 directory
sudo chown root:root /data01
sudo chmod 755 /data01

# Set ownership/permissions of the top-level chroot directory to root
sudo chown root:root /data01/sftp
sudo chmod 755 /data01/sftp

# Set ownership/permissions of the user's home chroot directory to root
sudo chown root:root /data01/sftp/ftpuser01
sudo chmod 755 /data01/sftp/ftpuser01

# -----------------------------------------------------------
# Set ownership of the writable directory.
# The user can only upload files into this sub-folder.
# -----------------------------------------------------------
# Change the owner of the 'files' directory to the sftp user
sudo chown ftpuser01:sftp /data01/sftp/ftpuser01/files

# Give the user and the sftp group read, write, and execute on the files folder (others: read and execute)
sudo chmod 775 /data01/sftp/ftpuser01/files
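
To verify the chroot path before restarting sshd, here is an added example (not part of the original guide) that applies the ChrootDirectory rule from sshd_config(5): every path component must be a root-owned directory that is not writable by group or others. The function names component_ok and chroot_path_ok and the script name check_chroot.sh are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original guide). Mirrors the rule in
# sshd_config(5) for ChrootDirectory: every component of the path must be a
# root-owned directory that is not writable by group or others.
# Uses GNU stat (-c), as shipped on Debian/Ubuntu.

# component_ok DIR [UID]: return 0 if DIR passes, 1 otherwise (reason on stderr).
# UID defaults to 0; overriding it is only meant for unprivileged test runs.
component_ok() (
    dir=$1 want_uid=${2:-0} rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory" >&2
        exit 1
    fi
    uid=$(stat -c %u -- "$dir")
    mode=$(stat -c %a -- "$dir")        # octal, e.g. 755
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid" >&2
        rc=1
    fi
    # 022 = write bit for group (020) and others (002)
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group- or world-writable" >&2
        rc=1
    fi
    exit "$rc"
)

# chroot_path_ok PATH [UID]: check PATH and every parent directory up to /.
chroot_path_ok() (
    path=$1 rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: must be an absolute path" >&2; exit 1 ;;
    esac
    while :; do
        component_ok "$path" "${2:-0}" || rc=1
        if [ "$path" = / ]; then break; fi
        path=$(dirname -- "$path")
    done
    exit "$rc"
)

# Example: sh check_chroot.sh /data01/sftp/ftpuser01
if [ "$#" -gt 0 ]; then
    chroot_path_ok "$@"
fi
```

Pass it the chroot directory itself, not the writable files sub-folder: that folder sits below the chroot and is meant to be owned by the SFTP user.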

Result:


6. Configure Firewall (optional, recommended)

sudo apt install -y ufw gufw
sudo ufw allow from 192.168.150.0/24 to any app SSH
sudo ufw enable
sudo ufw reload
sudo ufw status verbose

!! Replace 192.168.150.0/24 with your actual IP range.


7. Restart SSH

sudo systemctl restart ssh
sudo systemctl status ssh

8. (Optional) Colorful Prompt for SSH Users

For better terminal readability (SSH only, not SFTP):

cp ~/.bashrc ~/.bashrc.$(date +%F).bk
nano ~/.bashrc
# In the editor, uncomment this line:
#   force_color_prompt=yes
source ~/.bashrc

9. Final Result


10. Connect from Windows

a) SSH (Command-line)

Open PowerShell or Command Prompt:

ssh your_user@192.168.150.10

b) SFTP (Command-line)

sftp ftpuser01@192.168.150.10

c) Graphical Clients