How to Setup SFTP Server on Debian 12

To set up an SFTP server on Debian 12, you can use OpenSSH, which provides secure file transfer capabilities. Here's a step-by-step guide:

Step 1 : Install OpenSSH Server:

sudo apt update
sudo apt install openssh-server

Step 2 : Open the SSH server configuration file using a text editor. For example, using Nano:

sudo nano /etc/ssh/sshd_config

Step 3 : Find the following line in the file and uncomment it by removing the # at the beginning if it exists:

#Subsystem sftp /usr/lib/openssh/sftp-server

Change it to:

Subsystem sftp internal-sftp

Step 4 : Add the following block at the end of the file to define the configuration for the SFTP server:

Match Group sftpusers
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

This block configures the SFTP server to chroot users (restrict them to their home directories), force the use of internal SFTP, disable X11 forwarding, and disallow TCP forwarding. You can modify these options based on your requirements.

Step 5 : Save the file and exit the text editor (Ctrl + X, followed by Y and Enter in Nano).

Step 6 : Restart the SSH server to apply the changes:

sudo systemctl restart sshd

Step 7 : Create the SFTP-only user. Replace sftpuser with the desired username:

sudo adduser sftpuser

You will be prompted to enter additional information for the user, including their password. Follow the prompts to set the password accordingly.

Step 8 : Set the user's shell to /sbin/nologin:

sudo usermod -s /sbin/nologin sftpuser

Step 9 : Create the "sftpusers" group:

sudo addgroup sftpusers

Step 10 : Assign the user to the SFTP-only group:

sudo usermod -aG sftpusers sftpuser

Step 11 : If you're using a firewall, allow incoming SSH connections. By default, SSH uses TCP port 22. For example, using ufw (Uncomplicated Firewall):

sudo ufw allow OpenSSH

Test the SFTP connection

Step 12 : Connect to the SFTP server using an SFTP client. You can use popular SFTP clients like FileZilla, WinSCP, or the sftp command-line tool.

If you're using the sftp command-line tool, run the following command:

sftp sftpuser@server_ip_or_hostname

Replace sftpuser with the SFTP-only username you created, and server_ip_or_hostname with the IP address or hostname of the SFTP server.

Step 13 : Enter the password for the SFTP user when prompted.

Step 14 : If the connection is successful, you should now be connected to the SFTP server and see a prompt like sftp>. This indicates that you can now interact with the SFTP server to upload, download, or manage files within the user's home directory.

For example, you can use commands like put to upload files to the server, get to download files, ls to list files, cd to change directories, etc.

Step 15 : Test file transfer by uploading or downloading a file to verify that the SFTP connection is working as expected.

For example, you can use the put command to upload a file:

 put local_file remote_file

Replace local_file with the path to the file on your local machine and remote_file with the desired filename on the SFTP server.

Similarly, you can use the get command to download a file:

 get remote_file local_file

Replace remote_file with the path to the file on the SFTP server and local_file with the desired filename on your local machine.

Step 16 : Attempt to connect to the SSH server using SSH with the SFTP-only user. Replace sftpuser with the username you created:

ssh sftpuser@server_ip_or_hostname

If the connection is not successful and you receive an error like "This account is currently not available" then the SSH access has been successfully restricted for the SFTP-only user.

Now your SFTP server is set up on Debian 12, and the user "sftpuser" (or the username you specified) can connect via SFTP using their credentials. They will be restricted to their home directory and can upload/download files within that directory.