Installing SSH and SFTP are fairly easy and don’t require to much to setup. First thing we always want to do is update YUM and all other Software on the Machine you are installing on. To do so you would run the following two commands.
- yum update yum
- yum update
This is update YUM so it gets the newest Repo’s and make sure you are getting all the latest software. Once those are done you need to make sure you have all the parts of SSH installed so it will run correctly. To install everything you would need to get SSH and SFTP running, run the following command.
- yum install openssh openssh-server openssh-clients openssl-libs
After those are installed it is always good to make a copy of the original SSH config file so if you put something in wrong you can always delete it and have the original to start over with. So we will run the following command to make a copy of the SSH file
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
Once that’s done you can edit the Config file to change the port to what ever you want. To edit the file I like to use VIM it is an editor for Linux that displays everything in different colors and just makes it easier to read. At least I think it does. You could use other editor’s a lot of people us just VI, it is like VIM but with out all the colors, their is also NANO. With CentOS 7 if you have not installed VIM or NANO you would want to do that to make these changes to the config file.
To install VIM or NANO use the following commands
- yum install vim
- yum install nano
To Edit the config use the following command
- vim /etc/ssh/sshd_config
By default SSH is on port 22 so you would want to change that to something only you would know. If you are behind a firewall you also could open a random port on your firewall and point that back to your machine on port 22 so you don’t have to make changes to the config file. That’s up to you.
If you made changes to the config file you will need to restart the service by typing the following command.
- systemctl restart sshd.service
That’s all that is needed to get SSH running.
As for SFTP we don’t have a whole lot to do. If you have a user created besides root you can use that username if you would like, or you could create a new user that’s up to you as well.
If you need to create a user you would use the following two commands to do so. For my example I will use sftpuser.
- adduser sftpuser
- passwd sftpuser
Once you type the second command it will ask for the password twice to set the password up.
Now we will setup a directory and permissions for the directory. First we make the directory with the following commands.
- mkdir -p /var/sftp/uploads
Then we set the owner ship to the directory sftp to root
- chown root:root /var/sftp
Then we give root permission to the sftp directory and give our sftp user read and execute rights.
- chmod 755 /var/sftp
Now we change the ownership of the uploads directory to our sftpuser
- chown sftpuser:sftpuser /var/sftp/uploads
Now we have the directory and permissions set we can configure the SSH server settings.
We will edit the sshd_config file again.
- vim /etc/ssh/sshd_config
the easiest way to do this is just add the following lines to the bottom of the file
- Match User sftpuser
- ForceCommand internal-sftp
- PasswordAuthentication yes
- ChrootDirectory /var/sftp
- PermitTunnel no
- AllowAgentForwarding no
- AllowTcpForwarding no
- X11Forwarding no
What all those lines do is:
- Match User – tells the SSH server to apply the following commands only to the user specified. Here, we specify sftpuser.
- ForceCommand internal-sftp – forces the SSH server to run the SFTP server upon login, disallowing shell access.
- PasswordAuthentication yes – allows password authentication for this user.
- ChrootDirectory /var/sftp/ – ensures that the user will not be allowed access to anything beyond the /var/sftp directory. You can learn more about chroot in this Ubuntu-based chroot tutorial.
- AllowAgentForwarding no, AllowTcpForwarding no. and X11Forwarding no – disables port forwarding, tunneling and X11 forwarding for this user.
After saving the file we need to restart ssh by
- systemctl restart sshd
Now we can verify we have everything set correctly by trying to SSH to the server and see if we are blocked, if you type the following commands you should get an error message.
- ssh sftpuser@localhost
It will ask for a password then give an error like this:
- “This service allows sftp connections only.
- Connection to localhost closed.”
Then we can try to SFTP like this:
- sftp sftpuser@localhost
Then after putting your password in you should get a message that says “Connected to localhost.” and give you an SFTP Prompt. From here you should be able to view content but you should not be able to change directory’s because we locked them down.
After that you are done. You now have an OS installed that is up to date and has SSH and SFTP access so you can remotely upload files that you need to upload, and you have SSH access so if the server is going to be moved off site or you want to access the machine remotely without needing a Monitor, keyboard, or mouse. All it needs is power and network connection. If you have any questions or comments let me know. I will be happy to answer them to the best of my ability.