
How to Share Files via SFTP on Debian

小樊
2025-10-05 10:34:51
Category: Intelligent Operations

Prerequisites
Before setting up SFTP file sharing on Debian, ensure your system is updated and the OpenSSH server (which includes SFTP) is installed. Most Debian systems include OpenSSH by default, but you can verify and install it with:

sudo apt update && sudo apt upgrade -y
sudo apt install openssh-server -y

This installs OpenSSH, which provides both SSH (secure shell) and SFTP (secure file transfer protocol) functionality.

Step 1: Configure the SSH Server for SFTP
Edit the SSH configuration file to enable SFTP and restrict access (recommended for security). Open the file with a text editor:

sudo nano /etc/ssh/sshd_config

Make the following changes:

  • Enable the internal SFTP subsystem (replace or uncomment the Subsystem line):
    Subsystem sftp internal-sftp
    
  • Restrict users to SFTP-only (add at the end of the file to apply to a group):
    Match Group sftpusers
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no
    
    This ensures members of the sftpusers group can only use SFTP and are confined to their home directories.

Step 2: Create a Dedicated SFTP User Group and User
For better security, create a dedicated group for SFTP users and add users to it. This avoids granting broad SSH access to all users.

  • Create the group:
    sudo groupadd sftpusers
    
  • Create a user (replace sftpuser with your desired username):
    sudo adduser sftpuser
    
    Set a strong password and complete the user creation prompts.
  • Add the user to the sftpusers group:
    sudo usermod -aG sftpusers sftpuser
    
    The -aG flag appends the user to the group without removing them from other groups.

Step 3: Set Up SFTP Directories with Correct Permissions
Because ChrootDirectory is set to %h, sshd enforces strict permissions on the user’s home directory: it must be owned by root and must not be writable by group or others, while subdirectories (e.g., for file uploads) must be owned by the user.

  • Set home directory ownership and permissions:
    sudo chown root:root /home/sftpuser
    sudo chmod 755 /home/sftpuser
    
    This prevents the user from modifying their home directory structure.
  • Create a subdirectory for file uploads (e.g., upload):
    sudo mkdir /home/sftpuser/upload
    
  • Set ownership and permissions for the upload directory:
    sudo chown sftpuser:sftpusers /home/sftpuser/upload
    sudo chmod 755 /home/sftpuser/upload
    
    The user can now read, write, and execute files in the upload directory.
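
The ownership rule in this step is checked by sshd at login for every directory on the path down to the ChrootDirectory, not only the home directory itself, and a failure shows up as "bad ownership or modes for chroot directory" in the server log. The following pre-flight check is an added example, not part of the original article; the function names and the optional UID argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. Pre-flight check for an sshd
# ChrootDirectory: every path component must be a root-owned directory that is
# not writable by group or others. Names and the UID argument are assumptions.

# component_ok DIR [UID]: check one directory, print the reason on failure.
component_ok() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    # GNU stat as shipped on Debian: %u = owner uid, %a = octal mode.
    uid=$(stat -L -c %u "$dir") || return 1
    mode=$(stat -L -c %a "$dir") || return 1
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    # 022 masks the group-write and other-write permission bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is writable by group or others"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path ABS_PATH [UID]: walk from / down to the chroot directory.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "FAIL $1: path must be absolute"; return 1 ;;
    esac
    owner=${2:-0}
    rest=${1#/}
    cur=
    rc=0
    component_ok / "$owner" || rc=1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        component_ok "$cur" "$owner" || rc=1
    done
    return $rc
}

# Run against a path given on the command line, e.g. /home/sftpuser.
if [ "$#" -gt 0 ]; then check_chroot_path "$1"; fi
```

Saved under a name of your choice (check_chroot.sh is hypothetical), run it as `sh check_chroot.sh /home/sftpuser`. The upload directory is deliberately not checked, because it sits below the chroot and is meant to be owned by the user.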

Step 4: Restart the SSH Service to Apply Changes
After modifying the SSH configuration, restart the service to activate the changes (on Debian the unit is named ssh, and sshd is an alias for it):

sudo systemctl restart sshd

You can verify the service status with:

sudo systemctl status sshd

Ensure the service is active (running).

Step 5: Connect to the SFTP Server
Use an SFTP client to connect to your Debian server. You can choose between command-line or graphical clients:

Command-Line SFTP

Open a terminal and connect using:

sftp sftpuser@your_server_ip

Replace sftpuser with your username and your_server_ip with your server’s IP address. Enter the user’s password when prompted.

Common SFTP Commands:

  • List remote files: ls
  • Upload a file: put local_file remote_directory (e.g., put ~/Documents/report.txt /upload/)
  • Download a file: get remote_file local_directory (e.g., get /upload/report.txt ~/Downloads/)
  • Create a remote directory: mkdir new_folder
  • Exit the session: exit

Graphical SFTP Clients

For a more intuitive experience, use clients like:

  • FileZilla: Open FileZilla, enter the server IP, username, and password in the “Quick Connect” bar, and click “Connect”.
  • WinSCP: Similar to FileZilla, enter connection details and click “Login”.

These clients provide drag-and-drop functionality for easy file transfers.

Optional: Enhance Security

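  • Use SSH Key Authentication: Replace password authentication with SSH keys for stronger security. Generate a key pair on your local machine (ssh-keygen) and copy the public key to the server (ssh-copy-id sftpuser@your_server_ip). For the SFTP-only accounts configured above, ssh-copy-id cannot create ~/.ssh itself, because the account is restricted to internal-sftp and its home directory is owned by root; an administrator has to create /home/sftpuser/.ssh, owned by sftpuser, and place the public key in authorized_keys there.
  • Configure Firewall: Allow only specific IP addresses to access the SFTP port (default: 22) using ufw (the Uncomplicated Firewall, available from the Debian repositories). Add the allow rule before enabling the firewall so that your own SSH session is not cut off: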
    sudo ufw allow from your_trusted_ip to any port 22
    sudo ufw enable
    
  • Regularly Update Software: Keep Debian and OpenSSH updated to patch security vulnerabilities.
