
How to Use Debian SFTP for Remote Login

小樊
2025-10-15 19:18:30
Category: Intelligent Operations and Maintenance

Prerequisites
Ensure your Debian system has an active internet connection and basic utilities installed. You’ll need root or sudo privileges to perform administrative tasks.

1. Install OpenSSH Server
Debian includes OpenSSH Server by default, but if it’s not installed, run:

sudo apt update && sudo apt install openssh-server -y

This installs the SSH server, which also provides SFTP functionality. The service starts automatically after installation.

2. Configure SSH for SFTP
Edit the SSH configuration file to enable SFTP and customize access rules:

sudo nano /etc/ssh/sshd_config

  • Enable Internal SFTP Subsystem: Uncomment or add the line:

    Subsystem sftp internal-sftp

    This uses OpenSSH’s built-in SFTP server, which runs inside the sshd process and needs no helper binaries inside a chroot (more secure than the legacy sftp-server).

  • Restrict Users/Groups (Optional but Recommended): To limit SFTP access to specific users or groups, add a Match block at the end of the file. For example, to restrict a group called sftpusers:

    Match Group sftpusers
        # Lock users to their home directories
        ChrootDirectory %h
        # Only allow SFTP (no shell access)
        ForceCommand internal-sftp
        # Disable port forwarding
        AllowTcpForwarding no
        # Disable X11 forwarding
        X11Forwarding no

    Comments are kept on their own lines because older OpenSSH releases reject text after an option’s value. Save changes and exit the editor (Ctrl+O, Enter, Ctrl+X).

3. Restart SSH Service
Apply configuration changes by restarting the SSH service:

sudo systemctl restart ssh

To ensure the service starts on boot, enable it:

sudo systemctl enable ssh

4. Create SFTP Users

  • Option A: Individual User with Home Directory
    Create a user and set a password:

    sudo adduser your_username
    

    By default, the home directory (/home/your_username) is created and owned by the new user; for chrooted accounts, step 5 changes that ownership.

  • Option B: Add User to sftpusers Group (Recommended for Bulk Management)
    First, create the group and add the user:

    sudo groupadd sftpusers  # Create group if it doesn’t exist
    sudo usermod -aG sftpusers your_username  # Add user to group
    

    This ensures the user inherits SFTP restrictions from the Match Group block.

5. Set Home Directory Permissions
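For SFTP to work correctly (especially with ChrootDirectory), the user’s home directory must be owned by root and have 755 permissions. sshd applies this rule to every component of the path: each directory from / down to the chroot directory must be root-owned and not writable by group or others, otherwise the login is refused.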

sudo chown root:root /home/your_username
sudo chmod 755 /home/your_username

If the user needs to upload files, create a subdirectory (e.g., uploads) and grant ownership to the user:

sudo mkdir /home/your_username/uploads
sudo chown your_username:your_username /home/your_username/uploads
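
The ownership rule above can be checked before the first login attempt. The following script is an added example, not part of the original article; the function names component_ok and check_chroot_path are made up here, and it assumes GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for a
# ChrootDirectory path. sshd refuses the chroot unless every component from /
# down to the target is root-owned and not writable by group or others.

# component_ok UID MODE -> succeeds if UID is 0 and the octal MODE
# (as printed by `stat -c %a`) has no group/other write bit set.
component_ok() {
    [ "$1" -eq 0 ] 2>/dev/null && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> returns 0 if every component passes, 1 if any
# component fails, 2 on bad input. Prints one line per component.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "FAIL $1: give an absolute path"; return 2 ;;
    esac
    [ -d "$1" ] || { echo "FAIL $1: not a directory"; return 2; }
    chk_path=$1
    chk_rc=0
    while :; do
        # stat prints "<owner uid> <octal mode>", e.g. "0 755"
        set -- $(stat -c '%u %a' "$chk_path")
        if component_ok "$1" "$2"; then
            echo "ok   $chk_path (uid=$1 mode=$2)"
        else
            echo "FAIL $chk_path (uid=$1 mode=$2)"
            chk_rc=1
        fi
        if [ "$chk_path" = / ]; then
            break
        fi
        chk_path=$(dirname "$chk_path")
    done
    return "$chk_rc"
}
```

Source the file in a root shell and run check_chroot_path /home/your_username; any FAIL line names the directory whose owner or mode needs correcting.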

6. Test SFTP Connection
From a remote machine (or locally), connect to the Debian server using SFTP:

sftp your_username@your_server_ip

  • Enter the user’s password when prompted.
  • If configured correctly, you’ll see the SFTP prompt (sftp>).
  • Verify basic commands:

    sftp> ls  # List remote files
    sftp> put local_file.txt  # Upload a file
    sftp> get remote_file.txt  # Download a file
    sftp> exit  # Quit the session

Optional: Configure Key-Based Authentication (More Secure)
To avoid entering passwords, set up SSH key authentication:

  • Generate Key Pair on Local Machine:

    ssh-keygen -t rsa -b 4096
    

    Press Enter to save the key to the default location (~/.ssh/id_rsa).

  • Copy Public Key to Server:

    ssh-copy-id your_username@your_server_ip
    

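    Enter the user’s password. This adds the public key to ~/.ssh/authorized_keys on the server. For an account in the sftpusers group, ForceCommand internal-sftp blocks the remote shell commands that ssh-copy-id relies on and the root-owned home directory stops the user from creating ~/.ssh, so an administrator has to install the key in that file instead.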

  • Test Key Authentication:

    sftp -o PreferredAuthentications=publickey your_username@your_server_ip
    

    You should log in without being prompted for a password.

Troubleshooting Tips

  • Check Logs: If connection fails, review /var/log/auth.log for errors (e.g., permission issues).
  • Firewall: Ensure port 22 (default SSH/SFTP) is open on your server.
  • Configuration Errors: A typo in /etc/ssh/sshd_config can prevent SSH from starting. Validate syntax with sudo sshd -t before restarting.
