#author("2023-07-21T17:16:42+09:00","","")
#author("2023-07-21T17:20:25+09:00","","")
#nofollow
#norelated

* Contents [#mcbb9722]
#contents

Reference URLs&br;
[[How to Setup an SFTP Server on Ubuntu 22.04 using OpenSSH>https://formatswap.com/blog/linux-tutorials/how-to-setup-an-sftp-server-on-ubuntu-22-04-using-openssh/]]&br;
[[How To Setup SFTP Server on Ubuntu 22.04 LTS>https://www.linuxbuzz.com/how-to-setup-sftp-server-on-ubuntu/]]&br;
[[How to install and use SFTP on a Linux server>https://ja.linux-console.net/?p=3369#gsc.tab=0]]&br;

* Give the server a static IP first [#v88c1a13]
Reference URL&br;
[[Setting a static IP on Ubuntu 22.04 LTS Server>https://qiita.com/energy_tom1412/items/1652a4a785df4b629f53]]

Example: 192.168.3.9

* Install OpenSSH [#l197aa8c]
 ~$ sudo apt update
 ~$ sudo apt install openssh-server

** View SSH Status [#sa73b225]
Verify that OpenSSH is installed on your system and actively running.&br;
Use the command below and confirm that you see "active (running)" on the third line of the output.&br;
 ~$ sudo systemctl status ssh
 ● ssh.service - OpenBSD Secure Shell server
      Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
      Active: active (running) since Wed 2023-07-19 14:36:02 JST; 40min ago
        Docs: man:sshd(8)
              man:sshd_config(5)
     Process: 764 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Main PID: 798 (sshd)
       Tasks: 1 (limit: 18946)
      Memory: 3.8M
         CPU: 34ms
      CGroup: /system.slice/ssh.service
              └─798 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
 
 7月 19 14:36:00 OptiPlex-790 systemd[1]: Starting OpenBSD Secure Shell server...
 7月 19 14:36:02 OptiPlex-790 sshd[798]: Server listening on 0.0.0.0 port 22.
 7月 19 14:36:02 OptiPlex-790 sshd[798]: Server listening on :: port 22.
 7月 19 14:36:02 OptiPlex-790 systemd[1]: Started OpenBSD Secure Shell server.

* Create New User [#b6cc5820]
Create a new user for logging into the SFTP server.&br;
 $ sudo adduser sftpuser
 ユーザー `sftpuser' を追加しています...
 新しいグループ `sftpuser' (1001) を追加しています...
 新しいユーザー `sftpuser' (1001) をグループ `sftpuser' に追加しています...
 ホームディレクトリ `/home/sftpuser' を作成しています...
 `/etc/skel' からファイルをコピーしています...
 新しい パスワード:                    → e.g. entered "sftpuser"
 正しくないパスワード: このパスワードには、一部に何らかの形でユーザー名が含まれています
 新しい パスワードを再入力してください:  → e.g. entered "sftpuser" again
 passwd: パスワードは正しく更新されました
 sftpuser のユーザ情報を変更中
 新しい値を入力してください。標準設定値を使うならリターンを押してください
         フルネーム []:
         部屋番号 []:
         職場電話番号 []:
         自宅電話番号 []:
         その他 []:
 以上で正しいですか? [Y/n] Y

* Create New Group [#n09b3f94]
Create a new group for our sftpuser.&br;
We will configure SSH to give SFTP access to any user in this group.&br;
 $ sudo addgroup sftpusers
 グループ `sftpusers' (GID 1002) を追加しています...
 完了。

* Add User to Group [#ub1d4b61]
Add the user to the new group.&br;
Run the usermod command to add sftpuser to the sftpusers group.&br;
 $ sudo usermod -a -G sftpusers sftpuser

* Change User's Home Permissions [#y76c9edf]
Set new ownership and permissions on sftpuser's home directory.&br;
This is what lets sshd use the directory as a chroot: the chroot directory must be owned by root and must not be writable by anyone else.&br;
First execute the chown command, then the chmod command.&br;
sftpuser's home will be the folder you land in when you connect to the SFTP server.&br;
 $ sudo chown root:root /home/sftpuser
 $ sudo chmod 755 /home/sftpuser

** Check [#r58dd86c]
 $ ls -la ..|grep -i --color -e "sftpuser"
 drwxr-xr-x 2 root root 4096  7月 19 15:28 sftpuser

Before the change it looked like this:
 drwxr-x--- 2 sftpuser sftpuser 4096  7月 19 15:28 sftpuser

* Prepare the SFTP user's key file [#of33d1ff]
** Have the SFTP user's public key file id_rsa_of_sftp_user.pub ready in advance [#ce12cd76]

** Set up the SFTP user's key file [#me9fcabc]
 $ sudo bash
 # cd /home/sftpuser/
 # mkdir .ssh
 # chown root:root .ssh
 # chmod 700 .ssh
 # cd .ssh
 # cat id_rsa_of_sftp_user.pub >> authorized_keys
 # chown root:root authorized_keys
 # chmod 600 authorized_keys

** Check [#y5cc60c6]
 # ls -la /home/ | grep -i --color -e "sftpuser"
 drwxr-xr-x 15 root root 4096  7月 21 14:55 sftpuser
 # ls -la /home/sftpuser/ | grep -i --color -e "ssh"
 drwx------  2 root root 4096  7月 21 14:56 .ssh
 # ls -la /home/sftpuser/.ssh/
 合計 12
 drwx------  2 root root 4096  7月 21 14:56 .
 drwxr-xr-x 15 root root 4096  7月 21 14:55 ..
 -rw-------  1 root root  410  7月 21 14:56 authorized_keys

* Edit the SSH Config File [#oadb980b]
Edit the sshd_config file and change a few lines.&br;
Open the configuration file with the gvim text editor as shown below.&br;
 $ sudo gvim -f /etc/ssh/sshd_config

** Comment out the Subsystem directive [#d2a671bf]
Original (line 115):
 Subsystem sftp /usr/lib/openssh/sftp-server
Modified:
 #Subsystem sftp /usr/lib/openssh/sftp-server

** Uncomment PasswordAuthentication yes [#x075ad8b]
Original (line 58):
 #PasswordAuthentication yes
Modified:
 PasswordAuthentication yes

** Add New Lines at line 116 [#t9132eef]
 Subsystem sftp internal-sftp
 
 Match Group sftpusers
     ChrootDirectory /home/%u
     X11Forwarding no
     AllowTCPForwarding no
     ForceCommand internal-sftp

*** Summary [#nc81fd97]
 $ diff -uprN /etc/ssh/sshd_config_original /etc/ssh/sshd_config
 --- /etc/ssh/sshd_config_original 2022-11-23 16:38:19.000000000 +0900
 +++ /etc/ssh/sshd_config 2023-07-21 17:14:57.110675372 +0900
 @@ -26,6 +26,7 @@ Include /etc/ssh/sshd_config.d/*.conf
  # Logging
  #SyslogFacility AUTH
  #LogLevel INFO
 +LogLevel VERBOSE
  
  # Authentication:
  
 @@ -54,7 +55,7 @@ Include /etc/ssh/sshd_config.d/*.conf
  #IgnoreRhosts yes
  
  # To disable tunneled clear text passwords, change to no here!
 -#PasswordAuthentication yes
 +PasswordAuthentication yes
  #PermitEmptyPasswords no
  
  # Change to yes to enable challenge-response passwords (beware issues with
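Review bot: uncommenting `PasswordAuthentication yes` in this hunk changes nothing, because the commented line only documents sshd's compiled-in default, which is already yes. Since the page installs a public key for sftpuser, the edit that actually improves the setup once key login is confirmed is `PasswordAuthentication no`, so the chroot account cannot be reached by password guessing; this matters all the more because the example password chosen above is the user name itself, which passwd already warned about. Whatever value is chosen, confirm the one that applies with `sudo sshd -T | grep -i passwordauthentication`: the `Include /etc/ssh/sshd_config.d/*.conf` line at the top of the file is read first and sshd keeps the first value it finds for a keyword, so a drop-in file there (Ubuntu cloud images ship 50-cloud-init.conf) silently overrides this edit.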
 @@ -112,7 +113,14 @@ PrintMotd no
  AcceptEnv LANG LC_*
  
  # override default of no subsystems
 -Subsystem sftp /usr/lib/openssh/sftp-server
 +#Subsystem sftp /usr/lib/openssh/sftp-server
 +Subsystem sftp internal-sftp
 +
 +Match Group sftpusers
 +    ChrootDirectory /home/%u
 +    X11Forwarding no
 +    AllowTCPForwarding no
 +    ForceCommand internal-sftp
  
  # Example of overriding settings on a per-user basis
  #Match User anoncvs

* Restart SSH [#peefac96]
 $ sudo service ssh restart

* Configure the Firewall [#cdf6e9c0]
Configure the firewall using UFW to control access to our SFTP server.&br;
Start by denying all incoming traffic and allowing all outgoing traffic.&br;
 $ sudo ufw default deny incoming
 $ sudo ufw default allow outgoing

* Allow SSH [#n2a8e781]
There are two options when allowing SSH through the firewall.&br;
You can either allow any IP to access port 22 (not recommended),&br;
or you can allow only specific IP(s) through the firewall.&br;
I recommend the second option as it offers higher security.&br;

** Allow SSH (All IPs) [#x3dcb28e]
If you want to allow any IP, run the following command.&br;
 $ sudo ufw allow ssh

** Allow SSH (Specific IPs) [#p636c4a0]
If you want to allow only specific IPs to access the server,&br;
run the following command for each IP you want to have access.&br;
Replace "IP-ADDRESS" with your own IP.&br;
This is highly recommended as it offers the highest level of security.&br;
 $ sudo ufw allow from IP-ADDRESS to any port ssh

* Enable UFW [#dfe32d36]
After you have allowed the IPs (or everyone) you want to have access,&br;
you need to enable UFW. Run the following command.
 $ sudo ufw enable

* Check Firewall Status [#w3f411ac]
To check the firewall status and verify your configuration,&br;
use the ufw status command.&br;
If you allowed access only to specific IPs, you will see them in the "From" column.&br;
 $ sudo ufw status
 状態: アクティブ
 
 To                         Action      From
 --                         ------      ----
 22/tcp                     ALLOW       Anywhere
 22/tcp (v6)                ALLOW       Anywhere (v6)
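Review bot: the `Match Group sftpusers` hunk is correct as far as it goes, but two consequences are missing from it and from the steps above. First, `ChrootDirectory /home/%u` requires every component of that path to be root-owned and not group- or world-writable (the chown/chmod step does this for /home/sftpuser), which also means sftpuser cannot create files at the top of the chroot; give the user a subdirectory of their own for uploads, e.g. `sudo mkdir /home/sftpuser/upload && sudo chown sftpuser:sftpusers /home/sftpuser/upload`, otherwise every upload into the chroot root fails with permission denied. Second, a Match block extends to the end of the file (or to the next Match), so any directive placed after it applies only to members of sftpusers; here only the commented `#Match User anoncvs` example follows, which is fine, but any later global setting must go above `Match Group sftpusers`. Minor: `AllowAgentForwarding no` and `PermitTunnel no` would close the forwarding options that `X11Forwarding no` and `AllowTCPForwarding no` leave open for this group.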
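The chroot prerequisites behind the "Change User's Home Permissions" and "Set up the SFTP user's key file" steps are easy to get slightly wrong (one group-writable parent directory, or a key file the user cannot reach), and sshd reports them only in the auth log at login time. The script below is an added example for this page, not code from the page or from OpenSSH: it walks every directory from / down to the chroot and checks the ownership and write bits sshd insists on, checks that a user-owned upload directory exists, and, when run as root, checks that the user can read authorized_keys, since sshd opens that file with the user's own uid rather than as root. It assumes GNU stat(1) as shipped with Ubuntu 22.04; the `upload` directory name and the `SFTP_CHROOT` / `SFTP_USER` / `CHROOT_OWNER_UID` variables are this script's own conventions.

```shell
#!/bin/sh
# check_sftp_chroot.sh: verify the on-disk layout behind "ChrootDirectory /home/%u".
# Added example for this page, not code from the page or from OpenSSH.
# Assumes GNU stat(1) (Ubuntu 22.04 coreutils). The "upload" directory name and
# the SFTP_CHROOT / SFTP_USER / CHROOT_OWNER_UID variables are this script's own.

# uid every component of the chroot path must be owned by (root = 0).
# Overridable so the functions can be exercised on a throwaway directory tree.
: "${CHROOT_OWNER_UID:=0}"

# check_component DIR
# 0 if DIR is a directory owned by $CHROOT_OWNER_UID and not group/world-writable,
# which is what sshd demands of every directory on the way to the chroot.
check_component() {
    dir=$1
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory" >&2; return 1; }
    # %u = numeric owner uid, %A = symbolic mode such as "drwxr-xr-x"
    set -- $(stat -c '%u %A' "$dir" 2>/dev/null)
    [ $# -eq 2 ] || { echo "FAIL: cannot stat $dir" >&2; return 1; }
    uid=$1
    perm=$2
    if [ "$uid" -ne "$CHROOT_OWNER_UID" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $CHROOT_OWNER_UID" >&2
        return 1
    fi
    # 6th character of the mode string = group write bit, 9th = other write bit
    case $perm in
        ?????w*|????????w*)
            echo "FAIL: $dir ($perm) is group- or world-writable" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path CHROOT [TOP]
# Applies check_component to TOP (default "/") and to every directory between
# TOP and CHROOT. Returns 0 only if all of them pass.
check_chroot_path() {
    chroot=$1
    top=${2:-/}
    check_component "$top" || return 1
    rest=${chroot#"$top"}      # path of CHROOT relative to TOP
    cur=${top%/}               # avoid "//" when TOP is "/"
    while [ -n "$rest" ]; do
        rest=${rest#/}         # drop the leading slash
        comp=${rest%%/*}       # first remaining component
        rest=${rest#"$comp"}   # remainder after it
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        check_component "$cur" || return 1
    done
    return 0
}

# check_upload_dir CHROOT SUBDIR UID
# The chroot root is root-owned 755, so the user cannot create files there;
# uploads need a subdirectory owned by the user's uid.
check_upload_dir() {
    dir="$1/$2"
    [ -d "$dir" ] || { echo "FAIL: $dir is missing" >&2; return 1; }
    owner=$(stat -c '%u' "$dir")
    [ "$owner" -eq "$3" ] || { echo "FAIL: $dir is owned by uid $owner, expected $3" >&2; return 1; }
    return 0
}

# check_key_readable_as USER CHROOT   (needs root, uses su)
# sshd opens ~/.ssh/authorized_keys with the user's own uid, so the user must be
# able to traverse .ssh and read the file even though both are root-owned.
check_key_readable_as() {
    su -s /bin/sh -c "test -r '$2/.ssh/authorized_keys'" "$1"
}

# Usage on the server:  sudo SFTP_CHROOT=/home/sftpuser SFTP_USER=sftpuser sh check_sftp_chroot.sh
if [ -n "${SFTP_CHROOT:-}" ]; then
    check_chroot_path "$SFTP_CHROOT" && echo "chroot path OK: $SFTP_CHROOT"
    check_upload_dir "$SFTP_CHROOT" upload "$(id -u "${SFTP_USER:-root}")" \
        && echo "upload directory OK"
    if [ "$(id -u)" -eq 0 ] && [ -n "${SFTP_USER:-}" ]; then
        if check_key_readable_as "$SFTP_USER" "$SFTP_CHROOT"; then
            echo "authorized_keys readable by $SFTP_USER"
        else
            echo "FAIL: $SFTP_USER cannot read $SFTP_CHROOT/.ssh/authorized_keys" >&2
        fi
    fi
fi
```

Run it after the chown/chmod and key steps and again after any change to /home or its parents; each FAIL line names the directory and the attribute sshd would reject, which is the same information the auth log gives as "bad ownership or modes for chroot directory component".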