How to configure SFTP Server in Debian

Tutorial on how to configure SFTP Server in Debian 10

Verify that openssh-server is installed

$ sudo apt list openssh-server -a
Listing... Done
openssh-server/stable,now 1:7.9p1-10+deb10u2 amd64 [installed,automatic]
openssh-server/stable 1:7.9p1-10+deb10u1 amd64

Change the following in /etc/ssh/sshd_config

  • Comment out the existing Subsystem sftp line that points to /usr/lib/openssh/sftp-server
  • Add Subsystem sftp internal-sftp, a configuration keyword that tells sshd to use the SFTP server code built into sshd instead of running a separate process (typically sftp-server).
  • Match group sftp_users – Users who are members of sftp_users can only have SFTP access, NOT SSH (enforced by the ForceCommand internal-sftp line in the block)
  • ChrootDirectory /SFTP – Specifies the root directory for SFTP sessions

$ sudo nano /etc/ssh/sshd_config

#Subsystem      sftp    /usr/lib/openssh/sftp-server
Subsystem       sftp    internal-sftp

# Example of overriding settings on a per-user basis
Match group sftp_users
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory /SFTP
        ForceCommand internal-sftp

Restart SSH Service

$ sudo systemctl restart sshd

Create Users & Group for SFTP

Create a new group called sftp_users and a new user called uat

$ sudo groupadd sftp_users
$ sudo adduser uat

Add the user to the sftp_users group (-a appends, so any existing supplementary groups are kept)

$ sudo usermod -aG sftp_users uat

Create the /SFTP folder and a subfolder /SFTP/uat for the user to upload to via SFTP

$ sudo mkdir /SFTP
$ sudo mkdir /SFTP/uat

$ sudo chown uat:sftp_users /SFTP/uat
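
sshd only accepts a ChrootDirectory when every component of its path (here / and /SFTP) is a root-owned directory that is not writable by group or others; otherwise it refuses the session. The script below is an added example, not part of the original tutorial, that checks this for a path such as /SFTP; the function names, the script name and the optional owner-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the ChrootDirectory from this tutorial.
# sshd refuses to chroot a session unless every component of the path is a
# directory owned by root and not writable by group or others.

# Check one directory. $1 = path, $2 = required owner uid (default 0 = root;
# the parameter exists only so the check can be exercised without root).
check_component() {
    ck_dir=$1
    ck_uid=${2:-0}
    if [ ! -d "$ck_dir" ]; then
        echo "FAIL $ck_dir: not a directory"; return 1
    fi
    # GNU stat as shipped on Debian: %u = owner uid, %a = octal mode.
    ck_owner=$(stat -L -c '%u' "$ck_dir") || return 1
    ck_mode=$(stat -L -c '%a' "$ck_dir") || return 1
    if [ "$ck_owner" != "$ck_uid" ]; then
        echo "FAIL $ck_dir: owner uid $ck_owner, expected $ck_uid"; return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes the mode octal.
    if [ $(( 0$ck_mode & 022 )) -ne 0 ]; then
        echo "FAIL $ck_dir: mode $ck_mode is writable by group or others"; return 1
    fi
    echo "OK   $ck_dir (uid $ck_owner, mode $ck_mode)"
}

# Walk from the chroot directory up to /, checking every component.
# Returns 0 if all pass, 1 if any fails, 2 for a non-absolute path.
check_chroot_path() {
    cp_dir=$1
    cp_uid=${2:-0}
    cp_rc=0
    case $cp_dir in
        /*) ;;
        *) echo "FAIL $cp_dir: not an absolute path"; return 2 ;;
    esac
    while :; do
        check_component "$cp_dir" "$cp_uid" || cp_rc=1
        [ "$cp_dir" = "/" ] && break
        cp_dir=$(dirname "$cp_dir")
    done
    return "$cp_rc"
}

# Run as: sh check_chroot.sh /SFTP   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

/SFTP/uat is deliberately not passed to the check: it sits inside the chroot and is owned by uat so that the user has somewhere to upload.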

Verify SSH & SFTP Access

Verify that the user cannot log in via SSH

$ ssh [email protected]
[email protected]'s password:
X11 forwarding request failed on channel 0
This service allows sftp connections only.
Connection to closed.

Verify that the user can log in via SFTP

$ sftp [email protected]
Warning: Permanently added '' (RSA) to the list of known hosts.
[email protected]'s password:
Connected to

Login using WinSCP successfully

WinSCP with Public Keys for Authentication

Log in as the SFTP user, create ~/.ssh/authorized_keys and copy the content of the public key into authorized_keys

$ su - uat
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ nano ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Configure WinSCP to log in to SFTP with the public key

