How to Setup OpenSSH sftp Server on Ubuntu

Written by: Linuxopsys   |   Last updated: February 28, 2023

If you need to securely transfer files between computers, SFTP is an excellent choice. SFTP is safer and often preferred over SCP (secure copy) because SCP is deprecated and has multiple security risks and issues with no simple solutions.

This tutorial will walk you through the steps of installing an OpenSSH SFTP server on a Ubuntu machine.


SFTP stands for SSH File Transfer Protocol. It is an SSH-based protocol used to securely transfer files between computers. SFTP operates on a single port, 22, which also serves as the default port for SSH.

SFTP is not the same as File Transfer Protocol over SSH or FTPS (File Transfer Protocol over SSL), but rather a different protocol that uses SSH for encryption, authentication and performs the same functions as FTP but with greater compatibility and flexibility.

To know if the SFTP server is running on your Ubuntu machine, use the following command:

sudo service ssh status

Note: If you are still using SCP protocol, would recommend switching to SFTP protocol. This is because SCP is less secure than SFTP. The future release of many Linux distributions would eliminate decades-old SCP protocol.


Before you start setting up the SFTP server on your Ubuntu instance, make sure you have the following prerequisites:

  • A running Ubuntu instance to set up as an SFTP server
  • A client to connect to the SFTP server
  • A user account with root privileges or a non-root user account with sudo privileges

Setup SFTP Server on Ubuntu

With all the prerequisites met, let's now look at how we can actually to set up an SFTP server on an Ubuntu machine using the steps provided below.

Step 1. Install OpenSSH Server

The first step is to install the OpenSSH server on your Ubuntu machine. OpenSSH (also known as OpenBSD Secure Shell) is a free and open-source implementation of the SSH protocol. The SSH server will provide the encryption and authentication services required by SFTP.

If you do not have it installed, you can install it by running the following command:

sudo apt install openssh-server
install openssh server on sftp server

Step 2. Create Group and User for SFTP

The next step is to create an SFTP group to grant SFTP access to users and an SFTP user account which is a member of the sftp group with only file transfer access permissions. Use the following commands to do so:

sudo addgroup sftpaccess
sudo useradd -G sftpaccess -d /var/sftp/ -s /sbin/nologin datauser
create sftp user and group

In the preceding command, we used the useradd command to create the user datauser, assign the user to the sftpaccess group, and finally set the user home directory to /var/sftp/.

Once you are done configure the password for the user by running the following command:

sudo passwd datauser

Step 3. Create SFTP Directory

By default, SFTP's settings allows users to access directories and files outside of their home directory. Access control must be enforced to restrict access and prevent unauthorized usage, especially when multiple users have access to SFTP resources.

To restrict SFTP access to a single directory, it is necessary to ensure that the directory meet the SSH server's permissions requirements. Specifically, the directory and all of its parent directories in the filesystem hierarchy must be owned by root and must not be writable by other users.

Various methods can be used to circumvent this ownership restriction. As a solution, we will create a new directory, namely /var/sftp/uploads, as the designated upload directory. The parent directory of the uploads directory (/var/sftp) will be owned by root and will not be writable by other users, whereas the subdirectory uploads/ will be owned by the user " datauser" giving the user access to the directory to upload files.

First, make a directory in which files can be uploaded and downloaded.

sudo mkdir -p /var/sftp/uploads
create sftp directory to upload content

For sftp servers, you may require some directories as incoming (users can write content to it) and outgoing directories. Create the incoming directory in /var/sftp/uploads/incoming:

sudo mkdir /var/sftp/uploads/incoming
sftp write access directory

Set the owner of /var/sftp directory to root and give set its permissions to 755, so that the root has full access and other users can only read and execute.

sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp
give appropriate permission to sftp root directory

Next, we need to give users in the sftpaccess group access to the /var/sftp/uploads and its sub-directories:

sudo chown root:sftpaccess -R /var/sftp/uploads
set ownership for sftp content directory

We must still enable our SFTP users to write to the incoming directory.

sudo chown <username>:sftpaccess -R //var/sftp/uploads/incoming
set ownership for sftp directory to write contents

We need to configure sftp now that we've finished setting up sftp server directories.

Step 4. Configure SFTP

In this section, we'll change the SSH server configuration to enable the SFTP server on OpenSSH - allow sftp group access, as well as limit sftp access to files outside of /var/sftp/ by configuring chroot jail.

To do so open the SSH configuration file (/etc/ssh/sshd_config) using any text editor of your choice. In this example I will use nano as it is simple and straightforward to use:

sudo nano /etc/ssh/sshd_config

In the SSH server configuration file, scroll to the end of the file and add the following lines:

Match Group sftpaccess
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
sftp config file

Once you are done, save and exit the file. If you are using nano editor use CTRL + O to save and CTRL + X to exit.

Here’s an explanation of what each of those entries do:

  • Match Group sftpaccess - specifies that the following settings will only apply to the users in the sftpacess group.
  • ForceCommand internal-sftp - forces the SSH server to use the SFTP (Secure File Transfer Protocol) subsystem only when the user "datauser" logs in, disallowing shell access.
  • PasswordAuthentication yes - allows password-based authentication for the user "datauser".
  • ChrootDirectory /var/sftp - restricts the user "datauser" to the /var/sftp directory and its subdirectories, preventing them from accessing other directories in the file system.
  • PermitTunnel no - prohibits tunneling (i.e., creating a secure network connection through an SSH connection) for the user "datauser".
  • AllowAgentForwarding no - disables agent forwarding, which allows users to use their ssh keys to log into servers without having to type in their password .
  • AllowTcpForwarding no - disables port forwarding, which enables users to forward network connections over SSH.
  • X11Forwarding no - disables X11 forwarding, which allows for remote graphical connections over SSH.

Step 5. Restart ssh service

Restart the SSH service to apply the changes in the ssh configuration file (/etc/ssh/sshd_config) by running the following command:

sudo systemctl restart sshd
restart ssh service

Step 6. Connect sftp server from Ubuntu

Once you are done configuring the ssh configuration file, you can now connect to the SFTP server from your Ubuntu client the same way you connect to ssh but using the sftp client using password authentication or using your preferred SFTP client. 

Here is an example of using an sftp client that comes pre-installed in most linux distros

sftp datauser@sftpserver01-ip
from command line client connect to sftp server

When you log in to the sftp server, you will be presented with a prompt that allows you to run various commands for uploading files, downloading files, listing files, and so on. Here's an example of a file listing in the current working directory of the sftp server:

list contents in sftp directory

Simply run the help command to see what commands are available for use with the sftp shell:

sftp client commands

Another excellent option for connecting to sftp is to use a GUI SFTP client tool such as WinSCP.

sftp client GUI


This tutorial demonstrated how to set up a sftp server on Ubuntu and provided an example of how to connect to the sftp server once it has been configured using a sftp client.



Please add comments below to provide the author your ideas, appreciation and feedback.

Leave a Reply

Leave a Comment