Help Center/ Huawei Cloud EulerOS/ Best Practices/ Deploying the SFTP Service
Updated on 2025-07-18 GMT+08:00
View PDF
Share

Deploying the SFTP Service

Introduction

Secure File Transfer Protocol (SFTP) is a file transfer protocol that leverages a set of utilities that provide secure access to a remote computer to deliver secure communications. It is considered by many to be the optimal method for secure file transfer. It leverages SSH and provides security and identity authentication functions of SSH. This section describes how to deploy the SFTP service in HCE 2.0.

Preparations

  • Prepare an ECS and assign a public IP address or EIP to the ECS.
  • Ensure that inbound security group rules allow traffic to flow to the ECS over port 22.

Procedure

  1. Configure the SFTP service.

    1. Run the following command to create a user group named sftp: 
      groupadd sftp
    2. Run the following command to create a user for accessing the SFTP service: 
      useradd -g sftp -s /bin/false usftp
    3. Run the following command to set a password for the new user: 
      passwd usftp
    4. Run the following command to create a home directory for the sftp user group: 
      mkdir -p /data/sftp/usftp
    5. Run the following command to change the login directory of the usftp user: 
      usermod -d /data/sftp/usftp usftp
    6. Open the /etc/ssh/sshd_config file and set the following parameters: 
      # Configure Subsystem as follows:
Subsystem sftp internal-sftp

# Append the following content to the end of the file:
Match user usftp # Match the usftp user.
AllowTcpForwarding no # TCP forwarding is not allowed.
X11Forwarding no # X11 forwarding is not allowed.
# Use chroot to specify /data/sftp/%u as the root directory of the user. %u indicates the user name.
ChrootDirectory /data/sftp/usftp
ForceCommand internal-sftp # Forcibly execute internal-sftp.

      Restart the sshd service.

      systemctl restart sshd
    7. Run the following command to create a test file: 
      touch /data/sftp/usftp/test.txt
    8. Run the following commands to set the directory permission: 
      chown -R root:sftp /data/sftp/usftp
chmod 755 /data/sftp/usftp

  2. Verify the SFTP service.

    1. On the other host, run the following command to connect to the SFTP service: 
      sftp usftp@<Public IP address of the SFTP service>
    2. Enter the password and run ls to check the test file. 
      sftp> ls
test.txt