2.3. Linux Installation¶

2.3.3.1. Unpacking the archive¶

After downloading the compressed archive, you can extract its files using the following command:

tar xfz sftpplus-os-arch-version.tar.gz

To install SFTPPlus, move (or copy/link) the unpacked directory to your preferred installation path, for example: /opt/sftpplus.

mv sftpplus-os-arch-version /opt/sftpplus

SFTPPlus may be installed in any location on the local file system. In this documentation page we assume that SFTPPlus is unpacked in the /opt/sftpplus directory. Do not use spaces or special characters in the SFTPPlus installation path.

2.3.3.2. Automated installation from unpacked archive¶

To facilitate installing SFTPPlus, after unpacking it you can use the shell script found at bin/install.sh in the hierarchy of SFTPPlus files. For example, as root or using sudo:

/opt/sftpplus/bin/install.sh

The install.sh script will guide you through all the necessary steps.

A successful installation also configures SFTPPlus to run at boot. Use the usual systemd commands to manage its service. For example:

systemctl status sftpplus-mft

See the section on starting and stopping SFTPPlus at the end of this page for more details on systemd integration. Otherwise, only go further down this page for manual installation.

If your Linux distribution doesn't use systemd, check the advanced Linux installation page.

2.3.3.3. Manual installation from unpacked archive¶

To install SFTPPlus manually, you have to perform step-by-step all the operations automatically done through the shell script installers, starting with initializing the configuration.

When installing SFTPPlus on a machine for the first time, you need to generate the initial configuration file and machine-specific SSH keys. A self-signed SSL certificate will also be generated to help with the initial FTPS and HTTPS testing.

To initialize a fresh SFTPPlus installation, execute the following command (where ADMIN should be replaced with your favourite administrative username and PASS with a password to be used for the SFTPPlus administrative user):

cd /opt/sftpplus
./bin/admin-commands.sh initialize --init-admin ADMIN --init-password PASS

Default configuration allows external connections to the management web page. Therefore, use a secure password to protect the management web page.

./bin/admin-commands.sh initialize \
    --local-admin-access \
    --init-admin ADMIN \
    --init-password PASS

The initialization step is not required when upgrading SFTPPlus. It will not overwrite the configuration file, SSH keys, and SSL keys and certificates, if existing. In the case that you want to generate a new configuration, manually remove the existing files first.

After initializing the configuration, you need to configure the operating system user and group to be used by SFTPPlus. For improved security, SFTPPlus is started by default under a regular account. This requires a dedicated operating system account to be created.

In the following examples, we use the default configuration value of sftpplus for the name of the user to run SFTPPlus.

To create an sftpplus group and user:

groupadd sftpplus
useradd -g sftpplus -c "SFTPPlus" -s /bin/sh -d /opt/sftpplus -M sftpplus

You need to adjust the ownership of the files to match the newly created OS user:

cd /opt && chown -R root:root sftpplus
cd /opt/sftpplus && chown -R sftpplus:sftpplus configuration log run

After configuring the system user and group for SFTPPlus, you need to configure the integration with the init system configuration. On Linux, SFTPPlus' process is managed by the init system bundled with the distribution: systemd, OpenRC, SysV init, etc. This page is dedicated to systemd-based distributions such as Red Hat Enterprise Linux, Ubuntu Server, and Amazon Linux. Instructions for distributions not using systemd are available in our advanced Linux installation page.

To configure your operating system to automatically start SFTPPlus on boot, you can use the systemd unit file provided with SFTPPlus. Customize the WorkingDirectory, ExecStart, and PIDFile paths in accordance to your SFTPPlus installation. By default, the sftpplus user is set for User and Group in the systemd unit file, as SFTPPlus runs under a non-root account at all times. This user must be created as detailed in the previous section. You can also replace it with another username, as long as it's created appropriately.

Edit this file with your favourite editor, e.g. vi:

cd /opt/sftpplus
vi bin/sftpplus-mft.service

When done, copy it to your systemd's system sub-directory:

cd /opt/sftpplus
cp bin/sftpplus-mft.service /etc/systemd/system/

After configuring the systemd integration, enable launching SFTPPlus on boot:

systemctl enable sftpplus-mft

Listening on privileged ports also requires a bit of manual configuration. By default, only the OS root account is allowed to bind ports below 1024. One generic solution is to set up SFTPPlus to listen on a port above 1024, then set up port-forwarding in your firewall configuration.

Another method is to grant permissions to listen on privileged ports using the Linux capabilities system. The relevant capability in this case is cap_net_bind_service, which controls port-listening permissions. Linux capabilities are associated to a process. A dedicated command-line tool named setcap is required to configure capabilities for the associated binary.

To allow SFTPPlus to listen on ports below 1024, the configuring command should look similar to the following example (adjust installation path if needed):

$ sudo setcap 'cap_net_bind_service=+ep' /opt/sftpplus/bin/python

You can then start SFTPPlus as a non-root user and it will still be capable to listen on ports below 1024. For more details, see man 7 capabilities on your Linux distribution.