Allow SFTP but not SSH to a user in Linux



There are many reasons why you might want this kind of setup, but mostly it is because you don't want the user poking around inside your server: the user only needs to access (download, upload) files on your server, and should never get an interactive shell.

Of course, some of you will ask "Why not set up an FTP server instead?". The answer is simple: FTP sends credentials and file data in cleartext, and in my own opinion it is largely obsolete. SFTP runs over SSH, so you get encryption and the existing SSH authentication for free.

Let’s get started.

1) Install OpenSSH Server.

Let’s install OpenSSH Server first.

CentOS / RHEL Distro

sudo yum install openssh-server

Ubuntu / Debian

sudo apt-get install openssh-server

2) Create User, Group and User Directory

In this example we are going to use sftpuser as the user, sftp-only as the group and /var/www as the base directory (the user's chroot will end up at /var/www/sftpuser).

Creating Group

sudo groupadd sftp-only

Now run the next command to get the group ID for later.

getent group sftp-only

The output should look like this.

sftp-only:x:500:

Where 500 is our group ID (yours will differ). Take note of that ID because we are going to use it later.

Now let's create an empty skeleton directory which we will use during the creation of our user, so that no .bashrc, .profile etc. is copied into the home directory by default (there is no shell to use them anyway).

sudo mkdir /etc/skel2

Let's create our user.

sudo useradd --base-dir /var/www --gid 500 --skel /etc/skel2 --create-home --shell /sbin/nologin sftpuser

(note that we use the group ID from the previous step as the value of the --gid parameter; useradd also accepts the group name, so --gid sftp-only works too)

On Debian / Ubuntu the nologin binary lives at /usr/sbin/nologin rather than /sbin/nologin; check with `which nologin` and use that path for --shell. The shell is set to nologin as a second line of defence: even if the sshd configuration below is ever removed, the account still cannot get an interactive shell.

Set the user's password:

sudo passwd sftpuser

Then enter the desired password.

Now let's create the directories.

sudo mkdir -p /var/www/sftpuser/home/sftpuser

sudo chown root:sftp-only /var/www/sftpuser
sudo chmod 750 /var/www/sftpuser

sudo chown root:root /var/www/sftpuser/home
sudo chmod 755 /var/www/sftpuser/home

sudo chown sftpuser:sftp-only /var/www/sftpuser/home/sftpuser
sudo chmod 770 /var/www/sftpuser/home/sftpuser

Note that the chroot directory (/var/www/sftpuser) must be owned by user root, with the group set to your sftp group, sftp-only. sshd refuses to chroot into a directory that is owned by anyone other than root or that is writable by group or others, and it applies the same rule to every parent directory up to / (so /var and /var/www must be root-owned and not group/world writable as well). 750 satisfies this; 755 would too, but 770 or 775 will not work. The user therefore gets a writable directory only underneath the chroot (home/sftpuser), never the chroot root itself.

3) Configure your sshd_config

Now, edit our sshd_config which is located at /etc/ssh/sshd_config using your favorite editor. (In this example, I will be using vi, but you can use any text editor you want.)

sudo vi /etc/ssh/sshd_config

Since we are going to use the built-in SFTP subsystem (internal-sftp, which runs inside sshd and does not need any binaries inside the chroot), we have to comment out the existing Subsystem line. Only one Subsystem sftp line may be active, and the path differs per distro; on CentOS / RHEL it looks like this:

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

After that add the following lines at the bottom of sshd_config. The Match block must come last: every directive after a Match line applies only to that match, so anything placed below it would silently stop applying to other users.

Subsystem sftp internal-sftp
Match Group sftp-only
    ChrootDirectory /var/www/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

ForceCommand internal-sftp is what blocks SSH: whatever command the client asks for (a shell, scp, rsync, a port forward), members of sftp-only get the SFTP server instead. %u expands to the username, which is why the chroot directory had to be named after the user.

4) Restart SSHD

Now that all is ready, validate the configuration and restart sshd. Keep your current SSH session open until you have confirmed that a new login still works, so a mistake in sshd_config cannot lock you out.

sudo sshd -t
sudo service sshd restart

sshd -t prints nothing when the file is valid and the offending line when it is not. On Debian / Ubuntu the service is called ssh, not sshd (sudo service ssh restart); on systemd-based systems you can also use sudo systemctl restart sshd.
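Before restarting, it is worth checking that the directory tree from step 2 actually meets sshd's chroot rules, because a bad mode anywhere in the path only shows up as a failed login later. The script below is an added example for this tutorial, not something from the original post or from OpenSSH itself; it re-implements the same check sshd performs (root-owned, no group/other write bit, for the chroot directory and every ancestor) so that you can run it on /var/www/sftpuser ahead of time. It assumes a Linux host with GNU coreutils (stat -c); the function names check_chroot_component and check_chroot_path are my own.

```sh
#!/bin/sh
# Added example (not part of the original tutorial): pre-flight check for
# an sshd ChrootDirectory. sshd only accepts the chroot when the target
# directory and EVERY ancestor up to / is owned by root and has no write
# bit for group or others. Assumes GNU stat (-c) as found on Linux.

# check_chroot_component DIR [OWNER_UID]
# Returns 0 if DIR is a directory owned by OWNER_UID (default 0 = root)
# with no group/other write bit; prints the reason and returns 1 otherwise.
# OWNER_UID is a parameter only so the check can be exercised as a
# non-root user; sshd itself always requires root.
check_chroot_component() {
    d=$1
    want_uid=${2:-0}
    if [ ! -d "$d" ]; then
        echo "NOT A DIRECTORY: $d" >&2
        return 1
    fi
    uid=$(stat -c '%u' "$d") || return 1
    perm=$(stat -c '%A' "$d") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "BAD OWNER: $d is owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # %A looks like drwxr-x---: character 6 is the group write bit,
    # character 9 the other write bit. Either one set is fatal for sshd.
    case $perm in
        ?????w*|????????w*)
            echo "BAD MODE: $d is $perm; group and others must not have write" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR
# Walks from DIR up to / and applies check_chroot_component (as root owner)
# to each level, reporting every problem rather than stopping at the first.
check_chroot_path() {
    p=${1%/}
    [ -n "$p" ] || p=/
    rc=0
    while :; do
        check_chroot_component "$p" 0 || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    [ "$rc" -eq 0 ] && echo "OK: $1 is usable as ChrootDirectory"
    return "$rc"
}

# Usage: sh check_chroot.sh /var/www/sftpuser
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as `sh check_chroot.sh /var/www/sftpuser` after step 2; a BAD MODE line for /var/www, for example, means the web root was made group-writable at some point and sshd will refuse the chroot with "bad ownership or modes for chroot directory component" in the auth log.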

Debugging

If you have problems restarting sshd, first run sudo sshd -t and fix whatever line it complains about. If sshd starts but the user cannot log in, look at the SSH log (/var/log/secure on CentOS / RHEL, /var/log/auth.log on Debian / Ubuntu): a line containing "bad ownership or modes for chroot directory component" means one of the directories from step 2 has the wrong owner or is group/world writable.

As a last resort, open sshd_config again and comment out this line.

#UsePAM yes

Then restart again. Be aware that this disables PAM account and session processing for all SSH logins, not just the SFTP user, so it is a workaround to narrow down the problem rather than a fix to keep.

If you are still experiencing problems, please comment below and let’s debug it together. 🙂

