How to set-up SFTP without SSH access for a user
Most of the time, System Administrators don’t want to allow users to access the SFTP server through SSH (Secure Shell) protocol to increase security. Therefore, such an issue can be fixed by using SFTP Chroot Jail as an alternative.
SFTP (SSH File Transfer Protocol) is enabled by default and we don’t need any additional configuration to activate it. If you create an account and enable SSH access for the user, they will have SFTP access to the server as well.
We can follow these steps to limit the Access of the SFTP users by disabling SSH access as well as restricting the access to a single directory for the user:
Step 1: Create a New SFTP Group
Create a new group for SFTP users. This will help you to restrict the SFTP chroot environment for the users who belong to this group.
# sudo groupadd sftp-group
Step 2: Create a New User
You can either create a new user or use an existing user. Once the user is created, add them to the group that was created in Step 1. Also, set up a password for the newly created user.
# useradd -g sftp-group new-user # passwd new-user verify # groups new-user
Step 3: Create a New Directory for SFTP users
You can set-up a new directory so that you can restrict SFTP access for all the users to a single directory. However, if you want to use an existing directory, you can skip this step.
# mkdir /sftp
Once the new directory is setup, you can create separate directories for each SFTP user within the /sftp directory:
# mkdir /sftp/new-user-dir
So, in the above command, we setup a new directory for a new-user which is named as new-user-dir.
Step 4: Setup Appropriate Directory Permissions and Ownership
The permissions for the directory are very important otherwise the users will not have proper access to their personal SFTP directory.
Firstly, change the group ownership of the /sftp directory to the sftp-group and set the permissions for the group to read and execute.
# sudo chown root:sftp-group /sftp # sudo chmod 755 /sftp # ls -l | grep sftp
Secondly, each user should have full permissions to their own directory. So, you can change the ownership and set the permissions of each user directory as follows:
# sudo chown new-user:sftp-group /sftp/new-user-dir # sudo chmod 711 /sftp/new-user-dir
Changing the permission of the directory to 711 helps the new-user to have read & write access to new-user-dir. However, no one else in the sftp-group will have access to that directory.
Similarly, you can create individual directories for each SFTP user.
Step 5: Restrict SFTP Access to Single Directory
This is the most important step. If you already have existing users and groups that are already setup for SFTP access, you don’t need to follow the above-mentioned steps. You can directly implement Step 5.
In this step, we will disable SSH access for the users as well as restrict their access to /sftp directory. This will ensure that the users are not allowed to go beyond /sftp directory.
Open the sshd_config file by running this command:
# sudo nano /etc/ssh/sshd_config
Add the following commands at the end of the sshd_config file:
Match Group sftp-group ChrootDirectory /sftp ForceCommand internal-sftp
- Match Group: This command helps the SSH server to identify a particular group.
- ForceCommand internal-sftp: It forces the SSH server to run SFTP server upon login. Therefore, the user cannot SSH into the server.
- ChrootDirectory /sftp: It ensures that the users will not be able to access anything beyond this directory. Therefore, users are restricted to one directory.
Save the sshd_config file and restart the sshd service:
sudo systemctl restart sshd
Verify the Setup
Now it time to test you setup. You can try to SSH into the server using the newly created new-user:
# ssh new-user@localhost Error Message: This service allows sftp connections only. Connection to localhost closed.
Therefore, new-user is not allowed to SSH into the system.
Furthermore, you can verify the SFTP access for the new-user:
# sftp new-user@localhost SFTP prompt Connected to localhost. sftp>
You will notice that the users’ root directory is /sftp and they cannot go beyond that directory.
You have successfully restricted the user to SFTP access only. Moreover, user can access a single directory as mentioned in sshd_config file.
In order to demonstrate the Linux images, we have utilized a third-party website. You can use it to practice your Linux skills