Steps to configure SFTP on Linux server with access restricted to the specific directory only. Also, how to deny SSH login and only allow SFTP login to the user.
In this article, we will walk you through the procedure to configure SFTP on your server and restrict SFTP user access to a specific directory.
The whole process is listed below stepwise. If you have SFTP configured already or users created already you can skip those steps.
- Add SFTP user to the system
- Prepare SFTP directory
- Configure SFTP on SSH service layer
- Allow user for SFTP only and deny SSH access
- Verify access
In below example, we will create user sftp_user1
, allow his SFTP access, deny him ssh access and restrict his SFTP access to the directory /sftp_uploads/user1
Add SFTP user to the system
It’s a simple useradd stuff. For easy management of SFTP users, add the SFTP group as well on your system.
[root@kerneltalks ~]# groupadd sftp_group
[root@kerneltalks ~]# useradd -g sftp_group -s /sbin/nologin sftp_user1
[root@kerneltalks ~]# passwd sftp_user1
Prepare SFTP directory
Keep in mind that you should have a base directory that will be owned by root i.e. ChrootDirectory
. And then under it, you can create your restricted directory where SFTP user is to be restricted. So once SFTP user is logged in he is jailed into ChrootDirectory
and he can not move beyond it.
Set ownership and permissions for the SFTP directory. I kept them exclusively for owner i.e. sftp_user1
only.
[root@kerneltalks ~]# mkdir -p /sftp_uploads/user1
[root@kerneltalks ~]# chown root:root /sftp_uploads
[root@kerneltalks ~]# chown sftp_user1:sftp_group /sftp_uploads/user1
[root@kerneltalks ~]# chmod 700 /sftp_uploads/user1
Configure SFTP in SSH service
SFTP is a sub-service offered by SSH daemon. To enable it, add below lines in SSH configuration file /etc/ssh/sshd_config
If your SSH config file already has /usr/libexec/openssh/sftp-server
enabled as SFTP subsystem then hash it out.
Subsystem sftp internal-sftp
Match Group sftp_group #OR Match User sftp_user1
ChrootDirectory /sftp_uploads
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Here line-wise –
- Tells SSH daemon to run the internal sftp subsystem.
- Match users with the primary group
sftp_group
or match only specified user i.e.sftp_user1
- When they try to login restrict their working directory under the base
/sftp_upload
- Only allow them to use sftp service and deny ssh login
- Disable all X11 forward for those users so they cant access GUI apps
- Disable TCP forwarding as well for them
Restart SSH daemon to pick up these new configurations. You can restart with HUP
if you don’t want the existing SSH connection to be impacted.
[root@kerneltalks ~]# systemctl restart sshd
[root@kerneltalks ~]# kill -HUP <PID of sshd process>
Verify access
Now there are 3 things we need to verify here –
sftp_user1
should able to connect using the sftp protocolsftp_user1
should not be allowed to log in using SSH- When logged in using sftp,
sftp_user1
should be restricted to/sftp_uploads/user1
directory only.
Let’s test all three points –
[root@kerneltalks ~]# sftp sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Connected to 192.168.0.106.
sftp>
So the first point is validated.
[root@kerneltalks ~]# ssh sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Could not chdir to home directory /home/sftp_user1: No such file or directory
This service allows sftp connections only.
Connection to 192.168.0.106 closed.
There! The second point validated.
[root@kerneltalks ~]# sftp sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Connected to 192.168.0.106.
sftp> ls
user1
sftp> pwd
Remote working directory: /user1
And the third point as well. You can see the SFTP user’s working directory is restricted to /usr1
which is /sftp_uploads/user1
on the SFTP server. Since we jailed him using ChrootDirectoy /sftp_uploads, he is inside it and can not see beyond. Hence /user1
is PWD for SFTP users.
Share Your Comments & Feedback: