Steps to configure SFTP on Linux server with access restricted to the specific directory only. Also, how to deny SSH login and only allow SFTP login to the user.
In this article, we will walk you through the procedure to configure SFTP on your server and restrict SFTP user access to a specific directory.
The whole process is listed below stepwise. If you have SFTP configured already or users created already you can skip those steps.
- Add SFTP user to the system
- Prepare SFTP directory
- Configure SFTP on SSH service layer
- Allow user for SFTP only and deny SSH access
- Verify access
In below example, we will create user
sftp_user1, allow his SFTP access, deny him ssh access and restrict his SFTP access to the directory
Add SFTP user to the system
It’s a simple useradd stuff. For easy management of SFTP users, add the SFTP group as well on your system.
[root@kerneltalks ~]# groupadd sftp_group [root@kerneltalks ~]# useradd -g sftp_group -s /sbin/nologin sftp_user1 [root@kerneltalks ~]# passwd sftp_user1
Prepare SFTP directory
Keep in mind that you should have a base directory that will be owned by root i.e.
ChrootDirectory. And then under it, you can create your restricted directory where SFTP user is to be restricted. So once SFTP user is logged in he is jailed into
ChrootDirectory and he can not move beyond it.
Set ownership and permissions for the SFTP directory. I kept them exclusively for owner i.e.
[root@kerneltalks ~]# mkdir -p /sftp_uploads/user1 [root@kerneltalks ~]# chown root:root /sftp_uploads [root@kerneltalks ~]# chown sftp_user1:sftp_group /sftp_uploads/user1 [root@kerneltalks ~]# chmod 700 /sftp_uploads/user1
Configure SFTP in SSH service
SFTP is a sub-service offered by SSH daemon. To enable it, add below lines in SSH configuration file
If your SSH config file already has
/usr/libexec/openssh/sftp-server enabled as SFTP subsystem then hash it out.
Subsystem sftp internal-sftp Match Group sftp_group #OR Match User sftp_user1 ChrootDirectory /sftp_uploads ForceCommand internal-sftp X11Forwarding no AllowTcpForwarding no
Here line-wise –
- Tells SSH daemon to run the internal sftp subsystem.
- Match users with the primary group
sftp_groupor match only specified user i.e.
- When they try to login restrict their working directory under the base
- Only allow them to use sftp service and deny ssh login
- Disable all X11 forward for those users so they cant access GUI apps
- Disable TCP forwarding as well for them
Restart SSH daemon to pick up these new configurations. You can restart with
HUP if you don’t want the existing SSH connection to be impacted.
[root@kerneltalks ~]# systemctl restart sshd [root@kerneltalks ~]# kill -HUP <PID of sshd process>
Now there are 3 things we need to verify here –
sftp_user1should able to connect using the sftp protocol
sftp_user1should not be allowed to log in using SSH
- When logged in using sftp,
sftp_user1should be restricted to
Let’s test all three points –
[root@kerneltalks ~]# sftp email@example.com firstname.lastname@example.org's password: Connected to 192.168.0.106. sftp>
So the first point is validated.
[root@kerneltalks ~]# ssh email@example.com firstname.lastname@example.org's password: Could not chdir to home directory /home/sftp_user1: No such file or directory This service allows sftp connections only. Connection to 192.168.0.106 closed.
There! The second point validated.
[root@kerneltalks ~]# sftp email@example.com firstname.lastname@example.org's password: Connected to 192.168.0.106. sftp> ls user1 sftp> pwd Remote working directory: /user1
And the third point as well. You can see the SFTP user’s working directory is restricted to
/usr1 which is
/sftp_uploads/user1 on the SFTP server. Since we jailed him using ChrootDirectoy /sftp_uploads, he is inside it and can not see beyond. Hence
/user1 is PWD for SFTP users.