How to configure SFTP on a Linux server with each user's access restricted to a specific directory, and how to deny SSH shell login while still allowing SFTP login for that user.
In this article, we walk through configuring SFTP on your server and restricting an SFTP user to a single directory.
The whole process is listed stepwise below. If SFTP is already configured or the users already exist, skip those steps.
- Add SFTP user to the system
- Prepare SFTP directory
- Configure SFTP on SSH service layer
- Allow user for SFTP only and deny SSH access
- Verify access
In the example below, we create the user sftp_user1, allow SFTP access, deny SSH (shell) access, and restrict the SFTP session to the directory /sftp_uploads/user1.
Add SFTP user to the system
This is plain useradd work. For easier management of SFTP users, create a dedicated group as well; the sshd Match block later keys on it, so every future SFTP-only user just needs to be put in that group.
[root@kerneltalks ~]# groupadd sftp_group
[root@kerneltalks ~]# useradd -g sftp_group -s /sbin/nologin sftp_user1
[root@kerneltalks ~]# passwd sftp_user1
Prepare SFTP directory
Keep in mind that the base directory, the one named in ChrootDirectory, must be owned by root, and neither it nor any directory above it may be writable by group or others. sshd enforces this: if the ownership or permissions are wrong it refuses the login with "bad ownership or modes for chroot directory" in the server log, while the client only sees the connection close. Because root owns the base, the user cannot write there, so create a subdirectory under it that the user owns. Once logged in, the user is jailed inside the ChrootDirectory and cannot move beyond it. Note also that the user's home directory is resolved inside the jail after the chroot, so /home/sftp_user1 will not be found unless it exists under /sftp_uploads.
Set ownership and permissions on the directories. The base stays root-owned and 755; the upload directory is owned by sftp_user1 and, here, readable and writable by the owner only.
[root@kerneltalks ~]# mkdir -p /sftp_uploads/user1
[root@kerneltalks ~]# chown root:root /sftp_uploads
[root@kerneltalks ~]# chmod 755 /sftp_uploads
[root@kerneltalks ~]# chown sftp_user1:sftp_group /sftp_uploads/user1
[root@kerneltalks ~]# chmod 700 /sftp_uploads/user1
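The ownership and mode rule above is the most common reason a chroot SFTP setup fails, and the client-side symptom (connection closed right after authentication) gives no hint. The script below is an added example, not part of the original article: it walks every component of a candidate ChrootDirectory path, from / downward, and reports each one that sshd would reject. It assumes GNU coreutils stat (-c); the optional uid argument is only there so the check can be exercised as a non-root user in tests, sshd itself always requires uid 0.

```shell
#!/bin/sh
# Pre-flight check for an OpenSSH ChrootDirectory path (added example, not
# from the original article). sshd refuses a chrooted login with
# "bad ownership or modes for chroot directory" unless EVERY component of
# the path, from / down to the ChrootDirectory itself, is owned by root and
# is not writable by group or others. The client only sees the connection
# close, so it pays to check this before reloading sshd.
# Assumes GNU coreutils stat (-c); the uid argument exists only so the
# check can be exercised as a non-root user.

# chroot_component_ok DIR [UID]
# Returns 0 if DIR is a directory owned by UID (default 0 = root) with no
# group/other write bits; otherwise prints the reason to stderr and returns 1.
chroot_component_ok() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # %u = numeric owner uid, %a = permission bits in octal (e.g. 755, 1777)
    set -- $(stat -c '%u %a' "$dir")
    uid=$1
    mode=$2
    rc=0
    if [ "$uid" -ne "$want_uid" ]; then
        echo "$dir: owned by uid $uid, sshd requires uid $want_uid" >&2
        rc=1
    fi
    # 022 (octal) = group-write | other-write; the leading 0 makes the
    # shell read $mode as octal as well
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable" >&2
        rc=1
    fi
    return $rc
}

# check_chroot_path PATH [UID]
# Checks / and every component of PATH, reporting each one that would make
# sshd reject the chroot. Returns 0 only if all components pass.
check_chroot_path() {
    target=$1
    want_uid=${2:-0}
    rc=0
    cur=""
    chroot_component_ok / "$want_uid" || rc=1
    old_ifs=$IFS
    IFS=/
    set -- $target
    IFS=$old_ifs
    for part; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        chroot_component_ok "$cur" "$want_uid" || rc=1
    done
    return $rc
}

# Usage: sh check_chroot.sh /sftp_uploads   (the article's ChrootDirectory)
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: OK as ChrootDirectory"
fi
```

Run it as root against the ChrootDirectory value, not against the user's upload directory: /sftp_uploads/user1 is allowed to be owned by sftp_user1, only the jail root and its parents are held to the root-owned, non-writable rule.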
Configure SFTP in SSH service
SFTP is a subsystem of the SSH daemon. To enable it, add the lines below to the SSH configuration file /etc/ssh/sshd_config.
If the file already has a Subsystem line pointing at /usr/libexec/openssh/sftp-server, comment that line out; only one sftp Subsystem may be defined. Put the Match block at the end of the file: every directive after a Match line belongs to that block until the next Match, so global settings placed below it would silently become conditional.
Subsystem sftp internal-sftp
# Match on group membership; alternatively: Match User sftp_user1
Match Group sftp_group
    ChrootDirectory /sftp_uploads
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
Here line-wise –
- Subsystem sftp internal-sftp: run the SFTP server inside sshd itself instead of executing the external sftp-server binary. This is what makes the chroot practical: there is no binary, library or /dev node that has to be copied into the jail.
- Match Group sftp_group: the directives that follow apply only to users whose group membership (primary or supplementary) includes sftp_group. Match User sftp_user1 would instead apply them to that single user.
- ChrootDirectory /sftp_uploads: jail the session inside this directory; every path the client sees is relative to it.
- ForceCommand internal-sftp: whatever command the client requests, including an interactive shell, run the SFTP server instead. This is what turns an ssh login into an SFTP session and guarantees a shell is never started.
- X11Forwarding no: disable X11 forwarding for these users, so they cannot tunnel GUI applications.
- AllowTcpForwarding no: disable TCP port forwarding as well, so the account cannot be used as a pivot into the network behind the server.
If you want to close the remaining channels too, AllowAgentForwarding no and PermitTunnel no are accepted inside a Match block as well.
Restart the SSH daemon to pick up the new configuration. Before you do, run sshd -t: it parses the file and reports errors, including a malformed Match block, which would otherwise leave you with a daemon that fails to start. A reload (systemctl reload sshd, or SIGHUP to the master sshd process) re-reads the configuration without dropping established sessions, so keep your current SSH session open until you have verified access.
[root@kerneltalks ~]# sshd -t
[root@kerneltalks ~]# systemctl restart sshd
[root@kerneltalks ~]# kill -HUP <PID of sshd process>
Verify access
Now there are three things to verify –
- sftp_user1 should be able to connect using the SFTP protocol
- sftp_user1 should not get a shell when logging in over SSH
- when logged in over SFTP, sftp_user1 should be confined to the /sftp_uploads/user1 directory
Let’s test all three points –
[root@kerneltalks ~]# sftp sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Connected to 192.168.0.106.
sftp>
So the first point is validated.
[root@kerneltalks ~]# ssh sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Could not chdir to home directory /home/sftp_user1: No such file or directory
This service allows sftp connections only.
Connection to 192.168.0.106 closed.
There! The second point validated.
[root@kerneltalks ~]# sftp sftp_user1@192.168.0.106
sftp_user1@192.168.0.106's password:
Connected to 192.168.0.106.
sftp> ls
user1
sftp> pwd
Remote working directory: /user1
And the third point as well. The SFTP user’s working directory shows as /user1, which is /sftp_uploads/user1 on the server: because the session is jailed with ChrootDirectory /sftp_uploads, that directory becomes / for the user and nothing above it is visible. The "Could not chdir to home directory /home/sftp_user1" warning in the SSH test comes from the same jail: sshd looks up the home directory after the chroot, and /home/sftp_user1 does not exist under /sftp_uploads. The warning is harmless, the user is still confined, but if you want logins to land directly in the upload directory, set the user’s home directory to /user1 (usermod -d /user1 sftp_user1), which resolves to /sftp_uploads/user1 inside the jail.
