sFTP or Secure File Transfer Protocol is a secure file transfer protocol that runs on top of SSH. It is used to access, manage, and transfer files over an encrypted SSH transport session. If you want to provide file access via FTP, you should make sure to use sFTP instead for better security. You’ll also need to create a user account to access and manage the files on the sFTP host. While the sFTP protocol is secured, if the user account isn’t provisioned properly, it can leave your server open to vulnerabilities. Below are some steps that can help you protect your server so that sFTP users can’t access more than only their files. To create sFTP only user account in Linux, follow the steps below:
Create a user account
The goal of this tutorial is to create an sFTP account that will only be used to access files and nothing more. This will make sure your server isn’t vulnerable to other threats. Run the account below to create an sFTP-only account called sftpuser. You can name the user any name you want. For this tutorial, we’re going to be using sftpuser. When prompted, type a password and other account details. The above account will be created without shell access. This means the user will not be able to log on to the server like a normal user.
Create a home directory
Now that the account above is created, go and create an sFTP home directory for the account. You can do that by running the commands below. Now we’ll want to restrict the user to only accessing the /var/sftp/downloads folder. The user will be able to download and add to that location.
Configure SSH
Now that the user account is, go and configure the SSH server to provide restrictive access. If you don’t already have SSH Server installed, run the commands below to install it. By default, SSH main configuration file is at /etc/ssh/sshd_config Run the commands below to open the SSH configuration file. At the end of the SSH config file, copy and paste the lines below and save. Save the file and exit. Below are descriptions of the config options above:
Match User: Match the user sftpuser ForceCommand internal-sftp: enforce the SFTP only access with no shell. PasswordAuthentication yes: allows password authentication for the user. ChrootDirectory /var/sftp: restrict access to directories in /var/sftp. AllowAgentForwarding no: no ssh-agent forwarding is permitted. AllowTcpForwarding no no TCP forwarding is permitted. X11Forwarding no no graphical application is permitted.
Restart the SSH server to apply the changes. That should do it. The user should be able to connect to the server via sFTP and access the downloads folder only. Conclusion: This post showed you how to create and restrict an sFTP user account in Linux. If you find any error above, please use the comment form below to report. You may also like the post below: