SFTP (SSH File Transfer Protocol) is a secure file transfer protocol between two systems. It runs over SSH protocol and shares the same port 22. This tutorial will help you to create SFTP only access users (without ssh access) on CentOS 8 and RedHat 8 systems. The user can connect the server with SFTP only and allowed to access the specified directory. Users can’t SSH into the server. Follow the below tutorial to create sftp only account on CentOS 8 and RHEL 8.
Step 1 – Create Account
First of all, create a user account for the sftp access. For this tutorial, we are creating a user named sftpuser with no shell access. Also, set a strong password for the user.
sudo adduser --shell /bin/false sftpuser sudo passwd sftpuser
Changing password for user sftpuser. New password: Retype new password: passwd: all authentication tokens updated successfully.
Step 2 – Create Directory
Now, create the directory structure to be accessible by sftp user. we will restrict the new user to this directory only. So the user can’t access files to other directories.
sudo mkdir -p /var/sftp/files
Change the ownership of the directory to newly created sftp users. So that sftpuser can read and write on this directory.
sudo chown sftpuser:sftpuser /var/sftp/files
You must set the owner and group owner of the /var/sftp to root. The root user has read/write access on this access. Group members and other accounts have only read and execute permissions.
sudo chown root:root /var/sftp sudo chmod 755 /var/sftp
Step 3 – Configure SSH for SFTP
As we know the SFTP runs over the SSH protocol, So we need to configure this in the configuration file. Edit the SSH configuration file in a text editor.
sudo vim /etc/ssh/sshd_config
And add the following settings at end of the file.
Match User sftpuser ForceCommand internal-sftp PasswordAuthentication yes ChrootDirectory /var/sftp PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
Save the configuration and restart SSH service to apply changes.
sudo systemctl restart sshd.service
All done, Your system is ready to accept sftp only connection for the created account. Let’s test the sftp connection and also make sure that the user is not authorized to SSH.
Step 4 – Test SFTP Connection
I am using FileZilla for the connection to the SFTP instance from my Windows systems. Linux desktop users can also use Filezilla for connection.
For the Linux server, users can use sftp command-line utility to connect to remote sftp instance.
sftp [email protected]
Connecting to sftp.tecadmin.net... [email protected]'s password: sftp>
Connect with FileZilla:
This account is configured for SFTP only connection. So if any user tried to connect via SSH will be disconnected immediately after successful authentication. User will get below message:
ssh [email protected]
[email protected]'s password: This service allows sftp connections only. Connection to sftp.tecadmin.net closed.
The above message (This service allows sftp connections only.) shows that the user has sftp access only. Users can’t connect server over SSH.
2 Comments
Hi ,
In such a configuration, can we allow password less login for the users ? Which means by sharing ssh pub key ?
Thanks
Luke
Where would you store the public key for a user if you wanted to keys? That is where would the authorized_keys file be store?