
    How to Create SFTP Only User in Ubuntu & Debian

    By Rahul | May 31, 2021 | 3 Mins Read | Updated: July 7, 2021

    SFTP (SSH File Transfer Protocol) is a secure file transfer protocol used to access, manage, and transfer files over an encrypted SSH session. An SFTP-only user is an account that can access the server via SFTP only and has no SSH shell access. This gives you a secure channel for providing limited access to specific files and directories.

    This guide describes how to create SFTP-only users without shell access on Ubuntu and Debian systems.

    Step 1 – Creating a New User

    First of all, create a user account on your system to use as an SFTP user. The following command creates a new account named sftpuser with no shell access. You can change the username to one of your choice.

    sudo adduser --shell /bin/false sftpuser 
    

    The command will prompt for the password to set for the new account.

    Step 2 – Create Directory for SFTP

    Now, create the directory structure to be accessible by the SFTP user.

    sudo mkdir -p /var/sftp/files 
    

    Here we will allow users to access the “files” directory only.

    Now, change the ownership of the files directory to sftpuser so that the SFTP user can read and write in this directory only. No files outside of this directory will be accessible.

    sudo chown sftpuser:sftpuser /var/sftp/files 
    

    Then set the owner and group owner of /var/sftp to root. The root user has read/write access to this directory. Group members and other accounts have only read and execute permissions.

    sudo chown root:root /var/sftp 
    sudo chmod 755 /var/sftp 
    

    This restricts SFTP users from writing files directly under the /var/sftp directory.

    Step 3 – Configure sshd for SFTP Only

    /etc/ssh/sshd_config is the main configuration file of the OpenSSH server. Be careful when changing this configuration file, because any mistake can lead to a lost connection.

    Edit the SSH configuration file in a text editor:

    sudo vim /etc/ssh/sshd_config 
    

    and add the following settings at the end of the file.

    Match User sftpuser
    	ForceCommand internal-sftp
    	PasswordAuthentication yes
    	ChrootDirectory /var/sftp
    	PermitTunnel no
    	AllowAgentForwarding no
    	AllowTcpForwarding no
    	X11Forwarding no
    

    Save the file and close.

    The directives are:

    • Match User defines the username to which the SFTP-only configuration applies. In our case it is sftpuser.
    • ForceCommand internal-sftp enforces SFTP-only access for the user and denies shell access.
    • PasswordAuthentication yes allows password authentication for the user.
    • ChrootDirectory /var/sftp restricts the user to directories under this directory only. Here /var/sftp acts as the root directory of the user.
    • AllowAgentForwarding no specifies whether ssh-agent forwarding is permitted. The default is yes.
    • AllowTcpForwarding no specifies whether TCP forwarding is permitted. The default is yes.
    • X11Forwarding no specifies whether forwarding of graphical (X11) applications is permitted or not.

    Restart SSH service to apply new settings:

    sudo systemctl restart ssh 
    

    That’s it. You have successfully completed the instructions to create an SFTP only user on Debian-based systems.
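
    A check for the directory layout built in Step 2 and referenced by ChrootDirectory in Step 3, added here as an example and not part of the original article. sshd refuses the session unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others; the function names and the owner-uid parameter below are hypothetical helpers.

```shell
#!/bin/sh
# Added example (not from the original article). Helper names are hypothetical.

# Print each component of an absolute path, root first: / /var /var/sftp
path_components() {
    rest="${1#/}"; acc=""
    echo "/"
    while [ -n "$rest" ]; do
        part="${rest%%/*}"
        if [ -n "$part" ]; then acc="$acc/$part"; echo "$acc"; fi
        case "$rest" in */*) rest="${rest#*/}" ;; *) rest="" ;; esac
    done
}

# Check one directory: it must exist, be owned by the required uid, and not be
# writable by group or others. $2 is the required uid (default 0 = root);
# it is a parameter only so the check can be exercised without root.
check_component() {
    dir="$1"; want_uid="${2:-0}"
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    uid=$(stat -c '%u' "$dir"); mode=$(stat -c '%a' "$dir")   # GNU stat
    [ "$uid" = "$want_uid" ] || { echo "FAIL $dir: owner uid $uid, want $want_uid"; return 1; }
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "FAIL $dir: mode $mode is group/other writable"; return 1; }
    echo "ok   $dir (uid $uid, mode $mode)"
}

# Walk from / down to the ChrootDirectory itself; directories below it
# (such as /var/sftp/files, owned by sftpuser) are deliberately not checked.
# Paths containing whitespace are not supported by this simple loop.
check_chroot_path() {
    rc=0
    for d in $(path_components "$1"); do
        check_component "$d" "${2:-0}" || rc=1
    done
    return "$rc"
}

# Usage: sh check_chroot.sh /var/sftp
if [ "$#" -gt 0 ]; then check_chroot_path "$1"; fi
```

    Running sudo sshd -t before the restart in Step 3 also validates the syntax of sshd_config, so a typo in the Match block is caught while the current session is still open.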

    Step 4 – Security Tips (Optional)

    Here are some basic but important security tips for SFTP accounts in a production environment.

    1. Run the SSH server on a non-standard port
    2. Disallow password authentication and configure key-based authentication
    3. Make sure the firewall restricts access to specific IP addresses only
    4. Keep the openssh package up to date

    Conclusion

    This tutorial described how to create SFTP-only users on an Ubuntu system. It disables shell access for those users and restricts them to a specified directory only.

    2 Comments

    1. Akshay on March 9, 2022 8:32 am

      Hi Rahul,

      Could you help me to understand the below configuration? I couldn’t find details related to the “-m” option in the man pages of sshd_config.

      # sftp subsystem
      Subsystem sftp internal-sftp -m 117

      Is -m a valid option? If so, may I know what -m 117 does?

    2. Johnson on May 31, 2021 12:46 pm

      Thanks, Helped me a lot.
