How to Create and Restrict sFTP Users in Linux

This brief tutorial shows students and new users how to create sFTP users in Ubuntu Linux and other distributions.

sFTP or Secure File Transfer Protocol is a secure file transfer protocol that runs on top of SSH. It is used to access, manage, and transfer files over an encrypted SSH transport session.

If you want to provide file access via FTP, you should make sure to use sFTP instead for better security. You’ll also need to create a user account to access and manage the files on the sFTP host.

While sFTP protocol is secured, if the user account isn’t provisioned properly, it can leave your server open to vulnerabilities.

Below are some steps that can help you protect your server so that sFTP users can’t access more then only their files.

To create sFTP only user account in Linux, follow the steps below:

Create a user account

The goal of this tutorial is to create an sFTP account that will only be used to access file and nothing more. This will make sure you server isn’t vulnerable to other threats.

Run the account below to create an sFTP only account called sftpuser. You can name the user any name you want. For this tutorial, we’re going to be using sftpuser.

sudo adduser --shell /bin/false sftpuser 

When prompted, type a password and other account details.

Adding user `sftpuser' ...
Adding new group `sftpuser' (1001) ...
Adding new user `sftpuser' (1001) with group `sftpuser' ...
Creating home directory `/home/sftpuser' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for sftpuser
Enter the new value, or press ENTER for the default
	Full Name []: sFTP User
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y

The above account will be create without shell access. This mean the user will not be able to logon to the server like normal user.

Create a home directory

Now that the account above is created, go and create a sFTP home directory for the account. You can do that by running the commands below.

sudo mkdir -p /var/sftp/downloads 

Now we’ll want to restrict the user to only access to the /var/sftp/downloads folder. The user will be able to download and add to that location.

sudo chown sftpuser:sftpuser /var/sftp/downloads
sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp

Configure SSH

Now that the user account, go and configure the SSH server to provide restrictive access. If you don’t already have SSH Server installed, run the commands below to install it.

sudo apt update
sudo apt install openssh-server

By default, SSH main configurating file is at /etc/ssh/sshd_config

Run the commands below to open SSH configuration file.

sudo nano /etc/ssh/sshd_config 

At the end of the SSH config file, copy and paste the lines below and save.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the file and exit.

Below are descriptions of the config options above:

  • Match User: Match the user sftpuser
  • ForceCommand internal-sftp: enforce the SFTP only access with no shell.
  • PasswordAuthentication yes:  allows password authentication for the user.
  • ChrootDirectory /var/sftp: restrict access to directories in /var/sftp.
  • AllowAgentForwarding no: no ssh-agent forwarding is permitted.
  • AllowTcpForwarding no no TCP forwarding is permitted.
  • X11Forwarding no no graphical application is permitted.

Restart SSH server to apply the changes.

sudo systemctl restart ssh 

That should do it. The user should be able to connect to the server via sFTP and access the downloads folder only.

Conclusion:

This post showed you how to create and restrict sFTP user account in Linux. If you find any error above, please use the comment form below to report.

You may also like the post below:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.