How to Create and Restrict sFTP Users in Ubuntu Linux


The tutorial gives a step-by-step guide on how to create and manage Secure File Transfer Protocol (sFTP) user accounts in Ubuntu Linux. It emphasizes using sFTP over FTP due to enhanced security. The guide explains creating an ‘sftpuser’ account without shell access, restricting it to accessing certain directories only, and appropriately configuring SSH server settings…

This brief tutorial shows students and new users how to create sFTP users in Ubuntu Linux and other distributions.

sFTP, or Secure File Transfer Protocol, is a secure file transfer protocol that runs on top of SSH. It is used to access, manage, and transfer files over an encrypted SSH transport session.

If you want to provide file access via FTP, you should use sFTP instead for better security. You’ll also need to create a user account to access and manage the files on the sFTP host.

While the sFTP protocol itself is secure, a user account that isn’t provisioned correctly can still expose your server: a standard account gets a login shell and can read anything its permissions allow, not just the files it was meant to transfer.

Below are the steps that restrict an sFTP user so they can’t access anything beyond their own files.

To create an sFTP-only user account in Linux, follow the steps below:

Create a user account

The goal of this tutorial is to create an sFTP account that will only be used to access files and nothing more. This will make sure your server isn’t vulnerable to other threats.

Run the command below to create an sFTP-only account called sftpuser. You can give the user any name you want; for this tutorial, we’re going to use sftpuser. The --shell /bin/false option gives the account no usable login shell.

sudo adduser --shell /bin/false sftpuser 

When prompted, type a password and other account details.

Adding user `sftpuser' .
Adding new group `sftpuser' (1001) .
Adding new user `sftpuser' (1001) with group `sftpuser' .
Creating home directory `/home/sftpuser' .
Copying files from `/etc/skel' .
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for sftpuser
Enter the new value, or press ENTER for the default
	Full Name []: sFTP User
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y

The above account will be created without shell access. This means the user cannot log on to the server like a regular user.

Create a home directory

Now that the account above is created, create an sFTP directory for the account. You can do that by running the command below.

sudo mkdir -p /var/sftp/downloads 

Now we’ll want to restrict the user to the /var/sftp/downloads folder only. The user will be able to download from and upload to that location. Note that the chroot directory itself (/var/sftp) must be owned by root and must not be writable by the group or by others; only the downloads subdirectory is handed to the user.

sudo chown sftpuser:sftpuser /var/sftp/downloads
sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp

Configure SSH

Now that the user account is configured, the SSH server needs to be told to provide restricted access for it. If you don’t already have the SSH server installed, run the commands below to install it.

sudo apt update
sudo apt install openssh-server

By default, the SSH server’s main configuration file is at /etc/ssh/sshd_config.

Run the command below to open the SSH configuration file.

sudo nano /etc/ssh/sshd_config 

At the end of the SSH config file, copy and paste the lines below and save.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the file and exit.

Below are descriptions of the config options above:

  • Match User sftpuser: apply the settings that follow only to the user sftpuser.
  • ForceCommand internal-sftp: enforce SFTP-only access with no shell.
  • PasswordAuthentication yes: allows password authentication for the user.
  • ChrootDirectory /var/sftp: restrict access to directories in /var/sftp.
  • PermitTunnel no: no tun device forwarding is permitted.
  • AllowAgentForwarding no: no ssh-agent forwarding is permitted.
  • AllowTcpForwarding no: no TCP forwarding is permitted.
  • X11Forwarding no: no graphical (X11) application forwarding is permitted.

Restart the SSH server to apply the changes.

sudo systemctl restart sshd

That should do it. The user should be able to connect to the server via sFTP and access the downloads folder only.
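As an added example (not part of the original post), the POSIX shell script below checks what sshd requires before the Match block above will work: the chroot directory and every parent up to / must be root-owned and not group- or world-writable, and the edited sshd_config must parse. It assumes GNU stat as found on Ubuntu and the /var/sftp layout used above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the sshd ChrootDirectory
# requirements and parse-checks sshd_config before the daemon is restarted.
# Assumes GNU coreutils `stat` (Ubuntu).

# chroot_dir_ok DIR [UID]: succeed if DIR is owned by UID (default 0 = root)
# and carries no group/other write bits. sshd refuses the chroot otherwise.
chroot_dir_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    set -- $(stat -c '%u %a' "$dir")     # e.g. "0 755"
    uid=$1; mode=$2
    [ "$uid" -eq "$want_uid" ] || { echo "bad owner on $dir: uid $uid" >&2; return 1; }
    # 0$mode is parsed as octal; 022 masks the group and other write bits.
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "group/world-writable: $dir ($mode)" >&2; return 1; }
    return 0
}

# chroot_path_ok DIR: check DIR and every parent up to /, because sshd
# validates the whole path, not just the ChrootDirectory itself.
chroot_path_ok() {
    p=$1
    while :; do
        chroot_dir_ok "$p" 0 || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# sftp_match_block USER CHROOT: print the Match block from the tutorial so it
# can be appended to sshd_config (e.g. sftp_match_block sftpuser /var/sftp).
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '\tForceCommand internal-sftp\n'
    printf '\tPasswordAuthentication yes\n'
    printf '\tChrootDirectory %s\n' "$2"
    printf '\tPermitTunnel no\n\tAllowAgentForwarding no\n'
    printf '\tAllowTcpForwarding no\n\tX11Forwarding no\n'
}

# sshd_config_ok [FILE]: parse-check the config (run as root) before restarting
# sshd, so a typo in the Match block cannot lock administrators out.
sshd_config_ok() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed" >&2; return 1; }
    sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

# Typical use as root after the steps above:
#   chroot_path_ok /var/sftp && sshd_config_ok && systemctl restart sshd
```

Run the whole check with sudo, since sshd -t needs to read the host keys and /var/sftp is root-owned.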

Conclusion:

This post showed you how to create and restrict an sFTP user account in Linux. If you find any error above, please use the comment form below to report.

One response to “How to Create and Restrict sFTP Users in Ubuntu Linux”

  1. Juan Jose Gaytan

    Excellent! This post was very very helpful. I would like to note that the correct command to restart the SSH daemon is
    sudo systemctl restart sshd
    Regards.
